Validityconstraints - Netscape MANAGEMENT SYSTEM 6.2 - ADMINISTRATOR Administrator's Manual


Constraints-Specific Policy Module Reference

ValidityConstraints

The ValidityConstraints plug-in module enforces minimum and maximum validity periods for certificates and changes them if the policy is not met. Specifically, the policy imposes constraints on the following:

- The duration of a certificate's validity period (based on supported minimum and maximum validity periods).
- The lead and lag time for the beginning date and time (the notBefore and notAfter attributes in certificate requests) for the validity period; how far back into the front or back the notBefore date could go in minutes.

If this policy rule is enabled, the server applies the rule to the certificate request being processed, and then determines if the validity period in the request is acceptable. The rule checks two X.509 attributes of the certificate, the notBefore and notAfter time, which together indicate the total validity life of a certificate, to make sure that they conform to the configured ranges.

The rule checks that the value of the notBefore attribute in the request is not more than leadTime minutes in the future; the leadTime is a configurable parameter in the plug-in implementation. The ability to configure the value of the leadTime parameter in the policy rule allows you to prohibit end entities from requesting certificates whose validity starts too far in the future, and yet allows some amount of toleration of clock-skew problems. For example, if the current date and time is 01/15/2000 (mm/dd/YYYY) and 1:30 p.m., the value of the notBefore attribute is set to 3:00 p.m., and that the leadTime is 10 minutes, then the request would fail, because the validity requested begins more than 10 minutes in the future.

The rule also checks that the value of the notBefore attribute in the request is not more than lagTime minutes in the past. For example, if the current date and time is 01/15/2000 (mm/dd/yyyy) and 1:30 p.m., the value of the notBefore attribute is set to 1:15 p.m., and the lagTime is set to 10 minutes, the request would fail because the user has requested a certificate 15 minutes in the past. Note that a request with notBefore set to 1:25 p.m. would have passed, however.

NOTE
You may apply this policy to end-entity certificate enrollment requests.

Netscape Certificate Management System Administrator's Guide • June 2003 (page 506)
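The leadTime and lagTime checks and the validity-duration bounds described above, modelled in Python as an added example; this is not code from Netscape Certificate Management System. The function names, the min_validity and max_validity parameter names, and the sample times (treated as UTC) are assumptions.

```python
from datetime import datetime, timedelta, timezone

def check_validity(now, not_before, not_after, lead_time, lag_time,
                   min_validity=None, max_validity=None):
    """Model of the rule; returns a list of violations (empty = acceptable).

    lead_time / lag_time are minutes, matching leadTime / lagTime on the page.
    min_validity / max_validity are timedelta bounds with assumed names.
    All datetimes must be timezone-aware so the comparison is unambiguous.
    """
    violations = []
    offset = not_before - now  # > 0: validity starts in the future
    if offset > timedelta(minutes=lead_time):
        violations.append("notBefore more than leadTime minutes in the future")
    if -offset > timedelta(minutes=lag_time):
        violations.append("notBefore more than lagTime minutes in the past")
    duration = not_after - not_before
    if min_validity is not None and duration < min_validity:
        violations.append("validity period shorter than minimum")
    if max_validity is not None and duration > max_validity:
        violations.append("validity period longer than maximum")
    return violations

def at(hour, minute):
    """Constructed sample time on 01/15/2000, treated as UTC."""
    return datetime(2000, 1, 15, hour, minute, tzinfo=timezone.utc)

NOW = at(13, 30)            # 1:30 p.m., the "current time" in the examples
ONE_YEAR = timedelta(days=365)

def run(not_before, **kw):
    """Check a constructed one-year request with leadTime = lagTime = 10."""
    return check_validity(NOW, not_before, not_before + ONE_YEAR,
                          lead_time=10, lag_time=10, **kw)

if __name__ == "__main__":
    for label, nb in [("3:00 p.m.", at(15, 0)), ("1:15 p.m.", at(13, 15)),
                      ("1:25 p.m.", at(13, 25)), ("1:40 p.m.", at(13, 40))]:
        print(label, run(nb) or "accepted")
    # Duration bound: a one-year request against an assumed 180-day maximum.
    print(run(at(13, 30), max_validity=timedelta(days=180)))
```

A notBefore exactly leadTime minutes ahead (1:40 p.m. here) is accepted, because the rule rejects only values more than leadTime minutes in the future.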
