Netscape Certificate Management System Administrator's Guide: Introduction to Policy

Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling Instances
Chapter 5: Starting and Stopping Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Using the PIN Generator Tool
Chapter 11: Configuring Authentication for End Entities
Chapter 12: Developing Authentication Plug-ins
PART 5: Job Scheduling and Notification
Chapter 13: Introduction to Job Scheduling and Notifications
Chapter 14: Configuring Jobs
PART 6: Policies
Chapter 15: Introduction to Policies
Chapter 16: Configuring Policies
PART 7: LDAP Publishing
Chapter 17: Introduction to LDAP Publishing
Chapter 18: Configuring Subsystems for LDAP Publishing
Chapter 19: Publishing CRLs
PART 8: Agent and End-Entity Interfaces
Chapter 20: Introduction to End-Entity and Agent Interfaces
Chapter 21: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 22: Introduction to Logs
Chapter 23: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 24: Issuing and Managing End-Entity Certificates
Chapter 25: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool

Contents

Index

Bookshelf

Chapter 15 Introduction to Policy

You can configure the main subsystems of Netscape Certificate Management System (CMS)--the Certificate Manager, Registration Manager, and Data Recovery Manager--to apply certain organizational policies on an end entity's certificate enrollment and management requests before servicing them. For example, some of the policies you might want a Certificate Manager to impose on these requests may include setting a minimum and maximum limit on validity period and key length of certificates, setting extensions based on the end entity's role within an organization, setting signing algorithms, and so on.

This chapter provides an overview of policy in general, and it explains the various policy plug-ins supported out of the box.

The chapter has the following sections:

What Is Policy?

Policy Rules

Policy Processor

Built-in Policy Plug-in Modules

What Is Policy?

Policy refers to a set of rules that Certificate Management System uses to evaluate or verify an incoming request from an end entity and to determine the outcome; the incoming requests that are governed by policies include certificate issuance, certificate renewal, certificate revocation, key archival, and key recovery requests. For example, in the case of a certificate issuance request, the outcome would be the certificate content.

A Certificate Manager's policy can include rules for evaluating certificate formulation, signing, renewal, and revocation requests. For example, you can configure a Certificate Manager's policy to impose restrictions on validity length, key type, key length, subject name, extensions, and signing algorithm during certificate issuance.

A Registration Manager's policy can include rules for verifying incoming certificate issuance, renewal, and revocation requests from end entities in order to formulate the certificate content before forwarding the requests to a Certificate Manager for signing. For example, you can configure a Registration Manager's policy to impose restrictions on validity period, key length, subject name, and extensions. In general, policies for Registration Manager are largely the same as for Certificate Manager.

A Data Recovery Manager's policy can include rules for verifying users' encryption private key archival and recovery requests.

Using policies, you can configure Certificate Management System to perform one or more of the following operations on each certificate issuance or management request it receives:

Screen the request for specific content, and modify, reject, or defer (for agent approval) it accordingly. For example, the request might be checked for the inclusion of organizational constraints, such as key algorithm, key size, validity period, or a particular signing algorithm; if it did not meet the requirement, the subsystem would modify the request or return an error, depending on the severity of the problem.

Set common attributes, such as extensions for user and server certificate requests.

Policy Rules

A policy rule refers to a uniquely configured instance of any policy plug-in implementation; see "Built-in Policy Plug-in Modules" for a list of plug-in modules provided for Certificate Management System. For example, you can use the plug-in module provided for setting validity periods on certificates to configure a policy rule that forces validity periods for all client certificates issued by a Certificate Manager to fall within a predetermined range, say between 6 and 24 months. A subsystem's policy configuration can consist of one or more policy rules, each performing one or more of the following operations:

Validate the request content by comparing it with configured criteria; reject, modify, or defer (for agent approval) the request if any of the request parameters are invalid.

Build certificate content--for example, set common extensions and the validity period.

Enforce organizational constraints, such as subject name, key algorithm, key size, and validity period.

Determine whether the private key should be archived.

Keep in mind that the server applies the rules when processing end-entity requests and after agent approval (for deferred requests).

Types of Policy Rules

Certificate Management System supports distinct policy rules for each of the operations that end entities perform--certificate enrollment, renewal, and revocation, and key archival and recovery. Consequently, there are five broad categories of policies, corresponding to these types of operations:

Enrollment policies

Renewal policies

Revocation policies

Key archival policies

Key recovery policies

To facilitate this classification, Certificate Management System supports a parent interface for a generic policy rule and other operation-specific interfaces that extend the parent interface. Check the SDK directory on the product CD. You can also download the CMS SDK from this site:

http://home.netscape.com/eng/server/cms

Using Predicates in Policy Rules

You can use predicates in a policy rule. A predicate indicates whether the rule that contains the predicate applies to a request. If you specify a predicate as part of the rule configuration, the policy rule applies that predicate based on request attributes to determine whether the rule is applicable for a request.

The policy predicate is an expression. You form the expression using standard variables that return strings, integers, or enumeration of strings/integers, and relational operators (AND or OR). For details, see "Expression Support for Predicates" and "Attributes for Predicates".

Expression Support for Predicates

You form an expression using an attribute, its value, and one or more of the operators listed in Table 15.1. For a list of attributes, see "Attributes for Predicates".

Table 15.1 Predicates in policy: supported comparison and logical operators


Operator	Description
==	Equal to
!=	Not equal to
AND	Logical operator AND
OR	Logical operator OR

The expression parsing support currently supports only two comparison operators (==, !=) and two relational operators (AND, OR).

Policy expressions are formed with the following rules:

PrimitiveExpression | AndExpression | OrExpression

PrimitiveExpression is equal to: Attribute op Value

where

Attribute can be a string

op can be any of these operators: == or !=

Value can be a string

AndExpression is equal to: Expression AND Expression

OrExpression is equal to: Expression OR Expression

In an expression, the AND operator takes precedence over an OR operator. For example, the expression

certType == client AND ou==Engineering OR certType == ca

is interpreted as

(certType == client AND ou==Engineering) OR certType == ca

Certificate Management System evaluates an expression based on the attributes in the request. The attributes are filled in by servlets from the HTTP input forms used for request submission. Some attributes, such as passwords typed in the form are not stored in the request. Other attributes regarding the end entity are set on the request after successful authentication. The servlets also interpret the form content, for example, retrieving the key material out of the KEYGEN or PKCS #10 information and setting the key in the certificate content. They can also set additional attributes related to the certificate content on the request. In general, you can configure which attributes--for example, sensitive attributes such as passwords--should or shouldn't be stored in the request.

The expression queries the request for the attributes, compares the value returned with the value provided in the predicate, and returns a boolean result.

The following are sample predicates:

certType == client AND ou == Engineering

certType == server AND o == Netscape OR certType == ca

Attributes for Predicates

Attributes for predicates can come from any of the following:

Input form--that is, the HTML form that end entities use for submitting certificate requests.

Authentication token--what the authentication subsystem returns after successfully authenticating an end entity.

A service--for example, a Certificate Manager, Registration Manager, or Data Recovery Manager service can add certain attributes to the end-entity request.

Policy processor--what the policy subsystem returns after subjecting the end-entity request to policy checking.

Table 15.2 lists default attributes that are supported by various request object implementations.

Table 15.2 Attributes supported by request object implementations


Request type	Variable name	Description	Object type
Default attributes from an input form:
Enrollment	certType	The certificate type. Possible values include the following: client (client certificates) server (server certificate) Cisco-router (router certificate) ra (Registration Manager's signing certificate) ca (Certificate Manager's CA signing certificate) other	String
Enrollment	requestFormat	The certificate request format. Possible values include the following: keygen pkcs10	String
Renewal	requestFormat	The certificate request format. Possible values include the following: clientAuth pkcs10	String
Default attributes from an authentication token: (Upon successful authentication these attributes go into an enrollment request)
Enrollment	authMgrImplName	The name of the authentication plug-in module that authenticated the request.	String
Enrollment	authMgrInstName	The name of the authentication instance that authenticated the request.	String

Policy Processor

Each subsystem--the Certificate Manager, Registration Manager, or Data Recovery Manager--has its own policy processor. Each processor subjects an incoming request to the applicable policy rules for that subsystem.

When a subsystem starts up, its policy processor reads the current policy configurations from the configuration file, initializes them, and classifies them based on their type (see "Types of Policy Rules"). Then, when the subsystem receives an authenticated request, its request processor invokes the policy processor to apply policies on that request. The policy processor applies the rules on the request based on the request type. The policy processor also filters the rules based on predicates (see "Using Predicates in Policy Rules").

Note that the policy processor applies only the enabled policy rules, in the order in which they are configured, before determining the final outcome. Each rule the processor executes returns a PolicyResult object. Three return values are possible:

PolicyResult.REJECTED (indicates that the request failed the rule)

PolicyResult.DEFERRED (indicates that the request requires agent approval)

PolicyResult.ACCEPTED (indicates that the request passed the rule)

After all the policy rules are applied, the processor determines the status of the request (in this order):

If the request failed any policy rule (that is, if any of the policy rules returned a PolicyResult.REJECTED value), the processor rejects the request. The rule that rejected the request sets appropriate error messages on the request.

If at least one of the policy rules requires agent approval for the request (that is, if any of the policy rules returned a PolicyResult.DEFERRED value), the processor stores the request in the request queue for agent approval.

If the request passes all the policy rules (that is, all policy rules returned a PolicyResult.ACCEPTED value), the request gets serviced--for example the certificate is issued or renewed.

Built-in Policy Plug-in Modules

Certificate Management System comes with various policy plug-in modules that help you govern its certificate generation and management operations.

The modules provided out of the box can be categorized into two groups:

Constraints-Specific Policy Plug-in Modules

Extension-Specific Policy Plug-in Modules

Note that Certificate Management System doesn't come with key archival and recovery policy modules.

Constraints-Specific Policy Plug-in Modules

Constraints-specific policy plug-in modules help you define rules or constraints that Certificate Management System must use to evaluate an incoming request. Table 15.3 lists the constraints-specific policy plug-in modules provided out of the box. You can use these modules, as applicable, for defining the required policy rules for your Certificate Manager or Registration Manager; no plug-ins are provided for the Data Recovery Manager.

Table 15.3 Constraints-specific policy plug-in modules provided out of the box


Plug-in module name	Description
DefaultRevocation	Use this to configure the server to revoke only those certificates that are currently valid; expired certificates cannot be revoked. For more information, see "Default Revocation Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.
DSAKeyConstraints	Use this to configure the server to certify only those DSA keys that have specific key lengths. For more information, see "DSA Key Constraints Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.
KeyAlgorithmConstraints	Use this to configure the server to certify only those keys that are generated using one of the permitted algorithms, such as RSA or DSA. For more information, see "Key Algorithm Constraints Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.
RenewalValidityConstraints	Use this to configure the server to enforce the number of days before which a currently active certificate can be renewed and to set a new validity period for the renewed certificate. For more information, see "Renewal Validity Constraints Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.
RSAKeyConstraints	Use this to configure the server to certify only those RSA keys that have specific key lengths. For more information, see "RSA Key Constraints Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.
ValidityConstraints	Use this to configure the server to check whether the validity period of a certificate falls within a specific validity period. For more information, see "Validity Constraints Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.

Default Revocation Policy

The default revocation policy applies to end-entity certificate revocation. The policy enforces a rule that only currently valid certificates can be revoked; an expired certificate cannot be revoked. The policy also looks at the revocation reason specified in the revocation form and sets the appropriate CRLReason extension.

Plug-in for Default Revocation Policy

The plug-in module provided for the default revocation policy is identified as follows:

com.netscape.certsrv.policy.DefaultRevocation

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.DefaultRevocation.class=com.netscape .certsrv.policy.DefaultRevocation

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

DefaultRevocation

Configurable Parameters

Figure 15.1 shows how the configurable parameters pertaining to the DefaultRevocation policy plug-in implementation are displayed in the CMS window.

Figure 15.1 Parameters and values for the DefaultRevocation module

The configuration shown in Figure 15.1 enforces a rule that only valid client certificates can be revoked; expired certificates cannot be revoked.

Table 15.4 gives details about each of these parameters.

Table 15.4 Configurable parameters for the default revocation policy and their values
Parameter name
Description

enable

Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled.

Permissible values: Either of the following:
true
false

Object type: String

predicate

Specifies the predicate expression for this rule. If you want the rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests.

Example: certType==client

Permissible values: See "Using Predicates in Policy Rules".

Object type: String

DSA Key Constraints Policy

The DSA key constraints policy applies to end-entity certificate enrollment and renewal requests. The policy imposes constraints on the following:

The minimum and maximum sizes for keys

The exponent sizes

The policy restricts the key size to one of the sizes, such as 512, 1024, or 2048, supported by the Certificate Management System. In other words, this policy allows you to set up restrictions on the lengths of public keys certified by Certificate Management System. For example, you can configure a Certificate Manager to certify public keys up to 1024 bits in length for end users.

Plug-in for DSA Key Constraints Policy

The plug-in module provided for the DSA key constraints policy is identified as follows:

com.netscape.certsrv.policy.DSAKeyConstraints

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.DSAKeyConstraints.class=com.netscape .certsrv.policy.DSAKeyConstraints

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

DSAKeyConstraints

Configurable Parameters

Figure 15.2 shows how the configurable parameters pertaining to the DSAKeyConstraints policy plug-in implementation are displayed in the CMS window.

Figure 15.2 Parameters and values for the DSAKeyConstraints module

The configuration shown in Figure 15.2 restricts the minimum and maximum key sizes for all client certificates to 512 and 1024, respectively.

Table 15.5 gives details about each of these parameters.

Table 15.5 Configurable parameters for the DSA key constraints policy and their values


Parameter name	Description
minSize	Specifies the minimum length for the key (the length of the modulus in bits). Enter the length in bits. The value must be smaller than or equal to the one specified by the maxSize parameter. The default value is 512. In general, a longer key size results in a key pair that is more difficult to crack. You may want to enforce a minimum length to ensure a minimum level of security. Example: 512 Permissible values: Any of the following: 512 1024 2048 Object type: Integer
maxSize	Specifies the maximum length for the key. Enter the length in bits. The default value is 2048. The current export restrictions imposed by the United States limit the exported versions of Netscape software to supporting public keys no longer than 512 bits. To allow keys certified by your server to work with software across national borders, you may want to enforce a maximum length of 512 bits. Example: 1024 Permissible values: Any of the following: 512 1024 2048 Object type: Integer
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. Example: true Permissible values: Either of the following: true false Object type: String
predicate	Specifies the predicate expression for this rule. If you want the rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==client Permissible values: See "Using Predicates in Policy Rules". Object type: String

Key Algorithm Constraints Policy

The key algorithm constraints policy applies to end-entity certificate enrollment and renewal requests. The policy restricts the key algorithm requested to one of the algorithms, such as RSA or DSA, supported by Certificate Management System. In other words, this policy allows you to set restrictions on the types of public keys certified by Certificate Management System.

For example, you can configure a Certificate Manager to certify only those public keys that comply with the PKCS-1 RSA Encryption Standard.

Plug-in for Key Algorithm Constraints Policy

The plug-in module provided for the key algorithm constraints policy is identified as follows:

com.netscape.certsrv.policy.KeyAlgorithmConstraints

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.KeyAlgorithmConstraints.class=com.
netscape.certsrv.policy.KeyAlgorithmConstraints

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

KeyAlgorithmConstraints

Configurable Parameters

Figure 15.3 shows how the configurable parameters pertaining to the KeyAlgorithmConstraints policy plug-in implementation are displayed in the CMS window.

Figure 15.3 Parameters and values for the KeyAlgorithmConstraints module

The configuration shown in Figure 15.3 restricts the key algorithm of all client and server certificates to RSA.

Table 15.6 gives details about each of these parameters.

Table 15.6 Configurable parameters for the key algorithm constraints policy and their values


Parameter name	Description
algorithms	Specifies the key type the server should certify. The default is RSA. Example: RSA Permissible values: Either or both of the following; if entering both, separate them by a comma: RSA DSA Object type: String
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. Example: true Permissible values: Either of the following: true false Object type: String
predicate	Specifies the predicate expression for this rule. If you want the rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==client AND certType==server Permissible values: See "Using Predicates in Policy Rules". Object type: String

Renewal Validity Constraints Policy

The renewal validity constraints policy applies to end-entity certificate renewals. It governs the formulation of content in the renewed certificate based on the currently issued certificate. The policy enforces the following rules:

The number of days before expiration that a currently active certificate can be renewed.

The new validity period for the renewed certificate, starting from the end of the period in the old certificate.

The renewal process to which this policy is applied can be manual (request needs to be approved by an agent) or automated; for details, see "Certificate Renewal". In both cases, the currently issued certificate must be either presented during SSL client authentication by the end entity or selected by the agent approving the renewal request.

You should consider using this policy if you want to enforce the following:

The number of days before expiration that end entities can renew their currently active or valid certificates. For example, you may want to enforce a policy that prevents end entities from renewing their certificates any earlier than 15 days before expiration.

The validity period of the renewed certificate. For example, you may want to enforce a policy that sets the validity period of renewed certificates to a minimum of 180 days; the renewal period starts from the ending period in the certificate presented for renewal.

Plug-in for Renewal Validity Constraints Policy

The plug-in module provided for the renewal validity constraints policy is identified as follows:

com.netscape.certsrv.policy.RenewalValidityConstraints

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.RenewalValidityConstraints.class=com .netscape.certsrv.policy.RenewalValidityConstraints

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

RenewalValidityConstraints

Configurable Parameters

Figure 15.4 shows how the configurable parameters pertaining to the RenewalValityConstraints policy plug-in implementation are displayed in the CMS window.

Figure 15.4 Parameters and values for the RenewalValidityConstraints module

The configuration shown in Figure 15.4 enforces a rule that only those client certificates that are due to expire within the next 15 days can be renewed. The renewed certificates are valid for at least 60 days (two months) and require renewing after 180 days (six months).

Table 15.7 gives details about each of these parameters.

Table 15.7 Configurable parameters for the renewal validity constraints policy and their values
Parameter name
Description

minValidity

Specifies the minimum validity period, in days, for renewed certificates. The default value is 180 days.

Example: 60

Permissible values: As applicable

Object type: Integer

maxValidity

Specifies the maximum validity period, in days, for renewed certificates. The default value is 730 days.

Example: 180

Permissible values: As applicable

Object type: Integer

renewalInterval

Specifies how many days before its expiration that a certificate can be renewed. The default value is 15 days.

Example: 15

Permissible values: As applicable

Object type: Integer

enable

Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled.

Example: true

Permissible values: Either of the following:
true
false

Object type: String

predicate

Specifies the predicate expression for this rule. If you want the rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests.

Example: certType==client

Permissible values: See "Using Predicates in Policy Rules".

Object type: String

RSA Key Constraints Policy

The RSA key constraints policy applies to end-entity certificate enrollment and renewal requests. The policy imposes constraints on the following:

The minimum and maximum sizes for keys

The exponent sizes

The policy restricts the key size to one of the sizes, such as 512, 1024, or 2048, supported by Certificate Management System. In other words, this policy allows you to set restrictions on the length of public keys certified by the Certificate Management System.

For example, you can configure a Certificate Manager to certify public keys up to 1024 bits in length for end users.

Plug-in for RSA Key Constraints Policy

The plug-in module provided for the RSA key constraints policy is identified as follows:

com.netscape.certsrv.policy.RSAKeyConstraints

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.RSAKeyConstraints.class=com.netscape .certsrv.policy.RSAKeyConstraints

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

RSAKeyConstraints

Configurable Parameters

Figure 15.5 shows how the configurable parameters pertaining to the RSAKeyConstraints policy plug-in implementation are displayed in the CMS window.

Figure 15.5 Parameters and values for the RSAKeyConstraints module

The configuration shown in Figure 15.5 restricts the minimum and maximum key sizes for all client certificates to 512 and 1024, respectively.

Table 15.8 gives details about each of these parameters.

Table 15.8 Configurable parameters for the RSA key constraints policy and their values


Parameter name	Description
minSize	Specifies the minimum length for the key (the length of the modulus in bits). Enter the length in bits. The value must be smaller than or equal to the one specified by the maxSize parameter. The default value is 512. In general, a longer key size results in a key pair that is more difficult to crack. You may want to allow a minimum length to ensure a minimum level of security. Example: 512 Permissible values: Any of the following: 512 1024 2048 Object type: Integer
maxSize	Specifies the maximum length for the key. Enter the length in bits. The default value is 2048. The current export restrictions imposed by the United States limit the exported versions of Netscape software to supporting public keys no longer than 512 bits. To allow keys certified by your server to work with software across national borders, you may want to enforce a maximum length of 512 bits. Example: 1024 Permissible values: Any of the following: 512 1024 2048 Object type: Integer
exponents	Limits the possible public exponent values. Use commas to separate different values. Some exponents are more widely used than others. The following exponent values are recommended for arithmetic and security reasons: 17 and 65537. Of these two values, 65537 is preferred. (This setting is mainly an issue if you are using your own software for generating key pairs. Key-generation programs in Netscape clients and servers use 3 or 65537.) Example: 17, 65537 Permissible values: A combination of any of the following, separated by commas: 3 7 17 65537 Object type: Integer
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. Example: true Permissible values: Either of the following: true false Object type: String
predicate	Specifies the predicate expression for this rule. If you want the rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==client Permissible values: See "Using Predicates in Policy Rules". Object type: String

Validity Constraints Policy

The validity constraints policy applies to end-entity certificate enrollment requests. The policy enforces minimum and maximum validity periods for certificates and changes them if the policy is not met. Specifically, the policy imposes constraints on the following:

The duration of a certificate's validity period (based on supported minimum and maximum validity periods).

The lead and lag time for the beginning date and time (the notBefore and notAfter attributes in certificate requests) for the validity period; how far back into the front or back the notBefore date could go in minutes.

If this policy rule is enabled, the server applies the rule to the certificate request being processed, and then determines if the validity period in the request is acceptable. The rule checks two X.509 attributes of the certificate, the notBefore and notAfter time, which together indicate the total validity life of a certificate, to make sure that they conform to the configured ranges.

The rule checks that the value of the notBefore attribute in the request is not more than leadTime minutes in the future; the leadTime is a configurable parameter in the plug-in implementation. The ability to configure the value of the leadTime parameter in the policy rule allows you to prohibit end entities from requesting certificates whose validity starts too far in the future, and yet allows some amount of toleration of clock-skew problems. For example, if the current date and time is 01/15/1999 (mm/dd/YYYY) and 1:30 p.m., the value of the notBefore attribute is set to 3:00 p.m., and that the leadTime is 10 minutes, then the request would fail, because the validity requested begins more than 10 minutes in the future.

The rule also checks that the value of the notBefore attribute in the request is not more than lagTime minutes in the past. For example, if the current date and time is 01/15/1999 (mm/dd/yyyy) and 1:30 p.m., the value of the notBefore attribute is set to 1:15p.m., and the lagTime is set to 10 minutes, the request would fail because the user has requested a certificate 15 minutes in the past. Note that a request with notBefore set to 1:25 p.m. would have passed, however.

Note Currently, CRMF is the only enrollment format which allows an end entity to request a specific validity period.

It can be useful to restrict the length of the validity period for certificates issued by Certificate Management System. For example, if you want users to renew their certificates at least once a year, you can set the maximum validity period to one year. If you want to limit the frequency of certificate renewals to keep down administrative costs, you can set the minimum validity period to six months.

Plug-in for Validity Constraints Policy

The plug-in module provided for the validity constraints policy is identified as follows:

com.netscape.certsrv.policy.ValidityConstraints

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.ValidityConstraints.class=com.
netscape.certsrv.policy.ValidityConstraints

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

ValidityConstraints

Configurable Parameters

Figure 15.6 shows how configurable parameters pertaining to the ValidityConstraints policy plug-in implementation are displayed in the CMS window.

Figure 15.6 Parameters and values for the ValidityConstraints module

The configuration shown in Figure 15.6 enforces a rule that all client certificates requested by end entities in an organizational unit (OU) called Marketing are valid for at least 60 days (two months) and require renewing after 180 days (six months).

Table 15.9 gives details about each of these parameters.

Table 15.9 Configurable parameters for the validity constraints policy and their values


Parameter name	Description
minValidity	Specifies the minimum validity period, in days, for certificates. The default value is 180 days. Example: 60 Permissible values: An integer greater than zero and less than the value specified by the maxValidity parameter Object type: Integer
maxValidity	Specifies the maximum validity period, in days, for certificates. The default value is 730 days. Example: 180 Permissible values: An integer greater than zero and also greater than the value specified by the minValidity parameter Object type: Integer
leadTime	Specifies the lead time, in minutes, for certificates. For a certificate renewal request to pass the renewal validity constraints policy, the value of the notBefore attribute in the certificate request must not be more than value of the leadTime parameter in the future, relative to the time when the policy rule is run. The default value is 10 minutes. The notBefore attribute value specifies the date on which the certificate validity begins; validity dates through the year 2049 are encoded as UTCTime, dates in 2050 or later are encoded as GeneralizedTime. Example: 10 Permissible values: As applicable Object type: Integer
lagTime	Specifies the lag time, in minutes, for certificates. For a certificate renewal request to pass the renewal validity constraints policy, the value of the notBefore attribute in the certificate request must not be more than the value of the lagTime in the past, relative to the time when the policy is run. The default value is 10 minutes. The notBefore attribute value specifies the date on which the certificate validity ends; validity dates through the year 2049 are encoded as UTCTime, dates in 2050 or later are encoded as GeneralizedTime. Example: 10 Permissible values: As applicable Object type: Integer
beforeFix	Specifies the number of minutes to subtract from the current time when creating the value for the certificate's notBefore attribute. It can help some clients with incorrectly set clocks use the new certificate after downloading. For example, if the certificate is issued at 11:30 a.m. and the clock settings of the client into which the certificate is downloaded is 11:20 a.m., the certificate cannot be used for 10 minutes. Setting the value of the beforeFix parameter to 10 minutes would adjust the value of the notBefore parameter to 11:20 a.m.--thus making the certificate usable following the down load. Example: 5 Permissible values: As applicable Object type: Integer
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. Example: true Permissible values: Either of the following: true false Object type: String
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==client AND ou==Marketing Permissible values: See "Using Predicates in Policy Rules". Object type: String

Extension-Specific Policy Plug-in Modules

Since its initial publication, the X.509 standard for certificate formats has been amended to include additional information within a certificate. Version 3, the latest version, allows you to add additional information as certificate extensions. For example, Netscape applications (Netscape Navigator 3.0 or higher, and Enterprise Server 2.01 or higher) support an extension that specifies the type of certificate issued (such as client, server, or object signing).

Extension-specific policy plug-in modules help you configure Certificate Management System to set specific extensions on certificates it issues. When deciding whether to enable or disable any of the X.509 v3 certificate extensions, keep in mind that not all applications support X.509 v3 extensions. Among the applications that do support extensions, not all applications will recognize a given extension. For general guidelines on using extensions in certificates, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Table 15.10 lists extension-specific policy plug-in modules supported out of the box. You can use these modules to define the policy rules for your Certificate Manager and Registration Manager.

Table 15.10 Extension-specific policy plug-in modules provided out of the box


Plug-in module name	Description
AuthorityKeyIdentifierExt	Adds the Authority Key Identifier extension to a certificate depending on certificate type requested. For more information, see "Authority Key Identifier Extension Policy". Only the Certificate Manager provides this plug-in module.
BasicConstraintsExt	Adds the Basic Constraints extension to a certificate depending on certificate type requested. For more information, see "Basic Constraints Extension Policy". Only the Certificate Manager provides this plug-in module. You can add it to the Registration Manager's policy list.
CRLDistributionPointsExt	Adds the CRL Distribution Point extension to certificates. For more information, see "CRL Distribution Point Extension Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.
KeyUsageExt	Adds the Key Usage extension to a certificate depending on certificate type requested. For more information, see "Key Usage Extension Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.
NSCertTypeExt	Adds Netscape Certificate Type extensions to a certificate depending on certificate type requested. For more information, see "Netscape Certificate Type Extension Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.
SubjectAltNameExt	Adds the Subject Alternate Name extension depending on certificate type requested. For more information, see "Subject Alternate Name Extension Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.
SubjectKeyIdentifierExt	Adds the Subject Key Identifier extension depending on certificate type requested. For more information, see "Subject Key Identifier Extension Policy". Both the Certificate Manager and Registration Manager provide this plug-in module.

Authority Key Identifier Extension Policy

The authority key identifier extension policy plug-in implementation is based on the Authority Key Identifier extension. This extension identifies the public key that corresponds to the private key used by a CA to sign certificates.

The key identifier set in the extension is the MD5 hash of the issuer's public key.

If enabled, this policy adds the authority key identifier extension to all certificates issued, unless the predicate specifies otherwise. You should consider using this extension for all CA certificates (root as well as subordinate) issued by Certificate Management System, especially when a Certificate Manager has multiple signing keys (either due to multiple concurrent key pairs or due to changeover).

For general guidelines on setting the authority key identifier extension, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Plug-in for Authority Key Identifier Extension Policy

The plug-in module provided for the authority key identifier extension policy is identified as follows:

com.netscape.certsrv.policy.AuthorityKeyIdExt

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.AuthorityKeyIdentifierExt.class=com. netscape.certsrv.policy.AuthorityKeyIdExt

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

AuthorityKeyIdentifierExt

Configurable Parameters

Figure 15.7 shows how the configurable parameters pertaining to the AuthKeyIDExt policy plug-in implementation are displayed in the CMS window.

Figure 15.7 Parameters and values for the AuthorityKeyIdentifierExt module

The configuration shown in Figure 15.7 enforces a rule that the authority key identifier extension must be set in all CA certificates.

Table 15.11 gives details about each of these parameters.

Table 15.11 Configurable parameters for the authority key identifier extension policy and their values


Parameter Name	Description
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. Example: true Permissible values: Either of the following: true false Object type: String
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==ca Permissible values: See "Using Predicates in Policy Rules". Object type: String

Basic Constraints Extension Policy

The basic constraints extension policy plug-in implementation is based on the Basic Constraints extension defined in X.509 and PKIX standard rfc 2459 (see http://www.ietf.org/rfc/rfc2459.txt). This extension identifies whether the Certificate Manager is a CA. In addition, the extension is also used during the certificate chain verification process to identify CA certificates and to apply certificate chain-path length constraints.

Note The current PKIX standard requires that this extension be marked critical and that it appear in all CA certificates. The standard also recommends that the extension should not appear in end-entity certificates.

If enabled, this policy adds the basic constraints extension to all certificates being issued, unless specified otherwise by the predicate expression. To add the extension to subordinate CA certificates only, you must configure the predicate expression to be certType==ca.

For general guidelines on setting the basic constraints extension, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Plug-in for Basic Constraints Extension Policy

The plug-in module provided for the basic constraints extension policy is identified as follows:

com.netscape.certsrv.policy.BasicConstraintsExt

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.BasicConstraintsExt.class=com.
netscape.certsrv.policy.BasicConstraintsExt

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

BasicConstraintsExt

Configurable Parameters

Figure 15.8 shows how the configurable parameters pertaining to the BasicConstraintsExt policy plug-in implementation are displayed in the CMS window.

Figure 15.8 Parameters and values for the BasicConstraintsExt module

The configuration shown in Figure 15.8 enforces a rule that the basic constraints extension must be set in all CA certificates.

Table 15.12 gives details about each of these parameters.

Table 15.12 Configurable parameters for the basic constraints extension policy and their values


Parameter name	Description
MaxPathLen	Specifies the path length. The value is the number of CA certificates that can be chained below (subordinate to) the subordinate CA certificate being issued. If this value is not set, it defaults to a value that is determined by the path length set on the issuer's certificate: it defaults to -1, if the issuer's path length is -1, or to one less than the issuer's path length, if the issuer's path length is greater than 0 (>0). Note that the path length you specify effects the number of CA certificates to be used during certificate validation. The chain starts with the end-entity certificate being validated and moving up the chain. (The parameter has no effect if the extension is set in end-entity certificates.) Example: 3 Permissible values: -1, 0, or n -1 specifies unlimited or any number of subordinate CA certificates are allowed below the subordinate CA certificate being issued. 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued. n must be a specific number that is greater than zero. It specifies at the most n subordinate CA certificates are allowed below the subordinate CA certificate being used. Object type: Integer
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. Example: true Permissible values: Either of the following: true false Object type: String
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==ca Permissible values: See "Using Predicates in Policy Rules". Object type: String

CRL Distribution Point Extension Policy

The CRL distribution point extension policy plug-in implementation is based on the CRL Distribution Point extension. If enabled, this policy inserts a CRLDistributionPoint extension into each certificate being issued, unless the predicate expression specifies otherwise. Essentially, the extension identifies one or more CRL distribution points or locations where the CRL for the certificate (that includes the extension) can be obtained. For information on configuring a Certificate Manager to publish CRLs to different distribution points, see "CRL Issuing Points".

Certificate Management System supports only two name forms for distribution points out of the box: X.500 Directory Name and URI. URIs described in this document support two CRL retrieval mechanisms: LDAP-based and HTTP-based.

Optionally, each distribution point may contain a set of reason flags, indicating what revocation reasons are covered by the CRL at that location. Also, the distribution point location can be relative to the location of the issuer. In this last case, the issuerName and issuerType parameters should be included to give the location of the issuer.

Note that you can configure the server to support any name form by changing the sample code provided for this purpose. You can find the code in a directory named SDK on the product CD. You can also download the samples from this site:

http://home.netscape.com/eng/server/cms

For general guidelines on setting the CRL distribution point extension in certificates, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Plug-in for CRL Distribution Point Extension Policy

The plug-in module provided for the CRL distribution point extension policy is identified as follows:

com.netscape.certsrv.policy.CRLDistributionPointsExt

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.CRLDistributionPointsExt.class=com.
netscape.certsrv.policy.CRLDistributionPointsExt

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

CRLDistributionPointsExt

Configurable Parameters

Table 15.13 gives details about each of the configurable parameters pertaining to the CRLDistributionPointsExt policy plug-in implementation.

Table 15.13 Configurable parameters for the CRL distribution point extension policy and their values


Parameter name	Description
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. Example: true Permissible values: Either of the following: true false Object type: String
critical	Specifies whether the extension should be marked critical. To mark the extension critical, enter true; to mark it noncritical, enter false. By default, it is marked noncritical; rfc 2459 specifies that the extension should not be marked critical (see http://www.ietf.org/rfc/rfc2459.txt). Example: false Permissible values: Either of the following: true false Object type: String
numPoints	Specifies the number of CRL distribution points to be contained or allowed in the extension. Note that each distribution point has its own configuration and you must specify the appropriate values for each of those parameters; otherwise the policy rule will return an error. Also note that the UI allows you to configure at the most two distribution points. However, there's no restriction on the total number of distribution points you can include in the extension, provided you update the CMS configuration file with the relevant information--that is, if you specify more than two distribution points, you must configure the remaining distribution points (of the total) by adding the corresponding parameters to the configuration file. For details, see "Adding Distribution Points to the Configuration File". Example: 2 Permissible values: Either of the following: 0 specifies that no distribution points can be contained in the extension. n specifies the number of distribution points to be included in the extension; it must be a number greater than zero. For example, if you enter 3, three distribution points can be contained in the extension. Object type: Integer
pointName<x>	Specifies the name of the CRL distribution point<x>, where x is an integer that is derived from the value of the numPoints parameter. For example, if you set the numPoints parameter to 3, x could be 0, 1, or 2. The name of the distribution point can be in any of the following formats: An X.500 Name in RFC1779 syntax, in which case the pointType attribute (shown below) must be DirectoryName. A URI, in which case the pointType attribute must be URI. An RDN which specifies a location relative to the CRL Issuer. In this case, the value of the pointType attribute must be RelativeToIssuer. By default, the name can be an X.500 Directory Name and a URI. (You can configure the server to use any name form using the sample code provided.) Example: If the name is a URI, it would look similar to this: http://ca.somecorp.com/get/your/crls/here/ If the name is an X.500 Directory Name, it would look similar to this: CN=CRLCentral,OU=Research Dept.,O=CertCorp,C=US Permissible values: Any supported name forms Object type: String
pointType<x>	Specifies the type (for example, URI) of the CRL distribution point<x>, where x is an integer derived from the value of the numPoints parameter. For example, if you set the numPoints parameter to 2, x could be either 0 or 1. The value you specify for this parameter must correspond to that of the pointName parameter. Example: URI Permissible values: By default, DirectoryName and URI. Object type: String
reasons<x>	Specifies the revocation reasons for the CRL maintained at distribution point<x>, where x is an integer derived from the value of the numPoints parameter. For example, if you set the numPoints parameter to 2, x could be either 0 or 1. Example: keyCompromise Permissible values: A comma-separated list of the following constants: unused keyCompromise cACompromise affiliationChanged superseded cessationOfOperation certificateHold Object type: String
issuerName<x>	Specifies the name of the issuer that has signed the CRL maintained at distribution point<x>, where x is an integer derived from the value of the numPoints parameter. For example, if you set the numPoints parameter to 2, x could be either 0 or 1. The issuer name may be an X.500 Directory Name or a URI. If the name is an X.500 Directory Name, the value of the issuerType parameter (below) must be DirectoryName. If the name is a URI, the value of the issuerType parameter must be URI. Example: OU=Research Dept.,O=CertCorp,C=US Permissible values: Any valid name Object type: String
issuerType<x>	Specifies the type of the CRL issuer that has signed the CRL maintained at distribution point<x>, where x is an integer derived from the value of the numPoints parameter. For example, if you've set the numPoints parameter to 2, x could be either 0 or 1. Note that the value you specify for this parameter must map to the value of the corresponding issuerName<x> parameter. Example: DirectoryName Permissible values: DirectoryName and URI. Object type: String
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==Cisco-router Permissible values: See "Using Predicates in Policy Rules". Object type: String

Adding Distribution Points to the Configuration File

If you configure the CRL distribution point policy to contain more than two distribution points, you should add the configuration parameters pertaining to the remaining distribution points to the configuration file. The parameters you're required to add include the following:

<subsystem>.Policy.rule.CRLDistributionPoints.pointName<x>

<subsystem>.Policy.rule.CRLDistributionPoints.pointType<x>

<subsystem>.Policy.rule.CRLDistributionPoints.reasons<x>

<subsystem>.Policy.rule.CRLDistributionPoints.issuerName<x>

<subsystem>.Policy.rule.CRLDistributionPoints.issuerType<x>

where, <subsystem> must be the prefix designated to the CMS subsystems--it is ca for the Certificate Manager and ra for the Registration Manager--to which the rule belongs.

To add CRL distribution point-specific parameters to the server's configuration:

Stop the CMS instance; see "Stopping Certificate Management System".

Open the configuration file in a text editor; to locate the file, see "Locating the Configuration File".

Add the configuration parameters to the file; see the configuration sample at the end of this procedure.

Save your changes, and close the configuration file.

Start the CMS instance; see "Starting Certificate Management System".

The sample parameters shown below indicate how to create a CRL distribution point extension policy rule for a Certificate Manager. In the sample, note the following:

The first distribution point (point 0) has no reason flags or issuer name.

The second distribution point (point 1) has a directory (distinguished) name.

The third distribution point (point 2) name is relative to the location of the CRL issuer, which is also given as a directory name.

The second and third distribution points are differentiated by their reasons.

ca.Policy.rule.CRLDistributionPoints.numPoints=3

ca.Policy.rule.CRLDistributionPoints.pointName0=

	http://ca.somecorp.com/get/your/crls/here/

ca.Policy.rule.CRLDistributionPoints.pointType0=URI

ca.Policy.rule.CRLDistributionPoints.pointName1=

	CN=CRLCentral,OU=Research Dept.,O=CertCorp,C=US

ca.Policy.rule.CRLDistributionPoints.pointType1=DirectoryName

ca.Policy.rule.CRLDistributionPoints.reasons1=

	keyCompromise,cACompromise

ca.Policy.rule.CRLDistributionPoints.pointName2=CN=SubCN

ca.Policy.rule.CRLDistributionPoints.pointType2=

	RelativeToIssuer

ca.Policy.rule.CRLDistributionPoints.reasons2=

	superseded,cessationOfOperation

ca.Policy.rule.CRLDistributionPoints.issuerName2=

	OU=Research Dept.,O=CertCorp,C=US

ca.Policy.rule.CRLDistributionPoints.issuerType2=DirectoryName

Key Usage Extension Policy

The key usage extension policy plug-in implementation is based on the Key Usage extension. This extension specifies for what purposes the key contained in the certificate should be used: whether the key should be used for data signing, key encipherment, or data encipherment. You can use this extension to restrict the usage of a key pair (or certificate). For example, you can restrict a certificate to be used for digital signature only.

If enabled, the policy adds the key usage extension to all certificates being issued, unless the predicate expression specifies otherwise. The bits set in the key usage extension are formed from the following HTTP input variables:

digital_signature (bit 0)

non_repudiation (bit 1)

key_encipherment (bit 2)

data_encipherment (bit 3)

key_agreement (bit 4)

key_certsign (bit 5)

crl_sign (bit 6)

encipher_only (bit 7)

decipher_only (bit 8)

The input variables are embedded as hidden values in the default enrollment forms--the directory-based enrollment form (DirUserEnroll.html), directory- and PIN-based enrollment form (DirPinUserEnroll.html), and manual enrollment form (ManUserEnroll.html). For details about these forms, see "Forms for Certificate Enrollment".

Figure 15.9 shows the default directory-based enrollment form for end users with the information related to the key usage extension variables highlighted--it shows three of the total number of variables listed above, digital_signature, non_repudiation, and key_encipherment, indicating that these bits be set in certificates requested using this form.

Figure 15.9 Key usage extension-specific variables in enrollment forms

Note that by default only a few variables are included in the form and all their values are set to true. You should make the appropriate modifications to suit your requirements. When adding new variables, the HTML input format must be as follows:

where, variable_name can be any of the HTTP input variables mentioned above.

For general guidelines on setting the key usage extension, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Plug-in for Key Usage Extension Policy

The plug-in module provided for the key usage extension policy is identified as follows:

com.netscape.certsrv.policy.KeyUsageExt

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.KeyUsageExt.class=com.netscape.
certsrv.policy.KeyUsageExt

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

KeyUsageExt

Configurable Parameters

Figure 15.10 shows how the configurable parameters pertaining to the KeyUsageExt policy plug-in implementation are displayed in the CMS window.

Figure 15.10 Parameters and values for the KeyUsageExt module

The configuration shown in Figure 15.10 enforces a rule that the key usage extension must be set in all certificates.

Table 15.14 gives details about each of these parameters.

Table 15.14 Configurable parameters for the key usage extension policy and their values


Parameter name	Description
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. If you enable the rule, the server checks for the key usage extension bits specified by those HTTP input variables whose values are set to true (see Figure 15.9), and sets them in the certificate being issued. If the values of all the input variables are set to false or if the variables are not embedded in the form, the server still sets the digital_signature, non_repudiation, and key_encipherment bits. If you disable the rule, the server ignores the key usage extension-specific input variables, irrespective of whether their values are set to true or false. Example: true Permissible values: Either of the following: true false Object type: String
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==client AND certType==server AND certType==ca Permissible values: See "Using Predicates in Policy Rules". Object type: String

Netscape Certificate Type Extension Policy

The Netscape certificate type extension policy plug-in implementation is based on the Netscape Certificate Type extension. You can use this policy to limit the applications for a certificate. In other words, the extension identifies the type of certificate; for example, it identifies whether the certificate is a CA certificate, server SSL certificate, client SSL certificate, object signing certificate, or S/MIME certificate.

If the extension exists in a certificate, it limits the uses of the certificate to those specified.

If the extension is not present, the certificate can be used for all applications except object signing.

This extension has no default value.

If enabled, the policy adds the Netscape certificate type extension to all certificates it issues, unless the predicate expression specifies otherwise. The bits set in the extension are formed from the following HTTP input variables:

ssl_client (bit 0)

ssl_server (bit 1)

email (bit 2)

object_signing (bit 3)

Reserved for future use (bit 4)

ssl_ca (bit 5)

email_ca (bit 6)

object_signing_ca (bit 7)

The input variables are embedded as hidden values in the default enrollment forms--the directory-based, directory- and PIN-based, and manual enrollment forms. For details about these forms, see "Forms for Certificate Enrollment".

Figure 15.11 shows the default directory-based enrollment form for end users with the information related to the Netscape certificate type extension variables highlighted--it shows two of the total number of variables listed above, ssl_client and email, indicating that these bits be set in certificates requested using this form.

Figure 15.11 Netscape certificate type extension-specific variables in enrollment forms

Note that the default enrollment forms embed variables that are considered appropriate for the type of certificate, such as client, server, or CA, that can be requested using the form. For example, the server enrollment form embeds the ssl_server variable, whereas the subordinate CA (Certificate Manager) enrollment form embeds the ssl_client, email_ca, ssl_ca and object_signing_ca variables.

In general, the forms are set up so that you don't have to make any modifications. However, if there is a need to modify make sure that the HTML input format is as follows:

where variable_name can be any of the variables listed above.

For general guidelines on setting Netscape certificate type extension, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Plug-in for Netscape Certificate Type Extension Policy

The plug-in module provided for the Netscape certificate type extension policy is identified as follows:

com.netscape.certsrv.policy.NSCertTypeExt

In the configuration file, the implementation for this module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.NSCertTypeExt.class=com.netscape.
certsrv.policy.NSCertTypeExt

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

NSCertTypeExt

Configurable Parameters

Figure 15.12 shows how the configurable parameters pertaining to the NSCertTypeExt policy plug-in implementation are displayed in the CMS window.

Figure 15.12 Parameters and values for the NSCertTypeExt module

The configuration shown in Figure 15.12 enforces a rule that the Netscape certificate type extension must be set in all certificates.

Table 15.15 gives details about each of these parameters.

Table 15.15 Configurable parameters for the Netscape certificate type extension policy and their values


Parameter name	Description
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. Example: true Permissible values: Either of the following: true false Object type: String
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==client AND certType==server AND certType==ca Permissible values: See "Using Predicates in Policy Rules". Object type: String

Subject Alternate Name Extension Policy

The SubjectAltNameExt policy plug-in implementation is based on the Subject Alternate Name extension. If enabled, this policy checks the certificate request for a mail attribute, and if it is present, adds the subject alternate name extension to the certificate being issued. Both the built-in directory-based authentication modules can obtain a mail attribute from the authentication directory and set that attribute in the certificate request. For more information on the mail attribute, see the description for the ldapAttributes parameter in Table 9.1 and Table 9.2.

For general guidelines on setting the subject alternate name extension, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Plug-in for Subject Alternate Name Extension Policy

The plug-in provided for the subject alternate name extension policy is identified as follows:

com.netscape.certsrv.policy.SubjectAltNameExt

In the configuration file, CMS.cfg, the implementation for this policy plug-in module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.SubjectAltNameExt.class=com.netscape .certsrv.policy.SubjectAltNameExt

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this policy plug-in module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

SubjectAltNameExt

Configurable Parameters

Table 15.16 provides details for the configurable parameters pertaining to the SubjectAltNameExt policy plug-in implementation.

Table 15.16 Configurable parameters for the subject alternate name extension policy and their values


Parameter name	Description
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. Example: true Permissible values: Either of the following: true false Object type: String
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==client Permissible values: See "Using Predicates in Policy Rules". Object type: String

Subject Key Identifier Extension Policy

The SubjectKeyIDExt policy plug-in implementation is based on the Subject Key Identifier extension. This extension provides a means of identifying certificates that contain a particular public key. In other words, this extension is used to uniquely identify a certificate from among several that have the same subject name.

The key identifier set in the extension is the MD5 hash of the subject's public key information.

If enabled, this policy adds the subject key identifier extension to all certificates being issued, unless the predicate specifies otherwise. To facilitate chain building, this extension must appear in all conforming subordinate CA certificates (subordinate Certificate Managers' CA signing certificates).

Therefore, the predicate expression is set to certType==ca by default--so that the extension is added to only subordinate CA certificates. However, you may modify the predicate expression to add this extension to other or all certificates.

If added to end-entity certificates, the subject key identifier extension provides a means for identifying certificates containing the particular public key used in an application. If an end entity has multiple certificates, especially from multiple CAs, the subject key identifier provides a means to quickly identify the set of certificates containing a particular public key. If you want to assist applications in identifying the appropriate end-entity certificate, you should modify the predicate expression to add this extension to all end-entity certificates.

For general guidelines on setting the subject key identifier extension, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Plug-in for Subject Key Identifier Extension Policy

The plug-in provided for the subject key identifier extension policy is identified as follows:

com.netscape.certsrv.policy.SubjectKeyIdExt

In the configuration file, CMS.cfg, the implementation for this policy plug-in module is identified as follows; you can find it in the Policy section:

<subsystem>.Policy.impl.SubjectKeyIdentifierExt.class=com.
netscape.certsrv.policy.SubjectKeyIdExt

where <subsystem> indicates ca or ra (prefix identifying the subsystem)

In the CMS window, the implementation for this policy plug-in module is identified as follows; you can find it in the Policy Plugin Registration tab of the corresponding subsystem:

SubjectKeyIdentifierExt

Configurable Parameters

Figure 15.13 shows how the configurable parameters pertaining to the SubjectKeyIDExt policy plug-in implementation are displayed in the CMS window.

Figure 15.13 SubjectKeyIDExt plug-in module: configurable parameters

The configuration shown in Figure 15.13 enforces a rule that the subject key identifier extension must be set in all CA certificates.

Table 15.17 provides details for each of these parameters.

Table 15.17 Description of configuration parameters in the subject key identifier extension plug-in module


Parameter name	Description
enable	Specifies whether the rule is enabled or disabled. To enable the rule, enter true; to disable the rule, enter false. By default, the rule is enabled. Example: true Permissible values: Either of the following: true false Object type: String
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank. By default, the rule is applied to all certificate requests. Example: certType==ca Permissible values: See "Using Predicates in Policy Rules". Object type: String