ValidityConstraints Plug-in Module
120
Netscape Certificate Management System Plug-Ins Guide • March 2002
UniqueSubjectNameConstraints Rule
The rule named
UniqueSubjectNameConstraints
is an instance of the
UniqueSubjectNameConstraints
module. Certificate Management System
automatically creates this rule during installation. By default, the rule is configured
as follows:
•
The rule is disabled; for the rule to be effective, it must be enabled and
configured appropriately.
•
The certificate requests are checked for subject name uniqueness after agents
process the requests for approval—if you’re using manual enrollment and
deferred requests.
•
The certificate requests are checked for Key Usage extension.
•
The predicate expression is left blank so that the rule is applied to all certificate
enrollment and renewal requests processed by the server.
For details on individual parameters defined in the rule, see Table 3-12 on
page 118. You need to review this rule and make the changes appropriate for your
PKI setup. For instructions, see section “Step 2. Modify Existing Policy Rules” in
Chapter 18, “Setting Up Policies” of CMS Installation and Setup Guide. For
instructions on adding additional instances, see section “Step 4. Add New Policy
Rules” in the same chapter.
ValidityConstraints Plug-in Module
The
ValidityConstraints
plug-in module implements the validity constraints
policy. This policy enforces minimum and maximum validity periods for
certificates and changes them if the policy is not met. Specifically, the policy
imposes constraints on the following:
•
The duration of a certificate’s validity period (based on supported minimum
and maximum validity periods).
•
The lead and lag time for the beginning date and time (the
notBefore
and
notAfter
attributes in certificate requests) for the validity period; how far back
into the front or back the
notBefore
date could go in minutes.
If this policy rule is enabled, the server applies the rule to the certificate request
being processed, and then determines if the validity period in the request is
acceptable. The rule checks two X.509 attributes of the certificate, the
notBefore
and
notAfter
time, which together indicate the total validity life of a certificate, to
make sure that they conform to the configured ranges.
Summary of Contents for Certificate Management System 6.0
Page 1: ...Plug Ins Guide Netscape Certificate Management System Version6 0 March 2002...
Page 10: ...10 Netscape Certificate Management System Plug Ins Guide March 2002...
Page 62: ...Enrollment Forms 62 Netscape Certificate Management System Plug Ins Guide March 2002...
Page 308: ...NTEventLog Plug in Module 308 Netscape Certificate Management System Plug Ins Guide March 2002...