Chapter 4: Certificate Extension Plug-in Modules (page 217)
NSCertTypeExt Rule
The policy rule named NSCertTypeExt is an instance of the NSCertTypeExt
module. Certificate Management System automatically creates this rule during
installation. By default, the rule is configured as follows:
• The rule is enabled.
• The predicate expression is set so that the extension gets added to all
  certificates except the ones issued to routers
  (predicate=HTTP_PARAMS.certType!=CEP-Request).
• The server sets the default bits if the bits are unspecified in the enrollment
  form.
For details on individual parameters defined in the rule, see Table 4-20 on
page 216. You need to review this rule and make the changes appropriate for your
PKI setup. For instructions, see section “Step 2. Modify Existing Policy Rules” in
Chapter 18, “Setting Up Policies” of CMS Installation and Setup Guide. For
instructions on adding additional instances, see section “Step 4. Add New Policy
Rules” in the same chapter.
OCSPNoCheckExt Plug-in Module
The OCSPNoCheckExt plug-in module implements the OCSP no check extension
policy. This policy enables you to configure Certificate Management System to add
the OCSP No Check Extension defined in X.509 and PKIX standard RFC 2560 (see
http://www.ietf.org/rfc/rfc2560.txt) to certificates. The extension, which
should be used in OCSP responder certificates only, indicates how
OCSP-compliant applications can verify the revocation status of the certificate an
authorized OCSP responder uses to sign OCSP responses.
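The following check is an added example, not part of the CMS guide or its code: it scans a DER-encoded Extensions block for the OCSP No Check extension and reports when it appears on a certificate that is not an OCSP responder certificate. It assumes a responder certificate is recognised by the id-kp-OCSPSigning extended key usage from RFC 2560; the function names and the two sample extension blocks are constructed for illustration.

```python
# OID content octets (DER, without tag and length); dotted forms in comments.
NOCHECK = bytes.fromhex("2b0601050507300105")     # 1.3.6.1.5.5.7.48.1.5 id-pkix-ocsp-nocheck
EKU = bytes.fromhex("551d25")                     # 2.5.29.37 extendedKeyUsage
OCSP_SIGNING = bytes.fromhex("2b06010505070309")  # 1.3.6.1.5.5.7.3.9 id-kp-OCSPSigning
SERVER_AUTH = bytes.fromhex("2b06010505070301")   # 1.3.6.1.5.5.7.3.1 id-kp-serverAuth

def tlv(tag, body):
    """DER-encode one tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlvs(data):
    """Yield (tag, value) for each TLV found back to back in data."""
    i = 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:                      # long form: low 7 bits give the length size
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        if i + n > len(data):
            raise ValueError("truncated DER")
        yield tag, data[i:i + n]
        i += n

def ext(oid, value, critical=False):
    """Build one Extension: SEQUENCE { OID, [BOOLEAN critical], OCTET STRING }."""
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, oid) + crit + tlv(0x04, value))

def audit_extensions(der):
    """Return (has_nocheck, nocheck_value_is_null, has_ocsp_signing_eku)."""
    (_, exts), = read_tlvs(der)           # outer Extensions SEQUENCE
    found = {}
    for _, body in read_tlvs(exts):
        fields = list(read_tlvs(body))    # first field is the OID, last the value
        found[fields[0][1]] = fields[-1][1]
    ekus = [v for _, seq in read_tlvs(found.get(EKU, b"")) for _, v in read_tlvs(seq)]
    return NOCHECK in found, found.get(NOCHECK) == b"\x05\x00", OCSP_SIGNING in ekus

def misissued(der):
    """True when No Check is present on a certificate that is not an OCSP signer."""
    has_nocheck, _, is_responder = audit_extensions(der)
    return has_nocheck and not is_responder

# Constructed samples: a responder certificate and a TLS server certificate.
RESPONDER = tlv(0x30, ext(EKU, tlv(0x30, tlv(0x06, OCSP_SIGNING))) + ext(NOCHECK, b"\x05\x00"))
TLS_SERVER = tlv(0x30, ext(EKU, tlv(0x30, tlv(0x06, SERVER_AUTH))) + ext(NOCHECK, b"\x05\x00"))
```

A certificate flagged by `misissued` would be exempt from revocation checking in clients that honour the extension, which is why a policy rule that adds it needs a predicate restricting it to responder certificates.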
The online certificate status protocol (OCSP) enables OCSP-compliant applications
to determine the revocation status of a certificate being validated. Certificate
Management System supports the OCSP service—you can configure a Certificate
Manager to publish CRLs to an online validation authority, also called OCSP
responder (see Chapter 21, “Setting Up an OCSP Responder” of CMS Installation
and Setup Guide). If you configure Certificate Management System to work with an
OCSP responder, OCSP-compliant applications in your PKI setup will be able to do
real-time verification of certificates by querying the OCSP responder for their
revocation status. Note that these applications will be able to query the OCSP
Source: Netscape Certificate Management System Plug-Ins Guide, Version 6.0, March 2002.