SubjectKeyIdentifierExt Plug-in Module
Chapter
4
Certificate Extension Plug-in Modules
245
SubjectKeyIdentifierExt Rule
The policy rule named
SubjectKeyIdentifierExt
is an instance of the
SubjectKeyIdentifierExt
module. Certificate Management System
automatically creates this rule during installation. By default, the rule is configured
as follows:
•
The rule is enabled.
•
The predicate expression is set (
predicate=HTTP_PARAMS.certType==ca
) so
that the extension gets added to CA certificates only. (PKIX and Federal PKI
standards recommend that CA certificates must have this extension and
end-entity certificates should have this extension.)
•
The key identifier is a 20 byte (160 bit) SHA-1 hash of the BIT STRING of
Subject Public Key (
KeyIdentifierType=SHA1
).
predicate
Specifies the predicate expression for this rule. If you want this rule to be applied
to all certificate requests, leave the field blank (default). To form a predicate
expression, see section “Using Predicates in Policy Rules” in Chapter 18, “Setting
Up Policies” of CMS Installation and Setup Guide.
Example:
HTTP_PARAMS.certType==ca
critical
Specifies whether the extension should be marked critical or noncritical in
certificates specified by the
predicate
parameter. Check the box if you want
the server to mark the extension critical. Uncheck the box if you want the server
to mark the extension noncritical (default).
KeyIdentifierType
Specifies the method for deriving Key Identifier.
Permissible values:
SHA1
,
TypeField
, or
SpkiSHA1
.
•
SHA1
specifies that the key identifier must be derived as a 20 byte (160 bit)
SHA-1 hash of the BIT STRING of Subject Public Key (default).
•
TypeField
specifies that the key identifier must be derived as a type field
value of 0100 followed by 60 least significant bits of the SHA-1 hash of the
Subject Public Key.
•
SpkiSHA1
specifies that the key identifier must be derived as a 20 byte (160
bit) SHA-1 hash of the Subject Public Key Info.
Example:
SHA1
Table 4-28
Description of configuration parameters defined in the SubjectKeyIdentifierExt module
Parameter
Description
Summary of Contents for Certificate Management System 6.0
Page 1: ...Plug Ins Guide Netscape Certificate Management System Version6 0 March 2002...
Page 10: ...10 Netscape Certificate Management System Plug Ins Guide March 2002...
Page 62: ...Enrollment Forms 62 Netscape Certificate Management System Plug Ins Guide March 2002...
Page 308: ...NTEventLog Plug in Module 308 Netscape Certificate Management System Plug Ins Guide March 2002...