Netscape Certificate Management System Administrator's Guide: Extension-Specific Policy Modules

Certificate:

	Data:

		Version: v3 (0x2)

...

Extensions:

	Identifier: Certificate Type

		Critical: no

		Certified Usage:

			SSL CA

	Identifier: Subject Key Identifier

		Critical: no

		Value:

		2c:22:c6:ae:4e:4b:91:c7:fb:4c:cc:ae:84:e8:aa:5b:46:6a:a0:ad

	Identifier: Authority Key Identifier

		Critical: no

		Key Identifier:

		2c:22:c6:ae:4e:4b:91:c7:fb:4c:cc:ae:84:e8:aa:5b:46:6a:a0:ad

Object Identifier

An object identifier (OID) is a string of numbers identifying a unique object, for example, a certificate extension or a company's certificate practice statement. For general information on OIDs, see the information at this URL:

http://www.alvestrand.no/objectid/

OIDs are controlled by the International Standards Organization (ISO) registration authority. In some cases, this authority is delegated by ISO to regional registration authorities. For example, in the United States, the American National Standards Institute (ANSI) manages this registration.

Registration of Object Identifiers

To promote interoperatability, the PKIX standard recommends that all objects (such as extensions and policy statements) that appear in certificates that will be used in networks shared by other organizations should be included in the form of OIDs. If you plan to issue certificates that will be used in such networks, you should register your object identifier prefixes with the appropriate registration authority. For example, assume you want to add a custom extension that points to a certificate practice statement (CPS) of your company. To implement this, you need to compose the policy statement you want to include in the extension, define an OID for the policy statement, and configure Certificate Management System with the OID so that it can add that to the certificate it issues.

The use of an OID registered to another organization or the failure to register an OID may carry legal consequences, depending on context. Registration may be subject to fees. For more information, you should contact the appropriate registration authority.

To define or assign OIDs for your objects, you must know your company's arc, which is an OID for a private enterprise. If your company doesn't have an arc, it needs to get one. This URL contains information on registering for a company arc:

http://www.isi.edu/cgi-bin/iana/enterprise.pl

To understand why you need to have a company arc, check the information at this site:

http://www.alvestrand.no/objectid/2.16.840.1.113730.1.13.html

The site contains information on Netscape-defined OID for an extension named Netscape Certificate Comment. Note that the OID assigned to this extension is hierarchical and it includes the Netscape company arc, which is 2.16.840.1.113730. Every OID Netscape owns has this prefix.

When determining whether to add custom extension to certificates, keep in mind that if the extension exists in a certificate and if it is marked critical, the application validating the certificate must be able to interpret the extension (including the optional qualifiers, if any), or else it must reject the certificate. Since it's unlikely that all applications will be able to interpret your company's extensions (embedded in the form of OIDs), the PKIX standard recommends that the extension be always marked noncritical. For general guidelines on setting extensions in certificates, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Overview of Extension-Specific Policy Modules

To enable you to add standard and private extensions to end-entity certificates, Certificate Management System provides a set of policy plug-in modules; each module enables you to add a particular extension to a certificate request. Plug-in modules are implemented as Java classes and are registered in the CMS policy framework. The Policy Plugin Registration tab of the CMS window (Figure 18.1) lists all the modules that are registered with a CMS instance.

When deciding whether to add any of the X.509 v3 certificate extensions, keep in mind that not all applications support X.509 v3 extensions. Among the applications that do support extensions, not all applications will recognize every extension. For general guidelines on using extensions in certificates, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Figure 18.1 Extension policy modules registered with a Certificate Manager

Table 18.1 lists extension-specific policy modules that are installed with a Certificate Manager. A Registration Manager installation also includes all the modules, expect for the ones noted below:

AuthorityKeyIdentifierExt

BasicConstraintsExt

NameConstraintsExt

PolicyConstraintsExt

PolicyMappingsExt

You can use these modules to configure a Certificate Manager and Registration Manager to add extensions to certificates. Both subsystems add extensions to a certificate request when it undergoes policy processing (see "Policy Processor"). Keep in mind that the changes made to a request by a Registration Manager may be overwritten by a Certificate Manager when it subjects the request to its own policy checks.

Table 18.1 Default extension-specific policy plug-in modules


Plug-in module	Function
AuthInfoAccessExt	Adds the Authority Information Access extension to certificates. For details, see "Authority Information Access Extension Policy".
AuthorityKeyIdentifierExt	Adds the Authority Key Identifier extension to certificates. For details, see "Authority Key Identifier Extension Policy".
BasicConstraintsExt	Adds the Basic Constraints extension to certificates. For details, see "Basic Constraints Extension Policy".
CertificatePoliciesExt	Adds the Certificate Policies extension to certificates. For details, see "Certificate Policies Extension Policy".
CertificateRenewalWindowExt	Adds the Certificate Renewal Window extension to certificates. For details, see "Certificate Renewal Window Extension Policy".
CertificateScopeOfUseExt	Adds the Certificate Scope of Use extension to certificates. For details, see "Certificate Scope of Use Extension Policy".
CRLDistributionPointsExt	Adds the CRL Distribution Points extension to certificates. For details, see "CRL Distribution Points Extension Policy".
ExtendedKeyUsageExt	Adds the Extended Key Usage extension to certificates. For details, see "Extended Key Usage Extension Policy".
GenericASN1Ext	Adds ASN.1 type custom extension to certificates. For details, see "Generic ASN.1 Extension Policy".
IssuerAltNameExt	Adds the Issuer Alternative Name extension to certificates. For details, see "Issuer Alternative Name Extension Policy".
KeyUsageExt	Adds the Key Usage extension to certificates. For details, see "Key Usage Extension Policy".
NameConstraintsExt	Adds the Name Constraints extension to certificates. For details, see "Name Constraints Extension Policy".
NSCCommentExt	Adds the Netscape Certificate Comment extension to certificates. For details, see "Netscape Certificate Comment Extension Policy".
NSCertTypeExt	Adds the Netscape Certificate Type extension to certificates. For details, see "Netscape Certificate Type Extension Policy".
OCSPNoCheckExt	Adds the OCSP No Check extension to certificates. For details, see "OCSP No Check Extension Policy".
PolicyConstraintsExt	Adds the Policy Constraints extension to certificates. For details, see "Policy Constraints Extension Policy".
PolicyMappingsExt	Adds the Policy Mappings extension to certificates. For details, see "Policy Mappings Extension Policy".
PrivateKeyUsagePeriodExt	Adds the Private Key Usage Period extension to certificates. For details, see "Private Key Usage Period Extension Policy".
SubjectAltNameExt	Adds the Subject Alternative Name extension to certificates. For details, see "Subject Alternative Name Extension Policy".
SubjectDirectoryAttributesExt	Adds a Subject Directory Attributes extension to certificates. For details, see "Subject Directory Attributes Extension Policy".
SubjectKeyIdentifierExt	Adds the Subject Key Identifier extension to certificates. For details, see "Subject Key Identifier Extension Policy".

As indicated in Table 18.1, Certificate Management System enables you to add almost all of the extensions defined in the PKIX standard RFC 2459 (http://www.ietf.org/rfc/rfc2459.txt). All modules have three features in common, enabling you to specify these:

Whether to add the extension to certificates.

The certificates to which the extension is to be added.

Whether to mark the extension critical or noncritical.

Additionally, the server also provides a module for adding any custom, ASN.1 type extensions. If you determine that the default policy modules do not meet your requirements entirely, you can develop a custom module using CMS SDK. It is available in the form of Java Docs at this location:

<server_root>/cms_sdk/sdkdocs

For general guidelines on developing custom policy modules and adding them to the CMS policy framework, take a look at the samples installed at these locations:

<server_root>/cms_sdk/samples/policy and
<server_root>/cms_sdk/samples/exttools

For instructions to configure a Certificate Manager and Registration Manager to use one or more of the policy modules, see "Configuring a Subsystem's Policies".

Authority Information Access Extension Policy

The AuthInfoAccessExt plug-in module implements the authority information access extension policy. This policy enables you to configure Certificate Management System to add the Authority Information Access Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension specifies how the application validating the certificate can access information, such as on-line validation services and CA policy statements, about the CA that has issued the certificate in which the extension appears. Note that this extension should not be used to point directly to the CRL location maintained by the CA; the CRL Distribution Points extension explained in "CRL Distribution Points Extension Policy" allows you to reference to CRL locations.

The PKIX standard recommends that you may include the authority information access extension in end-entity and CA certificates and that the extension be marked noncritical. For general guidelines on setting the authority information access extension, see "authorityInfoAccess" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

The authority information access extension policy in Certificate Management System allows you to set the authority information access extension as defined in its X.509 definition. The policy enables you to specify any number of access points for CA information. For each access point, you can specify the access method, actual location that contains the additional information about the CA, and the mechanism for retrieving the information. The location can be specified in any of the following general-name forms: an rfc822name, a directory name, a DNS name, an EDI party name, a uniform resource indicator (URI), an IP address, an object identifier (OID), and any other name.

By default, the policy supports two access methods:

caIssuers (this method is also identified by its OID, 1.3.6.1.5.5.7.48.2).

As specified in the PKIX standard, you should use the caIssuers method when the additional information is a list of parent CAs or CAs that have issued certificates superior to the CA that issued the certificate containing the extension. The certificate-using application may use the list of parent CAs referenced by the extension to determine the certification path and to check whether the path terminates at a point trusted by the certificate user.

When you use the caIssuers method, the access location referenced in the extension must take any of the following general-name forms:

Uniform resource identifier (URI) if the information is available via HTTP, FTP, or LDAP.

An X.500 directory name if the information is available via the directory access protocol (DAP).

An rfc822Name if the information is available via electronic mail.

ocsp (this method is also identified by its OID, 1.3.6.1.5.5.7.48.1).

The ocsp method indicates to the certificate-using client that it must use the OCSP protocol to access the location that contains additional information about the CA that has issued the certificate. You should use the ocsp method when you want to reference to the online validation authority that maintains the revocation status of certificates issued by the CA.

When you use the ocsp method, the access location referenced in the extension must be a uniform resource indicator (URI); this means, the location type must be URL and the location value must be the complete URL (including the port number) at which the online validation authority for the CA is listening for OCSP requests from OCSP-compliant clients.

The built-in support for the ocsp access method and a URI value for the access location in the extension conform to the profile defined in RFC 2560 (see http://www.ietf.org/rfc/rfc2560.txt) for CAs that support the OCSP service. For details about OCSP support in Certificate Management System, see "Supported Methods for Verifying Revocation Status of Certificates".

If you configure a Certificate Manager to publish CRLs to an OCSP responder and want to include the authority information access extension referencing to the responder, you should configure an instance of this policy as follows: access method is set to ocsp, name type is set to URI, and name value is set to the URL at which the OCSP responder listens to OCSP requests. This way, OCSP-compliant applications can verify the revocation status of certificates issued by the Certificate Manager by accessing the validation authority using the OCSP method.

Unlike some of the other policy modules, Certificate Management System does not create an instance of the AuthInfoAccessExt module during installation. If you want the server to add this extension to certificates, you must create an instance of the said module and configure it. For instructions, see "Step 4. Add New Policy Rules").

AuthInfoAccessExt Module

The Java class that implements the authority information access extension policy is as follows:

com.netscape.certsrv.policy.AuthInfoAccessExt

In the CMS configuration file, the module is identified as follows: <subsystem>.Policy.impl.AuthInfoAccessExt.class=com.
netscape.certsrv.policy.AuthInfoAccessExt

where <subsystem> is ca or ra (prefix identifying the subsystem)

In the CMS window, the module is identified as follows: AuthInfoAccessExt

Figure 18.2 shows how the configurable parameters for the AuthInfoAccessExt module are displayed in the CMS window.

Figure 18.2 Parameters defined in the AuthInfoAccessExt module

The configuration shown in Figure 18.2 creates a policy rule named AuthInfoAccessExtForClientCert, which enforces a rule that the server should add the authority information access extension to client certificates. The extension indicates that the online validation service (or the OSCSP responder) for the CA that has issued these certificates is at this URL:

http://ocspResponder.siroe.com:8000

The extension is marked noncritical (to comply with the PKIX recommendation).

Table 18.2 gives details about the configurable parameters defined in the AuthInfoAccessExt module.

Table 18.2 Description of parameters defined in the AuthInfoAccessExt module


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. If you enable the rule and set the remaining parameters correctly, the server adds the authority information access extension to certificates specified by the predicate parameter. If you disable the rule, the server does not add the extension to certificates; it ignores the values in the remaining fields.
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see "Using Predicates in Policy Rules". Example: HTTP_PARAMS.certType==client
critical	Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate parameter. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).
numADs	Specifies the total number of access locations to be contained or allowed in the extension. By default, this field is set to 3 and the UI shows fields for configuring three locations. You can change the total number of locations by changing the value assigned to this parameter; there's no restriction on the total number of locations you can include in the extension. Note that each location has its own set of configuration parameters and you must specify appropriate values for each of those parameters; otherwise the policy rule will return an error. Each set of configuration parameters is distinguished by <n>, which is an integer derived from the value you assign in this field. For example, if you set the numADs parameter to 2, <n> would be 0 and 1. Permissible values: 0 or n. 0 specifies that no locations can be contained in the extension. n specifies the total number of locations to be included in the extension; it must be an integer greater than zero. The default value is 3. Example: 2
ad<n>_method	Specifies the access method for retrieving additional information about the CA that has issued the certificate in which the extension appears. Permissible values: ocsp (or 1.3.6.1.5.5.7.48.1). caIssuers (or 1.3.6.1.5.5.7.48.2). Example 1: ocsp Example 2: 1.3.6.1.5.5.7.48.1
ad<n>_location_type	Specifies the general-name type for the location that contains additional information about the CA that has issued the certificate in which this extension appears. Permissible values: rfc822Name, directoryName, dNSName, ediPartyName, URL, iPAddress, OID, or otherName. Select rfc822Name if the location is an Internet mail address. Select directoryName if the location is an X.500 directory name. Select dNSName if the location is a DNS name. Select ediPartyName if the location is a EDI party name. Select URL if the location is a uniform resource identifier (default). Select iPAddress if the location is an IP address. Select OID if the location is an object identifier. Select otherName if the location is in any other name form. Example: URL
ad<n>_location	Specifies the address or location to get additional information about the CA that has issued the certificate in which this extension appears. Permissible values: Depends on the location type you specified in the ad<n>_location_type field. If you selected rfc822Name, the value must be a valid Internet mail address in the local-part@domain format; see the definition of an rfc822Name as defined in RFC 822 (http://www.ietf.org/rfc/rfc0822.txt). You may use upper and lower case letters in the mail address; no significance is attached to the case. Example: ocspResponder@siroe.com
	If you selected directoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate, in the RFC 2253 syntax (see http://www.ietf.org/rfc/rfc2253.txt). Note that RFC 2253 replaces RFC 1779. Example: CN=corpDirectory, OU=IS, O=Siroe.com, C=US
	If you selected dNSName, the value must be a valid domain name in the preferred-name syntax as specified in RFC 1034 (http://www.ietf.org/rfc/rfc1034.txt). You may use upper and lower case letters in the domain name; no significance is attached to the case. Do not use the string " " for the DNS name. Also don't use the DNS representation for Internet mail addresses; such identities should be encoded as rfc822Name. Example: ocspResponder.siroe.com
	If you selected ediPartyName, the value must be an IA5String. Example: Siroe Corporation
	If you selected URL, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules specified in RFC 1738 (http://www.ietf.org/rfc/rfc1738.txt). That is, the name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host. Example: http://ocspResponder.siroe.com:8000
	If you selected iPAddress, the value must be a valid IP address specified in dot-separated numeric component notation. The syntax for specifying the IP address is as follows: For IP version 4 (IPv4), the address should be in the form specified in RFC 791 (http://www.ietf.org/rfc/rfc0791.txt). IPv4 address must be in the n.n.n.n format; for example, 128.21.39.40. IPv4 address with netmask must be in the n.n.n.n,m.m.m.m format. For example, 128.21.39.40,255.255.255.00. For IP version 6 (IPv6), the address should be in the form described in RFC 1884 (http://www.ietf.org/rfc/rfc1884.txt), with netmask separated by a comma. Examples of IPv6 addresses with no netmask are 0:0:0:0:0:0:13.1.68.3 and FF01::43. Examples of IPv6 addresses with netmask are 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0 and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
	If you selected OID, the value must be a unique, valid OID specified in dot-separated numeric component notation. Although you can invent your own OIDs for the purposes of evaluating and testing this server, in a production environment, you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs. See "Object Identifier" for information on allocating private OIDs. Example: 1.2.3.4.55.6.5.99
	If you selected otherName, the value must be the absolute path to the file containing the base-64 encoded string of the location. Example: /usr/netscape/server4/ext/aia/othername.txt

Authority Key Identifier Extension Policy

The AuthorityKeyIdentifierExt plug-in module implements the authority key identifier extension policy. This policy enables you to configure Certificate Management System to add the Authority Key Identifier Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension is used to identify the public key that corresponds to the private key used by a CA to sign certificates.

You should consider adding this extension to all certificates, especially CA certificates, issued by Certificate Management System. The reason is, in certain situations, a CA's public key may change (for example, when the key gets updated) or the CA may have multiple signing keys (either due to multiple concurrent key pairs or due to key changeover). In these cases, the CA ends up with more than one distinct key. When verifying a signature on a certificate, other applications need to know which key was used in the signature. The extension, if present in a certificate, enables applications (those that can use the extension) to identify the correct key to use in situations when multiple keys exist; the extension specifies the public key to be used to verify the signature on the certificate.

For general guidelines on setting the authority key identifier extension, see "authorityKeyIdentifier" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

The authority key identifier extension policy in Certificate Management System allows setting of the authority key identifier extension as defined in its X.509 definition with key identifiers. The policy enables you to specify what is to be done if the CA certificate does not have a subject key identifier extension--whether to use the a SHA-1 hash of the CA's subject public key information (carries the public key and identifies the algorithm with which the key is used) or skip adding the authority key identifier extension itself. For information on setting the subject key identifier extension in certificates, see "Subject Key Identifier Extension Policy".

Note that PKIX and Federal PKI standards recommend against the use of authorityCertIssuer and authorityCertSerialNumber fields of the X.509 definition.

If enabled, the policy does the following:

Sets the authority key identifier extension in certificates using the CA's key identifier in the CA's subject key identifier extension, if it exists. In the absence of a subject key identifier extension, the policy does either of the following (as specified by the configuration):

Uses the SHA-1 hash of the CA's subject public key information as the key identifier. This option is compatible with Netscape Communicator when the CA does not have a subject public key identifier extension.

Does not set the authority key identifier extension.

Adds a authority key identifier extension to an enrollment request if the extension does not already exist. If the extension exists in the request, for example from a CRMF request, the policy replaces the extension. In case of manual enrollments, after an agent approves the enrollment request, the policy accepts any authority key identifier extension that is already there.

During installation, Certificate Management System automatically creates an instance of the authority key identifier extension policy. See "AuthorityKeyIdentifierExt Rule".

AuthorityKeyIdentifierExt Module

The Java class that implements the authority key identifier extension policy is as follows:

com.netscape.certsrv.policy.AuthorityKeyIdentifierExt

In the CMS configuration file, the module is identified as follows: ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.certsrv.policy.AuthorityKeyIdentifierExt

In the CMS window, the module is identified as follows: AuthorityKeyIdentifierExt

Figure 18.3 shows how the configurable parameters for the AuthorityKeyIdentifierExt module are displayed in the CMS window.

Figure 18.3 Parameters defined in the AuthorityKeyIdentifierExt module

The configuration shown in Figure 18.3 creates a policy rule named AuthKeyIDExtForCACert, which enforces a rule that the server should set the authority key identifier extension in all CA certificates.

Table 18.3 gives details about each of these parameters.

Table 18.3 Description of parameters defined in the AuthorityKeyIdentifierExt module


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. If you enable the rule and set the remaining parameters correctly, the server adds the authority key identifier extension to certificates specified by the predicate parameter. If you disable the rule, the server does not add the extension to certificates; it ignores the values in the remaining fields.
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see "Using Predicates in Policy Rules". Example: HTTP_PARAMS.certType==ca
critical	Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate parameter. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).
AltKeyIdType	Specifies what should be done if the CA certificate does not have a Subject Key Identifier extension. Permissible values: SpkiSHA1 or None. Select SpkiSHA1 if you want the server to use a SHA-1 hash of the CA's subject public key information (default). Select None if you don't want the server to set the authority key identifier extension in certificates. Example: SpkiSHA1

AuthorityKeyIdentifierExt Rule

The rule named AuthorityKeyIdentifierExt is an instance of the AuthorityKeyIdentifierExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows:

The rule is enabled.

The predicate expression is left blank so that the extension gets added to all certificates the server issues.

The extension is marked noncritical (to comply with the PKIX recommendation).

The rule specifies that a SHA-1 hash of the CA's subject public key info be used if the CA certificate does not have a Subject Key Identifier extension (AltKeyIdType=SpkiSHA1).

For details on individual parameters defined in the rule, see Table 18.3. You need to review this rule and make the changes appropriate for your PKI setup. For instructions, see "Step 2. Modify Existing Policy Rules". For instructions on adding additional instances, see "Step 4. Add New Policy Rules".

Basic Constraints Extension Policy

The BasicConstraintsExt plug-in module implements the basic constraints extension policy. This policy enables you to configure Certificate Management System to add the Basic Constraints Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in certificates. The extension identifies whether the Certificate Manager is a CA. In addition, the extension is also used during the certificate chain verification process to identify CA certificates and to apply certificate chain-path length constraints.

You should consider adding this extension to all CA certificates (root as well as subordinate) issued by Certificate Management System. The current PKIX standard requires that this extension be marked critical and that it appear in all CA certificates. The standard also recommends that the extension should not appear in end-entity certificates. For general guidelines on setting the basic constraints extension, see "basicConstraints" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Because the basic constraints extension is a critical extension and is used by applications to determine the path length during certificate validation to chain up to the trusted CA, it's important that you set this extension correctly.

Also note that when a user submits a certificate request using the manual-enrollment method, the basic constraints extension is set on that request as per the configured policy, and then the request is queued for agent approval. When an agent approves the request, it is subjected to the configured policy again. If there's a change in the configuration of the basic constraints extension, the server may reject the agent-approved request. For the server to approve the request, the user will have to resubmit the request.

During installation, Certificate Management System automatically creates an instance of the basic constraints extension policy. See "BasicConstraintsExt Rule".

BasicConstraintsExt Module

The Java class that implements the basic constraints extension policy is as follows:

com.netscape.certsrv.policy.BasicConstraintsExt

In the CMS configuration file, the module is identified as follows: ca.Policy.impl.BasicConstraintsExt.class=com.netscape.
certsrv.policy.BasicConstraintsExt

In the CMS window, the module is identified as follows: BasicConstraintsExt

Figure 18.4 shows how the configurable parameters for the BasicConstraintsExt module are displayed in the CMS window.

Figure 18.4 Parameters defined in the BasicConstraintsExt module

The configuration shown in Figure 18.4 creates a policy rule named BasicConsExtForCACert, which enforces a rule that the server should set the basic constraints extension in all CA certificates.

Table 18.4 gives details about each of these parameters.

Table 18.4 Description of parameters defined in the BasicConstraintsExt module


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. If you enable the rule and set the remaining parameters correctly, the server adds the basic constraints extension to certificates specified by the predicate parameter. If you disable the rule, the server does not add the extension to certificates; it ignores the values in the remaining fields.
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see "Using Predicates in Policy Rules". Example: HTTP_PARAMS.certType==ca
critical	Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate parameter. Check the box if you want the server to mark the extension critical (default). Uncheck the box if you want the server to mark the extension noncritical.
maxPathLen	Specifies the path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. Note that the path length you specify affects the number of CA certificates to be used during certificate validation. The chain starts with the end-entity certificate being validated and moving up the chain. The maxPathLen parameter has no effect if the extension is set in end-entity certificates. Permissible values: 0 or n. Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing certificate (owned by the CA that will issue these certificates). 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued--that is, only an end-entity certificate may follow in the path. n must be an integer greater than zero. It specifies at the most n subordinate CA certificates are allowed below the subordinate CA certificate being used. If you leave the field blank, the path length defaults to a value that is determined by the path length set on the Basic Constraints extension in the issuer's certificate. If the issuer's path length is unlimited, the path length in the subordinate CA certificate will also be unlimited. If the issuer's path length is an integer greater than zero, the path length in the subordinate CA certificate will be set to a value that's one less than the issuer's path length; for example, if the issuer's path length is 4, the path length in the subordinate CA certificate will be set to 3. Example: 2
isCA	Specifies whether the certificate subject is a CA. If you select the option, the server checks the maxPathLen parameter and sets the specified path length in the certificate. If you deselect the option, the server treats the certificate subject as a non-CA and ignores the value specified for the maxPathLen parameter.

BasicConstraintsExt Rule

The rule named BasicConstraintsExt is an instance of the BasicConstraintsExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows:

The rule is enabled.

The predicate expression is set (predicate=HTTP_PARAMS.certType==ca) so that the extension gets added to CA certificates only.

The extension is marked critical to comply with the PKIX recommendation.

The path length field (maxPathLen) is left blank so that it defaults to a value that is determined by the path length set on the Basic Constraints extension in the issuer's certificate.

For details on individual parameters defined in the rule, see Table 18.4. You need to review this rule and make the changes appropriate for your PKI setup. For instructions, see "Step 2. Modify Existing Policy Rules". For instructions on adding additional instances, see "Step 4. Add New Policy Rules".

Certificate Policies Extension Policy

The CertificatePoliciesExt plug-in module implements the certificate policies extension policy. This policy enables you to configure Certificate Management System to add the Certificate Policies Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in certificates. The extension contains a sequence of one or more policy statements, each indicating the policy under which the certificate has been issued and identifying the purposes for which the certificate may be used. Presence of this extension in certificates enables an application with specific policy requirements to compare its list of policies to the ones contained in a certificate during its validation; typically, such applications will have a list of policies (which they will accept) and compare the policies in the certificate to their list as a part validating the certificate.

To promote interoperatability, the PKIX standard recommends that the policy statements or information terms should be included in certificates in the form of object identifiers (OIDs). For more information on OIDs, see "Object Identifier". This means, in order for the server to add this extension to any certificate it issues, you need to compose policy statements you want to include in the extension, define OIDs for these policy statements, and configure the server with these OIDs.

When determining whether to add this extension to certificates, keep in mind that if the extension exists in a certificate and if it is marked critical, the application validating the certificate must be able to interpret the extension (including the optional qualifiers, if any), or else it must reject the certificate. For general guidelines on setting the certificate policies extension, see "certificatePolicies" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

The certificate policies extension policy in Certificate Management System enables you to set the extension with the following information:

The name of the your company or organization.

The OID assigned to the policy statement you want to include in the certificate.

A pointer (URI) to the published Certification Practice Statement (CPS).

Any company deploying its own PKI should make a CPS available to anyone who may come across certificates issued by the CA deployed in the PKI. (The reason for this is people outside the company intranet may receive signed email messages from an employee.) To see an example of a CPS, check this site: http://people.netscape.com/shadow/cps.html

A textual user notice (which the application validating the certificate can interpret and display).

During installation, Certificate Management System automatically creates an instance of the certificate policies extension policy. See "CertificatePoliciesExt Rule".

CertificatePoliciesExt Module

The Java class that implements the certificate policies extension policy is as follows:

com.netscape.certsrv.policy.CertificatePoliciesExt

In the CMS configuration file, the module is identified as follows: <subsystem>.Policy.impl.CertificatePoliciesExt.class=com.
netscape.certsrv.policy.CertificatePoliciesExt

where <subsystem> is ca or ra (prefix identifying the subsystem)

In the CMS window, the module is identified as follows: CertificatePoliciesExtPolicy

Figure 18.5 shows how the configurable parameters for the CertificatePoliciesExt module are displayed in the CMS window.

Figure 18.5 Parameters defined in the CertificatePoliciesExt module

The configuration shown in Figure 18.5 creates a policy rule named CertPoliciesExtForClientCert, which enforces a rule that the server should set the certificate policies extension in all client certificates.

Table 18.5 gives details about each of these parameters.

Table 18.5 Description of parameters defined in the CertificatePoliciesExt module


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). If you enable the rule and set the remaining parameters correctly, the server adds the certificate policies extension to certificates specified by the predicate parameter. Uncheck the box to disable the rule. If you disable the rule, the server does not add the extension to certificates; it ignores the values in the remaining fields.
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see "Using Predicates in Policy Rules". Example: HTTP_PARAMS.certType==client
critical	Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate parameter. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).
policyId	Specifies the OID assigned to the policy statement you want to include in the extension. If you specify a valid OID, the server includes the OID in the extension. The policyId, if specified, identifies by number a particular textual statement prepared by your organization (which is specified by the parameter named organizationName, listed next in this table). For example, it might identify the organization as Siroe Corporation and notice number 1.2.3.4.5.6.99. Typically, applications validating the certificate will have a notice file containing the current set of notices for your company; these application will interpret the number in the certificate by extracting the notice text that corresponds to the number from the file and display it to the relying party. Permissible values: A unique, valid OID specified in dot-separated numeric component notation (see the example). Although you can invent your own OIDs for the purposes of evaluating and testing this server, in a production environment, you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs. See "Object Identifier" for information on allocating private OIDs. Example: 2.16.840.1.113730.1.99
organizationName	Specifies the name of the organization that owns the OID or is the owner of the policy statement referenced by the OID. Permissible values: The name of a company or its organizational unit. Example: Siroe Corporation
displayText	Specifies the textual statement to be included in certificates; this parameter corresponds to the explicitText field of the user notice. If you want to embed a textual statement (for example, your company's legal notice) in certificates, then add that statement here. The text you enter here will be displayed to a relying party when the certificate is used or viewed. Note that certain applications may not have the capability to display this text. Also, embedding a policy statement in a certificate increases its size. If you specify values for both policyId and displayText parameters and if the application software cannot locate the notice text indicated by the policyId parameter, then it is supposed to display the embedded notice; otherwise, it's supposed to display the information specified by the policyId parameter. (This feature is application specific and Certificate Management System has no control over it.) Permissible values: A string with up to 200 characters. Example: SiroeCorp's CPS incorp. by reference liab. ltd. (c)97 SiroeCorp
cpsURI	Specifies the location where the Certification Practice Statement published by the CA (that has issued the certificate) can be found. Permissible values: An IA5String value. The PKIX standard recommends that the pointer should be in the form of a URI. Example: http://testCA.siroe.com/CPS_statement

CertificatePoliciesExt Rule

The policy rule named CertificatePoliciesExt is an instance of the CertificatePoliciesExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows:

The rule is disabled; for the rule to be effective, it must be enabled and configured appropriately.

The predicate field is left blank so that the extension gets added to all certificates.

The extension is marked noncritical (to comply with the PKIX recommendation).

Other fields are left blank for you to enter the appropriate information.

For details on individual parameters defined in the rule, see Table 18.5. You need to review this rule and make the changes appropriate for your PKI setup. For instructions, see "Step 2. Modify Existing Policy Rules". Also, if you need to add additional instances, follow the instructions in "Step 4. Add New Policy Rules". For example, if you want to include different policy statements in different types of certificates, you should create multiple instances of the policy module and configure each instance with the appropriate policy OID and predicate expression.

Certificate Renewal Window Extension Policy

The CertificateRenewalWindowExt plug-in module implements the certificate renewal window extension policy. This policy enables you to configure Certificate Management System to add the Certificate Renewal Window Extension to certificates. The extension, which must be noncritical, aids in managing the life cycle of a certificate by specifying a process to follow for renewing a certificate and by defining a time window when automatic renewal of the certificate should be attempted.

Every certificate issued by Certificate Management System has a validity period beyond which it cannot be used. In order to continue to participate in the PKI-using system beyond this validity period, the entity owning the certificate must renew the certificate. Renewal of a certificate essentially means getting a new certificate for the existing key pair with a new validity time period (and updated attributes).

Once a certificate is issued, the owner of the certificate may attempt its renewal any time. To prevent certificate owners from renewing their certificates too often and thus reduce the overhead of processing new certificate requests, the CA can use a policy that restricts the time period when certificate renewal may occur. For example, the CA can use a policy that limits the renewal process to the last few weeks or days of validity of the certificate, thus defining a certificate renewal window. In general, the renewal window must be sufficient for the renewal to occur, but at the same time delay the renewal as long as possible to best utilize a certificate's life time.

The certificate-renewal process is often different than the enrollment process an entity uses to obtain the certificate; this is because the entity already owns a key pair that is associated with his or her identity. For example, in Certificate Management System, the certificate-renewal process for end users is different than the enrollment process they used to obtain the certificate. To renew their certificates, end users go to the certificate-renewal interface of Certificate Management System and submit their original certificates; for details, see "Authentication of End Users During Certificate Renewal".

Because the renewal process requires end users to remember when their certificates expire and renew them before the expiry date, some clients provide built-in support for automated renewal. Inclusion of the certificate renewal window extension in certificates is useful in a PKI setup with such clients; such a setup eliminates the need for the owner of the certificate to manually submit a renewal request to the CA and install the renewed certificate. For example, assume you have deployed clients that can automatically submit certificate-renewal requests to Certificate Management System. If you issue certificates with the certificate renewal window extension to these clients, they can then read this extension for the renewal window and automatically get the certificate renewed from the CA during that window.

For a PKI setup without clients that can handle automated certificate renewals, Certificate Management System enables administrators to easily manage certificate renewals using the following features:

The renewal notification job, which reminds users to renew their certificates before they expire.

The renewal constraints policy, which determines whether expired certificates can be renewed; see "Renewal Constraints Policy".

The renewal validity constraints policy, which controls when users can renew their certificates and what should be the validity period in renewed certificates; see "Renewal Validity Constraints Policy".

Unlike some of the other policy modules, Certificate Management System does not create an instance of the certificate renewal window extension policy during installation. If you want the server to add this extension to certificates, you must create an instance of the CertificateScopeOfUseExt module and configure it (see "Step 4. Add New Policy Rules").

CertificateRenewalWindowExt Module

The Java class that implements the certificate renewal window extension policy is as follows:

com.netscape.certsrv.policy.CertificateRenewalWindowExt

In the CMS configuration file, the module is identified as follows: <subsystem>.Policy.impl.CertificateRenewalWindowExt.class=
com.netscape.certsrv.policy.CertificateRenewalWindowExt

where <subsystem> is ca or ra (prefix identifying the subsystem)

In the CMS window, the module is identified as follows: CertificateRenewalWindowExt

Figure 18.6 shows how the configurable parameters for the CertificateRenewalWindowExt module are displayed in the CMS window.

Figure 18.6 Parameters defined in the CertificateRenewalWindowExt module

The configuration shown in Figure 18.6 creates a policy rule named CertRenewWindowExtForClientCert, which enforces a rule that the server should set the certificate renewal window extension in client certificates only; the renewal window starts 30 days before a certificate expires and ends with certificate expiration.

Table 18.6 gives details about each of these parameters.

Table 18.6 Description of parameters defined in the CertificateRenewalWindowExt module


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). If you enable the rule and set the remaining parameters correctly, the server adds the certificate renewal window extension to certificates specified by the predicate parameter. Uncheck the box to disable the rule. If you disable the rule, the server does not add the extension to certificates; it ignores the values in the remaining fields.
predicate	Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see "Using Predicates in Policy Rules". Example: HTTP_PARAMS.certType==client
critical	Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate parameter. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).
relativeBeginTime	Specifies the first time automatic renewal of certificate that contains the extension should be attempted. Permissible values: 0 or n. 0 specifies that the renewal window begins at the same time the certificate is issued; the beginTime field of the extension will be set to the time of certificate issuance. n specifies a future time for certificate renewal; the beginTime field of the extension will be set to the specified time since certificate issuance. You can specify the time period in seconds, minutes, hours, days, or months. Use the following suffixes to indicate the time unit. s - seconds m - minutes h - hours D - days M - months For example, if you're issuing certificates with a validity period of two years and want the renewal window to begin a month before the certificates expire, and want to specify the interval in months, you would enter 23M in this field. To specify the same validity interval in seconds, you would set the value to 59616000s (23 months x 30 days x 24 hours x 60 minutes x 60 seconds). Example: 23M
relativeEndTime	Specifies the last opportunity for automatic renewal of the certificate that contains this extension. Specifying a value for this parameter is optional; if you leave the field blank, the certificate-using application is expected to use the expiration date (notAfter value) in the certificate. Permissible values: 0 or n. 0 specifies that the renewal window ends at the same time the certificate expires; the endTime field of the extension will be set to the time the certificate expires. n specifies a past or future time, in seconds, by which the certificate must be renewed; the endTime field of the extension will be set to the specified time since certificate issuance. You can specify the time period in seconds, minutes, hours, days, or months. Use the following suffixes to indicate the time unit. s - seconds m - minutes h - hours D - days M - months For example, if you're issuing certificates with a validity period of two years and want the renewal window to end a month after the certificates expire, and want to specify the interval in months, you would enter 25M in this field. On the other hand, if you want the renewal window to end 15 days before certificates expire, then you would set the value to 705D ((23 months x 30 days) + 15 days). Note that if you choose to extend the renewal window afte