Chapter 1  Introduction to Certificate Management System
System Overview (page 57)
Policy Plug-in Modules
A policy module is a rule (implemented as a Java class) that validates the contents
of a certificate request and formulates the contents of the certificate to be issued.
Policy modules are also responsible for accepting, rejecting, or deferring the
request. Certificate Management System policies have nothing to do with export
control policies or certificate usage policies.
After a Registration Manager or Certificate Manager has successfully authenticated
an end entity, the entity’s request is passed to a policy processor, which
sequentially applies a set of policy rules configured for that CMS manager. The
processor validates the contents of a certificate request for each rule and can add or
modify any part of a certificate’s contents, including validity dates, name
constraints, and extensions.
Here are three typical examples of the use of policies:
• A name constraints extension policy checks that the subject name matches a pattern, and it rejects, defers, or adjusts the subject name in the request accordingly.
• A validity constraints policy checks that the certificate validity period falls within a specified period, and it rejects, defers, or adjusts the validity period in the request accordingly.
• An extensions policy checks that a request includes a specified extension and adds the extension if it’s missing.
For an introduction to the role of policy modules in the enrollment process, see
“Authentication and Policy Modules” on page 77.
Certificate Management System supports the following constraints-specific policy
modules out of the box. These policies establish rules or constraints that Certificate
Management System must use to evaluate an incoming request. They can be used
with either a Certificate Manager or a Registration Manager.
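The policy processor described above (rules applied in sequence, each able to accept, reject, or defer the request and to rewrite its contents) is easy to misread as a set of independent checks. The following toy model is an added example, not Netscape code and not the CMS plug-in API; its class names, the `apply` method and the `PolicyResult` values are assumptions chosen for illustration. It models the three example policies plus a DSA key-length rule like the DSAKeyConstraints module, and shows that the first rejection or deferral ends processing, so later rules never touch a rejected request.

```python
"""Toy model of a Certificate Management System policy chain.

Added example, not Netscape code: class and method names are assumptions
chosen for illustration and do not reflect the CMS policy plug-in API.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class PolicyResult(Enum):
    ACCEPTED = "accepted"
    REJECTED = "rejected"
    DEFERRED = "deferred"   # held for an agent to approve or reject by hand


@dataclass
class CertRequest:
    """The parts of a request the example policies inspect or rewrite."""
    subject_dn: str
    not_before: datetime
    not_after: datetime
    key_type: str
    key_bits: int
    extensions: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # audit trail of policy decisions


class NameConstraintsPolicy:
    """Rejects a request whose subject DN does not match the configured pattern."""
    def __init__(self, pattern):
        self.pattern = re.compile(pattern)

    def apply(self, req):
        if self.pattern.fullmatch(req.subject_dn):
            return PolicyResult.ACCEPTED
        req.log.append(f"NameConstraints: subject {req.subject_dn!r} rejected")
        return PolicyResult.REJECTED


class ValidityConstraintsPolicy:
    """Shortens an over-long validity period; defers an empty one for review."""
    def __init__(self, max_days):
        self.max_validity = timedelta(days=max_days)

    def apply(self, req):
        if req.not_after <= req.not_before:
            req.log.append("ValidityConstraints: empty validity period, deferred")
            return PolicyResult.DEFERRED
        limit = req.not_before + self.max_validity
        if req.not_after > limit:
            req.log.append(f"ValidityConstraints: notAfter shortened to {limit.date()}")
            req.not_after = limit   # adjust rather than reject
        return PolicyResult.ACCEPTED


class DsaKeyConstraintsPolicy:
    """Certifies DSA keys only at the listed lengths; other key types pass through."""
    def __init__(self, allowed_bits):
        self.allowed_bits = set(allowed_bits)

    def apply(self, req):
        if req.key_type == "DSA" and req.key_bits not in self.allowed_bits:
            req.log.append(f"DSAKeyConstraints: {req.key_bits}-bit DSA key rejected")
            return PolicyResult.REJECTED
        return PolicyResult.ACCEPTED


class ExtensionsPolicy:
    """Adds a required extension with a default value when the request omits it."""
    def __init__(self, name, default_value):
        self.name, self.default_value = name, default_value

    def apply(self, req):
        if self.name not in req.extensions:
            req.extensions[self.name] = self.default_value
            req.log.append(f"Extensions: added missing {self.name}")
        return PolicyResult.ACCEPTED


class PolicyProcessor:
    """Applies the rules in order; the first reject or defer ends processing."""
    def __init__(self, rules):
        self.rules = list(rules)

    def process(self, req):
        for rule in self.rules:
            result = rule.apply(req)
            if result is not PolicyResult.ACCEPTED:
                return result
        return PolicyResult.ACCEPTED


# A processor configured as one organisation's RA might be (constructed values).
NOT_BEFORE = datetime(2002, 5, 1)
PROCESSOR = PolicyProcessor([
    NameConstraintsPolicy(r"CN=[^,]+,OU=[^,]+,O=Example Corp,C=US"),
    ValidityConstraintsPolicy(max_days=730),
    DsaKeyConstraintsPolicy(allowed_bits=[1024, 2048]),
    ExtensionsPolicy("keyUsage", "digitalSignature,keyEncipherment"),
])


def evaluate(subject_dn, days, key_type="RSA", key_bits=2048, extensions=None):
    """Builds a request from the given fields and runs it through PROCESSOR."""
    req = CertRequest(subject_dn, NOT_BEFORE, NOT_BEFORE + timedelta(days=days),
                      key_type, key_bits, dict(extensions or {}))
    return PROCESSOR.process(req), req
```

Calling `evaluate("CN=alice,OU=Eng,O=Example Corp,C=US", 1000)` returns `ACCEPTED` with notAfter cut back to 730 days and a default keyUsage added, whereas a subject outside the permitted name space is rejected by the first rule and leaves the request otherwise untouched. Ordering the rules matters: placing the cheap, hard constraints first means a request that will be rejected anyway is never rewritten.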
Table 1-3  Policy plug-in modules for checking and formulating certificate contents

Plug-in module name          Description
AttributePresentConstraints  Rejects a request if an LDAP attribute is not present in the enrolling user’s directory entry or if the attribute does not have a specified value.
DSAKeyConstraints            Allows the server to certify only DSA keys of specified lengths.
IssuerConstraints            Allows the server to check for certificates that have been issued by a particular CA.
Netscape Certificate Management System Installation and Setup Guide, Version 6.01, May 2002