z/OS Cryptographic Services PKI Services Guide and Reference
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Steps for creating the CertificatePolicies extension on a template basis

z/OS Cryptographic Services PKI Services Guide and Reference
SA23-2286-00

Perform the following steps to create your own CertificatePolicies extension on an individual template basis:

  1. Edit the pkiserv.conf configuration file and find the CertPolicy section.

    _______________________________________________________________

  2. Change the value of PolicyRequired to F (False) as in the following line:
    PolicyRequired=F

    _______________________________________________________________

  3. Follow steps 4 through 7 in Steps for creating the CertificatePolicies extension on a global basis to create the individual policies you need.

    _______________________________________________________________

  4. Update the certificate template to specify the CertificatePolicies extensions that are to be created for it.
    • If you are implementing the Web application using REXX CGI execs: Edit pkiserv.tmpl and customize the CONSTANT subsection under the certificate template for which you need CertificatePolicies extensions.
      For example, if you have specified values for PolicyName1, PolicyName3, and PolicyName6 in pkiserv.conf, then you can specify the certificate policies in pkiserv.tmpl in the following ways:
      %%CertPolicies=3%%
 or
%%CertPolicies=3 6%%
 or
%%CertPolicies=1 3 6%%
      If you want to make the CertPolicies extension critical, specify the following in the CONSTANT section: 
      %%Critical=CertPolicies%%
    • If you are implementing the Web application using Java™ server pages (JSPs): Edit pkitmpl.xml and customize the section for the certificate template for which you need CertificatePolicies extensions.
      For example, if you have specified values for PolicyName1, PolicyName3, and Place-name in pkiserv.conf, then you can specify the certificate policies in pkitmpl.xml in the following ways:
      <tns:CertPolicies>3</tns:CertPolicies>
 or
<tns:CertPolicies>3 6</tns:CertPolicies>
or
<tns:CertPolicies>1 3 6</tns:CertPolicies>
      If you want to make the CertPolicies extension critical, specify the following tag in the certificate template section: 
      <tns:Critical>CertPolicies</tns:Critical>

    Rule: The policy numbers in the template file must exist in the pkiserv.conf file. For each template, you can choose a different subset of these numbers.

    _______________________________________________________________

  5. If you made any changes to the PKI Services configuration, stop and restart PKI Services to activate the changes.

    _______________________________________________________________

Parent topic: Using certificate policies

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014