z/OS Cryptographic Services PKI Services Guide and Reference


Certificate policies

SA23-2286-00

PKITP supports CA and server application-defined certificate policies. CAs can and, in most cases, do establish their own policies for issuing certificates. These policies are declared within issued certificates through the CertificatePolicies extension. When this extension exists and is not marked critical, the extension is for informational purposes only, for example, specifying the URL for locating the CA's certificate practice statement (CPS). When this extension exists and is marked critical, the policies identified in the extension restrict the use of the certificate. These restrictions apply to subordinate CA certificates and to end-entity certificates. (For information about how PKI Services supports the CertificatePolicies extension, see Using certificate policies.)

Similarly, a server application can be a general application that wishes to verify certificates for no specific policy or can be an application that was written for a specific purpose and wishes to verify certificates issued for that purpose (policy).

If the server application specifies an explicit set of policies, then at least one of these policies must be present in each certificate of the certification path (chain). Additionally, PKITP extracts the certificate policies marked critical from each certificate in the chain to determine the intersection, that is, only policies listed in every critically marked CertificatePolicies extension are retained. The server application must indicate that it supports at least one of these policies. If any of these tests is unsuccessful, certificate validation fails.
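The two policy tests described above, modelled as an added example that is not PKITP's own code or API. Certificates are constructed records with placeholder policy OIDs, and a general application that declares no policies is modelled as an empty set (an assumption), so it fails the intersection test whenever the chain carries a critical CertificatePolicies extension.

```python
from dataclasses import dataclass, field

# Constructed model of a certificate's CertificatePolicies extension (not a z/OS object).
@dataclass
class Cert:
    subject: str
    policies: frozenset = field(default_factory=frozenset)  # policy OIDs in the extension
    critical: bool = False                                   # extension marked critical?

def validate_chain_policies(chain, app_policies):
    """Apply the policy tests to a certification path.

    chain        -- list of Cert from end entity up to the root
    app_policies -- set of policy OIDs the server application supports;
                    an empty set models a general application (assumption)
    Returns (ok, reason).
    """
    # Test 1: an explicit application policy set must be matched by every certificate.
    if app_policies:
        for cert in chain:
            if not (cert.policies & app_policies):
                return False, f"{cert.subject} carries none of the application's policies"
    # Test 2: intersect the critically marked extensions; only common policies are retained,
    # and the application must support at least one of them.
    critical_sets = [cert.policies for cert in chain if cert.critical]
    if critical_sets:
        retained = frozenset.intersection(*critical_sets)
        if not retained:
            return False, "critical CertificatePolicies extensions have no policy in common"
        if not (retained & app_policies):
            return False, "application supports none of the retained critical policies"
    return True, "ok"

# Constructed chain with placeholder OIDs: root (informational), subordinate CA and
# end entity (both critical). Only 1.2.3.1 survives the intersection.
ROOT = Cert("CN=Example Root CA", frozenset({"1.2.3.1", "1.2.3.2"}), critical=False)
SUB_CA = Cert("CN=Example Sub CA", frozenset({"1.2.3.1", "1.2.3.2"}), critical=True)
LEAF = Cert("CN=server.example", frozenset({"1.2.3.1"}), critical=True)
CHAIN = [LEAF, SUB_CA, ROOT]

if __name__ == "__main__":
    for app in (set(), {"1.2.3.1"}, {"1.2.3.2"}):
        print(sorted(app), validate_chain_policies(CHAIN, app))
```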





Copyright IBM Corporation 1990, 2014