Using certificate policies
z/OS Cryptographic Services PKI Services Guide and Reference SA23-2286-00
Certificates can contain a CertificatePolicies extension. This extension contains policy information, such as the way in which your CA operates and the intended purpose of the issued certificates. (For more information about this extension, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile at http://www.ietf.org/rfc/rfc5280.txt.) The CertificatePolicies extension contains one or more PolicyInformation sequences. (Typical usage has just one of these.) The PolicyInformation sequence has the following format:

By default, PKI Services does not include this extension in the certificates it creates. However, you can define your own CertificatePolicies extension by modifying fields in the CertPolicy section of the pkiserv.conf configuration file. You can also specify the PolicyRequired value to indicate whether a CertificatePolicies extension should be created for all certificate templates on a global basis or whether one is individually created based on the specifications of each certificate template.
Note: PolicyCritical is ignored unless PolicyRequired=T. When PolicyRequired=F, setting %%Critical=CertPolicies%% in the CONSTANT section of the template will mark the extension critical.
Restriction: When policies are specified within an individual template, the policy data is saved with the request at the time the request is submitted or modified. Therefore, if PKI Services is stopped and restarted to make changes in the policy data before the certificate is issued, the changes will not be reflected in the issued certificate. However, the PolicyRequired=F setting is checked at the time the certificate is issued. Therefore, if PKI Services is stopped and restarted to make changes to the PolicyRequired setting before the certificate is issued, the new setting is used to determine which policy information is used (the global policy data or the data saved with the request).
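
Because the policy data and the PolicyRequired setting are evaluated at different times, it is worth confirming what an issued certificate actually carries. The following added example (not part of the IBM documentation or of PKI Services) decodes one DER-encoded X.509 Extension with the Python standard library and reports whether it is a CertificatePolicies extension, whether it is marked critical, and the policy identifier of each PolicyInformation sequence. The sample bytes and the policy OID 1.2.3.4 are constructed for illustration.

```python
CERT_POLICIES_OID = "2.5.29.32"  # id-ce-certificatePolicies (RFC 5280)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def parse_policy_extension(ext_der):
    """Return (critical, [policy OIDs]), or None for any other extension."""
    tag, ext, _ = read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(ext)
    if tag != 0x06 or decode_oid(oid) != CERT_POLICIES_OID:
        return None
    tag, val, pos = read_tlv(ext, pos)
    critical = False  # BOOLEAN DEFAULT FALSE: DER omits it when not critical
    if tag == 0x01:
        critical = val != b"\x00"
        tag, val, pos = read_tlv(ext, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    _, policies, _ = read_tlv(val)  # SEQUENCE OF PolicyInformation
    oids, pos = [], 0
    while pos < len(policies):
        _, info, pos = read_tlv(policies, pos)  # one PolicyInformation
        oids.append(decode_oid(read_tlv(info)[1]))  # policyIdentifier is first
    return critical, oids
# Constructed samples; 1.2.3.4 is a placeholder policy OID, not a real one.
CRITICAL_EXT = bytes.fromhex("30130603551d200101ff04093007300506032a0304")
PLAIN_EXT = bytes.fromhex("30100603551d2004093007300506032a0304")
```

Calling parse_policy_extension(CRITICAL_EXT) returns the critical flag and the list of policy OIDs; an extension with a different extnID returns None.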
Copyright IBM Corporation 1990, 2014