Using certificate policies

Certificates can contain a CertificatePolicies extension. This extension contains policy information, such as how your CA operates and the intended purpose of the issued certificates. (For more information about this extension, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile at http://www.ietf.org/rfc/rfc5280.txt.)

The CertificatePolicies extension contains one or more PolicyInformation sequences. (Typical usage has just one of these.) The PolicyInformation sequence has the following format:
  • Your Policy OID as registered with the appropriate standards organization (ISO or ITU)
  • Zero or more PolicyQualifiers sequences, each having the following information:
    • Either a Certificate Practices Statement (CPS) URI
    • Or a UserNotice sequence, which consists of one or both of the following text strings:
      • A notice that is intended to be viewed by customers using the certificate, such as copyright or other legal information
      • Your organization's legal name with one or more notice numbers defined elsewhere, perhaps in your CPS
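The structure just listed, as an added example that is not PKI Services code: a small pure-Python DER encoder that builds a CertificatePolicies value with one PolicyInformation (policy OID plus optional CPS URI and UserNotice qualifiers) and wraps it as an X.509 extension, including the critical flag discussed later on this page. The policy OID, organization name, and CPS URL used in the test are constructed placeholders.

```python
# Minimal DER encoder for the CertificatePolicies extension (RFC 5280 section 4.2.1.4).
# Added example, not PKI Services code; identifiers below are the RFC's standard OIDs.
ID_CE_CERTIFICATE_POLICIES = "2.5.29.32"
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"       # qualifier: CPS URI (IA5String)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"   # qualifier: UserNotice

def _tlv(tag, content):
    """Tag-length-value with DER definite-length encoding."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def sequence(*items):
    return _tlv(0x30, b"".join(items))

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs merged, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_integer(n):
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def cps_qualifier(uri):
    """PolicyQualifierInfo carrying a Certificate Practices Statement URI."""
    return sequence(encode_oid(ID_QT_CPS), _tlv(0x16, uri.encode("ascii")))

def user_notice_qualifier(organization=None, notice_numbers=(), explicit_text=None):
    """PolicyQualifierInfo carrying a UserNotice: noticeRef (organization + numbers) and/or explicitText."""
    parts = []
    if organization is not None:   # NoticeReference: organization DisplayText + SEQUENCE OF INTEGER
        parts.append(sequence(_tlv(0x0C, organization.encode("utf-8")),
                              sequence(*(encode_integer(n) for n in notice_numbers))))
    if explicit_text is not None:  # explicitText as a utf8String DisplayText
        parts.append(_tlv(0x0C, explicit_text.encode("utf-8")))
    return sequence(encode_oid(ID_QT_UNOTICE), sequence(*parts))

def certificate_policies(policy_oid, *qualifiers):
    """CertificatePolicies with a single PolicyInformation (the typical case)."""
    info = encode_oid(policy_oid) + (sequence(*qualifiers) if qualifiers else b"")
    return sequence(sequence(info))

def policies_extension(policies_der, critical=False):
    """Wrap as an X.509 Extension; the BOOLEAN is omitted when FALSE (DER DEFAULT rule)."""
    flag = _tlv(0x01, b"\xff") if critical else b""
    return sequence(encode_oid(ID_CE_CERTIFICATE_POLICIES), flag, _tlv(0x04, policies_der))
```

Decode the output with any ASN.1 dumper (for example `openssl asn1parse -inform DER`) to compare it against the extension a real CA emits.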
By default, PKI Services does not include this extension in the certificates it creates. However, you can define your own CertificatePolicies extension by modifying fields in the CertPolicy section of the pkiserv.conf configuration file. You can also specify the PolicyRequired value to indicate whether a CertificatePolicies extension should be created for all certificate templates on a global basis or whether one is individually created based on the specifications of each certificate template.
PolicyRequired=T
Indicates that the CertificatePolicies extension is added to all certificates, and includes all PolicyNamen values (where n is a number) specified in the pkiserv.conf file. Policies that are specified in the CertPolicies input parameter or listed in the CONSTANT section of the template used to generate the certificate are ignored.

See Steps for creating the CertificatePolicies extension on a global basis.

PolicyRequired=F (default)
Indicates that the CertificatePolicies extension is added to certificates only when a certificate policy is specified in the CertPolicies input parameter or in the template when a certificate is requested. If you are implementing the web application using REXX CGI execs, the specification is done in the CONSTANT section of pkiserv.tmpl. If you are using JavaServer Pages (JSPs), the specification is done with the CertPolicies tag in pkitmpl.xml.

See Steps for creating the CertificatePolicies extension on a template basis.

Note: PolicyCritical is ignored unless PolicyRequired=T. When PolicyRequired=F, setting %%Critical=CertPolicies%% in the CONSTANT section of the template marks the extension critical.

Restriction: When policies are specified within an individual template, the policy data is saved with the request at the time the request is submitted or modified. Therefore, if PKI Services is stopped and restarted to change the policy data before the certificate is issued, the changes are not reflected in the issued certificate. However, the PolicyRequired=F setting is checked at the time the certificate is issued. Therefore, if PKI Services is stopped and restarted to change the PolicyRequired setting before the certificate is issued, the new setting is used to determine which policy information is used (the global policy data or the data saved with the request).