Using certificate policies
Certificates can contain a CertificatePolicies extension. This extension contains policy information, such as how your CA operates and the intended purpose of the issued certificates. (For more information about this extension, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile at http://www.ietf.org/rfc/rfc5280.txt.) Each policy in the extension consists of the following information:
- Your Policy OID as registered with the appropriate standards organization (ISO or ITU)
- Zero or more PolicyQualifiers sequences, each having the following information:
  - Either a Certificate Practices Statement (CPS) URI
  - Or a UserNotice sequence, which consists of one or both of the following text strings:
    - A notice that is intended to be viewed by customers using the certificate, such as copyright or other legal information
    - Your organization's legal name with one or more notice numbers defined elsewhere, perhaps in your CPS.
The PolicyRequired setting in the pkiserv.conf file controls when PKI Services adds the extension:
- PolicyRequired=T
  Indicates that the CertificatePolicies extension is added to all certificates, and includes all PolicyNamen values specified in the pkiserv.conf file. Policies that are specified in the CertPolicies input parameter or listed in the CONSTANT section of the template used to generate the certificate are ignored. See Steps for creating the CertificatePolicies extension on a global basis.
- PolicyRequired=F (default)
  Indicates that the CertificatePolicies extension is added to certificates only when a certificate policy is specified in the CertPolicies input parameter or in the template when a certificate is requested. If you are implementing the web application using REXX CGI execs, the specification is done in the CONSTANT section of pkiserv.tmpl. If you are using JavaServer Pages (JSPs), the specification is done with the CertPolicies tag in pkitmpl.xml. See Steps for creating the CertificatePolicies extension on a template basis.
Restriction: When policies are specified within an individual template, the policy data is saved with the request at the time the request is submitted or modified. Therefore, if PKI Services is stopped and restarted to make changes in the policy data before the certificate is issued, the changes are not reflected in the issued certificate. However, the PolicyRequired=F setting is checked at the time the certificate is issued. Therefore, if PKI Services is stopped and restarted to make changes to the PolicyRequired setting before the certificate is issued, the new setting is used to determine which policy information is used (the global policy data or the data saved with the request).