z/OS Cryptographic Services PKI Services Guide and Reference


Steps for creating the CertificatePolicies extension on a global basis

SA23-2286-00

Perform the following steps to create your own CertificatePolicies extension on a global basis:
  1. Edit the pkiserv.conf configuration file and find the CertPolicy section.

    _______________________________________________________________

  2. Change the value of PolicyRequired to T (True) as in the following line:
    PolicyRequired=T 

    _______________________________________________________________

  3. If you want to have the extension marked critical (this is not suggested), set PolicyCritical to T (True) as in the following line:
    PolicyCritical=T 

    _______________________________________________________________

  4. Go to the OIDs section of the pkiserv.conf configuration file. By default (as shown in the following example), the name is MyPolicy and the value is 1.2.3.4. The value of MyPolicy should be an installation-specific (registered) Object ID identifying your organization's certificate. Replace the value of MyPolicy in the following line with your Object ID.
    Example:
    [OIDs] 
    MyPolicy=1.2.3.4
    Optionally, change the parameter name MyPolicy to your own installation-specific name. If you change the parameter name in this step, make a note of it. You need it for the next step. You can repeat the MyPolicy parameter using unique names and values if you need to define multiple policies.
    Example:
    MyPolicy=1.2.3.4
    MyOtherPolicy=2.3.4.5

    _______________________________________________________________

  5. If you changed the parameter name MyPolicy in the previous step, go back to the CertPolicy section and update the PolicyName1 line to change the MyPolicy parameter to the policy name you specified in the OIDs section:
    [CertPolicy]
    PolicyName1=MyPolicy

    _______________________________________________________________

  6. If you want to add qualifiers, perform the following steps:
    1. Uncomment the following lines by removing the "#" characters and update the Policy1Org and Policy1Noticen fields:
      #Policy1Org=MyOrganization
      #Policy1Notice1=3
      #Policy1Notice2=17
      Policy1Org
        Your organization's name, for example, International Business Machines, Inc.
      Policy1Notice1 through Policy1Noticen
        Your notice numbers. (You might need more than one Policy1Noticen line, depending on how many notice numbers you have. Repeat the line as needed, by incrementing the suffix number on the keyword, for example Policy1Notice1, Policy1Notice2, and so forth.)
    2. Change the value of the UserNoticeText1 line shown in the following sample. The statement should be your notice text string, for example, Certificate for IBM internal use only. It cannot be longer than 200 characters, and must not contain embedded control characters (such as tab, carriage return, and line feed).
      UserNoticeText1=statement
      Note: Starting in z/OS® V2R1, PKI Services encodes the UserNoticeText1 data as a UTF8String. In earlier releases it was encoded as a VisibleString, which is not allowed by RFC 5280.
    3. Change the value of the CPS1 line shown in the following sample. The value should be your CPS URI, for example, http://www.ibm.com/cps.html.
      CPS1=http://www.mycompany.com/cps.html

    If you do not want to add qualifiers, delete or comment out (by inserting a # character at the start of the line) the preceding lines.

    _______________________________________________________________

  7. If you need multiple qualifiers, repeat the following fields as needed, incrementing the suffix numbers, for example:
    PolicyName2=MyOtherPolicy
    Policy2Org=International Business Machines, Inc.
    Policy2Notice1=5
    Policy2Notice2=9
    UserNoticeText2=Certificate is intended for testing only
    CPS2=http://www.ibm.com/cps2.html

    _______________________________________________________________

  8. If you made any changes to the PKI Services configuration, stop and restart PKI Services to activate the changes.

    _______________________________________________________________
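The checks implied by steps 2 through 7 can be run against the file before PKI Services is restarted. The following is an added example, not IBM-supplied code: the function names parse_conf and check_cert_policy and the sample text are constructed here, and the parser assumes only the [Section] and key=value layout shown on this page.

```python
import re

# Constructed sample modelled on this page's examples (not a real installation's file).
SAMPLE = """\
[OIDs]
MyPolicy=1.2.3.4
[CertPolicy]
PolicyRequired=T
PolicyCritical=T
PolicyName1=MyPolicy
PolicyName2=MyOtherPolicy
UserNoticeText1=Certificate for\tinternal use only
"""

def parse_conf(text):
    """Read [Section] headers and key=value lines; lines starting with # are skipped."""
    conf, section = {}, None
    for raw in text.split("\n"):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif section is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            section[key.strip()] = value.strip()
    return conf

def check_cert_policy(conf):
    """Return findings for the CertPolicy and OIDs sections, following the steps above."""
    findings = []
    oids, pol = conf.get("OIDs", {}), conf.get("CertPolicy", {})
    if pol.get("PolicyRequired") != "T":  # value as shown in step 2
        findings.append("PolicyRequired is not T")
    if pol.get("PolicyCritical") == "T":
        findings.append("PolicyCritical=T (marking the extension critical is not suggested)")
    for key, value in pol.items():
        if re.fullmatch(r"PolicyName\d+", key):
            if value not in oids:
                findings.append(f"{key}={value} has no matching name in [OIDs]")
            elif oids[value] == "1.2.3.4":
                findings.append(f"{value} still has the default OID 1.2.3.4")
        elif re.fullmatch(r"UserNoticeText\d+", key):
            if len(value) > 200:
                findings.append(f"{key} is longer than 200 characters")
            if any(ord(c) < 32 or ord(c) == 127 for c in value):
                findings.append(f"{key} contains a control character")
    return findings

if __name__ == "__main__":
    print("\n".join(check_cert_policy(parse_conf(SAMPLE))))
```
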





Copyright IBM Corporation 1990, 2014