Perform the following steps to create your own CertificatePolicies
extension on a global basis:
- Edit the pkiserv.conf configuration file and
find the CertPolicy section.
_______________________________________________________________
- Change the value of PolicyRequired to T (True)
as in the following line:
PolicyRequired=T
_______________________________________________________________
- If you want to have the extension marked critical (this is not
suggested), set the PolicyCritical equal to T (True)
as in the following line:
PolicyCritical=T
_______________________________________________________________
- Go to the OIDs section of the pkiserv.conf configuration
file. By default (as shown in the following example), the parameter name is MyPolicy and
its value is 1.2.3.4. The value of MyPolicy should be
an installation-specific (registered) Object ID identifying your organization's
certificate. Replace the value of MyPolicy in the following line with
your Object ID.
Example:
[OIDs]
MyPolicy=1.2.3.4
Optionally, change the parameter name MyPolicy to
your own installation-specific name. If you change the parameter name
in this step, make a note of it. You need it for the next step. You
can repeat the MyPolicy parameter using unique names
and values if you need to define multiple policies.
Example:
MyPolicy=1.2.3.4
MyOtherPolicy=2.3.4.5
_______________________________________________________________
- If you changed the parameter name MyPolicy in
the previous step, go back to the CertPolicy section and update
the PolicyName1 line to change the MyPolicy parameter
to the policy name you specified in the OIDs section:
[CertPolicy]
PolicyName1=MyPolicy
_______________________________________________________________
- If you want to add qualifiers, perform the following steps:
  - Uncomment the following lines by removing the "#" characters
    and update the Policy1Org and Policy1Noticen fields:
    #Policy1Org=MyOrganization
    #Policy1Notice1=3
    #Policy1Notice2=17
    - Policy1Org
      Your organization's name, for example, International Business
      Machines, Inc.
    - Policy1Notice1 through Policy1Noticen
      Your notice numbers. (You might need more than one Policy1Noticen line,
      depending on how many notice numbers you have. Repeat the line as
      needed, by incrementing the suffix number on the keyword, for example
      Policy1Notice1, Policy1Notice2, and so forth.)
  - Change the value of the UserNoticeText1 line shown in the following sample. The statement should be
    your notice text string, for example, Certificate for IBM
    internal use only. It cannot be longer than
    200 characters, and must not contain imbedded control characters (such
    as tab, carriage return, and line feed).
    UserNoticeText1=statement
    Note: Starting in z/OS® V2R1,
    PKI Services encodes the UserNoticeText1 data as a UTF8String. In
    earlier releases it was encoded as a VisibleString, which is not allowed
    by RFC 5280.
  - Change the value of the CPS1 line shown in the following sample. The value should be your CPS URI, for example, http://www.ibm.com/cps.html.
    CPS1=http://www.mycompany.com/cps.html
  If you do not want to add qualifiers, delete or comment out
  (by inserting a # character at the start of the line) the preceding
  lines.
_______________________________________________________________
- If you need multiple qualifiers, repeat the following
fields as needed, incrementing the suffix numbers, for example:
PolicyName2=MyOtherPolicy
Policy2Org=International Business Machines, Inc.
Policy2Notice1=5
Policy2Notice2=9
UserNoticeText2=Certificate is intended for testing only
CPS2=http://www.ibm.com/cps2.html
_______________________________________________________________
- If you made any changes to the PKI Services configuration,
stop and restart PKI Services to
activate the changes.
_______________________________________________________________
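The following pre-restart check is an added example, not part of the original procedure or of PKI Services. It lints the [OIDs] and [CertPolicy] sections against the rules stated in the steps above, assuming the file consists only of [Section] headers, key=value lines and # comments; the function names parse and check_cert_policy are hypothetical.

```python
import re

# Constructed sample fragment (not a real installation); \t is an embedded tab.
SAMPLE = """\
[OIDs]
MyPolicy=1.2.3.4
[CertPolicy]
PolicyRequired=T
PolicyCritical=T
PolicyName1=MyPolicy
Policy1Org=MyOrganization
UserNoticeText1=Certificate for\tinternal use only
CPS1=http://www.mycompany.com/cps.html
PolicyName2=MyOtherPolicy
"""

def parse(text):
    """Minimal parser (assumed syntax): [Section], key=value, '#' comments."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_cert_policy(text):
    """Return findings for the constraints stated in the procedure."""
    conf = parse(text)
    oids, pol = conf.get("OIDs", {}), conf.get("CertPolicy", {})
    findings = []
    if pol.get("PolicyCritical") == "T":
        findings.append("PolicyCritical=T: marking the extension critical is not suggested")
    for key, value in pol.items():
        if re.fullmatch(r"PolicyName\d+", key):
            oid = oids.get(value)  # each PolicyNameN must name an [OIDs] entry
            if oid is None:
                findings.append(f"{key}={value}: no such name in [OIDs]")
            elif not re.fullmatch(r"\d+(\.\d+)+", oid):
                findings.append(f"{value}={oid}: not a dotted-decimal OID")
        elif re.fullmatch(r"UserNoticeText\d+", key):
            if len(value) > 200:
                findings.append(f"{key}: longer than 200 characters")
            if any(ord(c) < 32 or ord(c) == 127 for c in value):
                findings.append(f"{key}: contains a control character")
    return findings
```

Calling check_cert_policy(SAMPLE) returns three findings: the critical flag, the tab inside UserNoticeText1, and PolicyName2 pointing at a name that [OIDs] does not define.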