B.2. Constraints Reference
B.2.1. Basic Constraints Extension Constraint
| Parameter | Description | 
|---|---|
| basicConstraintsCritical | Specifies whether the extension can be marked critical or noncritical. Select true to mark this extension critical; select false to prevent this extension from being marked critical. Selecting a hyphen, -, implies no criticality preference. | 
| basicConstraintsIsCA | Specifies whether the certificate subject is a CA. Select true to require a value of true for this parameter (is a CA); select false to disallow a value of true for this parameter; select a hyphen, -, to indicate no constraints are placed for this parameter. | 
| basicConstraintsMinPathLen | Specifies the minimum allowable path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. The path length affects the number of CA certificates used during certificate validation. The chain starts with the end-entity certificate being validated and moves up. This parameter has no effect if the extension is set in end-entity certificates. The permissible values are 0 or n. The value must be less than the path length specified in the Basic Constraints extension of the CA signing certificate. 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued; only an end-entity certificate may follow in the path. n must be an integer greater than zero. This is the minimum number of subordinate CA certificates allowed below the subordinate CA certificate being used. | 
| basicConstraintsMaxPathLen | Specifies the maximum allowable path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. The path length affects the number of CA certificates used during certificate validation. The chain starts with the end-entity certificate being validated and moves up. This parameter has no effect if the extension is set in end-entity certificates. The permissible values are 0 or n. The value must be greater than the path length specified in the Basic Constraints extension of the CA signing certificate. 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued; only an end-entity certificate may follow in the path. n must be an integer greater than zero. This is the maximum number of subordinate CA certificates allowed below the subordinate CA certificate being used. If the field is blank, the path length defaults to a value determined by the path length set on the Basic Constraints extension in the issuer's certificate. If the issuer's path length is unlimited, the path length in the subordinate CA certificate is also unlimited. If the issuer's path length is an integer greater than zero, the path length in the subordinate CA certificate is set to a value one less than the issuer's path length; for example, if the issuer's path length is 4, the path length in the subordinate CA certificate is set to 3. | 
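The path length rules above, worked through as an added example (not Certificate System code): a function that derives the default subordinate path length when basicConstraintsMaxPathLen is left blank, and a chain walker that counts the CA certificates below each CA, from the end entity upward, and checks them against each CA's pathLenConstraint. The ChainCert class and all certificate names are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ChainCert:
    """Stand-in for a certificate's Basic Constraints values (constructed for
    this example; not a Certificate System class)."""
    name: str
    is_ca: bool
    path_len: Optional[int] = None  # None: no pathLenConstraint (unlimited)


def default_sub_ca_path_len(issuer_path_len: Optional[int]) -> Optional[int]:
    """Default applied when basicConstraintsMaxPathLen is blank: an unlimited
    issuer yields an unlimited subordinate; otherwise the subordinate gets one
    less than the issuer (issuer 4 -> subordinate 3)."""
    if issuer_path_len is None:
        return None
    if issuer_path_len < 1:
        # A CA with path length 0 may only be followed by end-entity certs.
        raise ValueError("issuer with path length 0 cannot issue a subordinate CA")
    return issuer_path_len - 1


def validate_path_lengths(chain: List[ChainCert]) -> Tuple[bool, str]:
    """Walk a chain ordered from the end-entity certificate up to the root, as
    the description does, and check each CA's pathLenConstraint against the
    number of CA certificates actually chained below it."""
    if not chain:
        return False, "empty chain"
    for position, cert in enumerate(chain):
        if position == 0:
            continue  # end entity: pathLen has no effect here
        if not cert.is_ca:
            return False, f"{cert.name} issued a certificate but is not a CA"
        # CA certs between this one and the end entity sit at positions 1..position-1
        subordinate_cas = position - 1
        if cert.path_len is not None and subordinate_cas > cert.path_len:
            return False, (f"{cert.name}: {subordinate_cas} subordinate CA(s) "
                           f"exceed pathLen {cert.path_len}")
    return True, "path length constraints satisfied"


if __name__ == "__main__":
    root = ChainCert("Root CA", True, 1)
    sub = ChainCert("Sub CA", True, default_sub_ca_path_len(root.path_len))
    leaf = ChainCert("www.example.com", False)
    print(validate_path_lengths([leaf, sub, root]))
```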
B.2.2. CA Validity Constraint
B.2.3. Extended Key Usage Extension Constraint
| Parameter | Description | 
|---|---|
| exKeyUsageCritical | When set to true, the extension can be marked as critical. When set to false, the extension can be marked noncritical. | 
| exKeyUsageOIDs | Specifies the allowable OIDs that identify a key-usage purpose. Multiple OIDs can be added in a comma-separated list. | 
B.2.4. Extension Constraint
| Parameter | Description | 
|---|---|
| extCritical | Specifies whether the extension can be marked critical or noncritical. Select true to mark the extension critical; select false to mark it noncritical. Select - to enforce no preference. | 
| extOID | The OID of an extension that must be present in the cert to pass the constraint. | 
B.2.5. Key Constraint
The KeyParameters parameter contains a comma-separated list of legal key sizes; with EC keys, the KeyParameters parameter contains a comma-separated list of available ECC curves.
| Parameter | Description | 
|---|---|
| keyType | Gives a key type; this is set to - by default and uses an RSA key system. The choices are rsa and ec. If the key type is specified and not identified by the system, the constraint will be rejected. | 
| KeyParameters | Defines the specific key parameters. The parameters which are set for the key differ, depending on the value of the keyType parameter (meaning, depending on the key type). | 
B.2.6. Key Usage Extension Constraint
| Parameter | Description | 
|---|---|
| keyUsageCritical | Select true to mark this extension critical; select false to mark it noncritical. Select - for no preference. | 
| keyUsageDigitalSignature | Specifies whether to sign TLS client certificates and S/MIME signing certificates. Select true to mark this as set; select false to keep this from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. | 
| keyUsageNonRepudiation | Specifies whether to set S/MIME signing certificates. Select true to mark this as set; select false to keep this from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. Warning: Using this bit is controversial. Carefully consider the legal consequences of its use before setting it for any certificate. | 
| keyUsageKeyEncipherment | Specifies whether to set the extension for TLS server certificates and S/MIME encryption certificates. Select true to mark this as set; select false to keep this from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. | 
| keyUsageDataEncipherment | Specifies whether to set the extension when the subject's public key is used to encrypt user data, instead of key material. Select true to mark this as set; select false to keep this from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. | 
| keyUsageKeyAgreement | Specifies whether to set the extension whenever the subject's public key is used for key agreement. Select true to mark this as set; select false to keep this from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. | 
| keyUsageCertsign | Specifies whether the extension applies for all CA signing certificates. Select true to mark this as set; select false to keep this from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. | 
| keyUsageCRLSign | Specifies whether to set the extension for CA signing certificates that are used to sign CRLs. Select true to mark this as set; select false to keep this from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. | 
| keyUsageEncipherOnly | Specifies whether to set the extension if the public key is to be used only for encrypting data. If this bit is set, keyUsageKeyAgreement should also be set. Select true to mark this as set; select false to keep this from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. | 
| keyUsageDecipherOnly | Specifies whether to set the extension if the public key is to be used only for deciphering data. If this bit is set, keyUsageKeyAgreement should also be set. Select true to mark this as set; select false to keep this from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. | 
B.2.7. Netscape Certificate Type Extension Constraint
B.2.8. No Constraint
B.2.9. Renewal Grace Period Constraint
| Parameter | Description | 
|---|---|
| renewal.graceAfter | Sets the period, in days, after the certificate expires that it can be submitted for renewal. If the certificate has been expired longer than that time, then the renewal request is rejected. If no value is given, there is no limit. | 
| renewal.graceBefore | Sets the period, in days, before the certificate expires that it can be submitted for renewal. If the certificate is not that close to its expiration date, then the renewal request is rejected. If no value is given, there is no limit. | 
B.2.10. Signing Algorithm Constraint
| Parameter | Description | 
|---|---|
| signingAlgsAllowed | Sets the signing algorithms that can be specified to sign the certificate. The algorithms can be any or all of the following: | 
B.2.11. Subject Name Constraint
| Parameter | Description | 
|---|---|
| Pattern | Specifies a regular expression or other string to build the subject DN. | 
The regular expression for the Subject Name Constraint is matched by the Java facility for matching regular expressions. The format for these regular expressions is described in https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html. This allows wildcards such as asterisks (*) to match any number of characters and periods (.) to match any single character.
For example, with the pattern uid=.*, the certificate profile framework checks if the subject name in the certificate request matches the pattern. A subject name like uid=user, o=Example, c=US satisfies the pattern uid=.*. The subject name cn=user, o=example,c=US does not satisfy the pattern. uid=.* means the subject name must begin with the uid attribute; the period-asterisk (.*) wildcards allow any type and number of characters to follow uid.
Another example is .*ou=Engineering.*, which requires the ou=Engineering attribute with any kind of string before and after it. This matches cn=jdoe,ou=internal,ou=west coast,ou=engineering,o="Example Corp",st=NC as well as uid=bjensen,ou=engineering,dc=example,dc=com.
Several alternatives can be allowed by placing a pipe (|) between the options. For example, to permit subject names that contain either ou=engineering,ou=people or ou=engineering,o="Example Corp", the pattern is .*ou=engineering,ou=people.* | .*ou=engineering,o="Example Corp".*.
Note: To match a special character literally, such as a period (.), escape the character with a backslash (\). For example, to search for the string o="Example Inc.", set the pattern to o="Example Inc\.".
The pattern that is used to build the subject DN can also be based on the CN or UID of the person requesting the certificate. The Subject Name Constraint sets the pattern of the CN (or UID) to recognize in the DN of the certificate request, and then the Subject Name Default builds on that CN to create the subject DN of the certificate, using a predefined directory tree.
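The pattern checks described in this section, run as an added example (not Certificate System code) over the subject names quoted above. It assumes the whole DN must match the pattern (Java Matcher.matches() semantics, reproduced here with Python's re.fullmatch) and that attribute values compare case-insensitively, which the ou=Engineering example above relies on; a pattern that is not a valid regular expression rejects the request rather than failing open. Python's re dialect is used in place of java.util.regex; the patterns on this page are compatible with both.

```python
import re
from typing import Tuple

# Patterns taken from the Subject Name Constraint description.
PATTERN_UID = r"uid=.*"
PATTERN_ENGINEERING = r".*ou=Engineering.*"
# Alternatives are joined with |. Whitespace around | would itself have to
# appear in the DN, so none is written here.
PATTERN_EITHER = r'.*ou=engineering,ou=people.*|.*ou=engineering,o="Example Corp".*'
# The period is escaped so it matches a literal "." rather than any character.
PATTERN_ESCAPED_DOT = r'.*o="Example Inc\.".*'


def check_subject_name_constraint(pattern: str, subject_dn: str) -> Tuple[bool, str]:
    """Accept/reject decision for a certificate request's subject DN.

    Assumptions (this example's, not documented behaviour): the entire DN must
    match, and matching is case-insensitive. An invalid pattern in the profile
    rejects the request instead of raising, so a broken profile fails closed."""
    try:
        compiled = re.compile(pattern, re.IGNORECASE)
    except re.error as exc:
        return False, f"invalid pattern in profile: {exc}"
    if compiled.fullmatch(subject_dn) is None:
        return False, f"subject {subject_dn!r} does not match {pattern!r}"
    return True, "subject name accepted"


if __name__ == "__main__":
    # Constructed requests: the DNs quoted in the section plus a rejected one.
    for pattern, dn in [
        (PATTERN_UID, "uid=user, o=Example, c=US"),
        (PATTERN_UID, "cn=user, o=example,c=US"),
        (PATTERN_ENGINEERING, 'cn=jdoe,ou=internal,ou=west coast,ou=engineering,o="Example Corp",st=NC'),
        (PATTERN_ESCAPED_DOT, 'cn=jdoe,o="Example Inc.",c=US'),
    ]:
        print(check_subject_name_constraint(pattern, dn))
```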
B.2.12. Unique Key Constraint
| Parameter | Description | 
|---|---|
| allowSameKeyRenewal | A request is considered a renewal and is accepted if this parameter is set to true, if a public key is not unique, and if the subject DN matches an existing certificate. However, if the public key is a duplicate and does not match an existing Subject DN, the request is rejected. When the parameter is set to false, a duplicate public key request will be rejected. | 
B.2.13. Unique Subject Name Constraint
| Parameter | Description | 
|---|---|
| enableKeyUsageExtensionChecking | Optional setting which allows certificates to have the same subject name as long as their key usage settings are different. This is either true or false. The default is true, which allows duplicate subject names. | 
B.2.14. CMC User-signed Subject Name Constraint
CMCUserSignedSubjectNameDefault.
B.2.15. Validity Constraint
A notBefore parameter that provides a time which has already passed will not be accepted, and a notAfter parameter that provides a time earlier than the notBefore time will not be accepted.
| Parameter | Description | 
|---|---|
| range | The range of the validity period. This is an integer which sets the number of days. The difference (in days) between the notBefore time and the notAfter time must be less than the range value, or this constraint will be rejected. | 
| notBeforeCheck | Verifies that the range is not within the grace period. When the NotBeforeCheckBoolean parameter is set to true, the system will check that the notBefore time is not greater than the current time plus the notBeforeGracePeriod value. If the notBeforeTime is not between the current time and the notBeforeGracePeriod value, this constraint will be rejected. | 
| notBeforeGracePeriod | The grace period (in seconds) after the notBefore time. If the notBeforeTime is not between the current time and the notBeforeGracePeriod value, this constraint will be rejected. This constraint is only checked if the notBeforeCheck parameter has been set to true. | 
| notAfterCheck | Verifies whether the given time is not after the expiration period. When the notAfterCheckBoolean parameter is set to true, the system will check the notAfter time against the current time. If the current time exceeds the notAfter time, this constraint will be rejected. |
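The Validity Constraint parameters above, applied to a requested validity period in an added example (this is one reading of the table's descriptions, not Certificate System code). The current time is passed in explicitly so the decision is reproducible; the range check follows the table literally, so a difference equal to the range is rejected.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple


def check_validity_constraint(not_before: datetime, not_after: datetime, now: datetime,
                              range_days: int, not_before_check: bool = False,
                              not_before_grace_period: int = 0,
                              not_after_check: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason) for a requested notBefore/notAfter pair.
    Parameter names follow the table; grace period is in seconds, range in days."""
    # Intro paragraph: notAfter earlier than notBefore is never accepted.
    if not_after <= not_before:
        return False, "notAfter must be later than notBefore"
    # range: the difference in days must be less than the range value.
    span = not_after - not_before
    if span >= timedelta(days=range_days):
        return False, f"validity of {span.days} days is not less than range {range_days}"
    if not_before_check:
        # notBefore may not already be in the past, and may not lie further ahead
        # than the current time plus notBeforeGracePeriod.
        latest = now + timedelta(seconds=not_before_grace_period)
        if not (now <= not_before <= latest):
            return False, "notBefore is outside [now, now + notBeforeGracePeriod]"
    if not_after_check and now > not_after:
        return False, "notAfter has already passed"
    return True, "validity accepted"


if __name__ == "__main__":
    # Constructed request: a one-year certificate starting now under a 365-day range.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(check_validity_constraint(now, now + timedelta(days=364), now, 365,
                                    not_before_check=True, not_before_grace_period=60,
                                    not_after_check=True))
```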