B.2. Constraints Reference
B.2.1. Basic Constraints Extension Constraint
Parameter | Description |
---|---|
basicConstraintsCritical | Specifies whether the extension can be marked critical or noncritical. Select true to mark this extension critical; select false to prevent this extension from being marked critical. Selecting a hyphen, -, implies no criticality preference. |
basicConstraintsIsCA | Specifies whether the certificate subject is a CA. Select true to require a value of true for this parameter (is a CA); select false to disallow a value of true for this parameter; select a hyphen, -, to indicate no constraints are placed for this parameter. |
basicConstraintsMinPathLen | Specifies the minimum allowable value of the path length, the number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. The path length limits the number of CA certificates used during certificate validation; the chain starts with the end-entity certificate being validated and moves up. This parameter has no effect if the extension is set in end-entity certificates. The permissible values are 0 or n. The value must be less than the path length specified in the Basic Constraints extension of the CA signing certificate. 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued; only an end-entity certificate may follow in the path. n must be an integer greater than zero and is the minimum number of subordinate CA certificates allowed below the subordinate CA certificate being issued. |
basicConstraintsMaxPathLen | Specifies the maximum allowable value of the path length, the number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. The path length limits the number of CA certificates used during certificate validation; the chain starts with the end-entity certificate being validated and moves up. This parameter has no effect if the extension is set in end-entity certificates. The permissible values are 0 or n. The value must be less than the path length specified in the Basic Constraints extension of the CA signing certificate. 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued; only an end-entity certificate may follow in the path. n must be an integer greater than zero and is the maximum number of subordinate CA certificates allowed below the subordinate CA certificate being issued. If the field is blank, the path length defaults to a value determined by the path length set on the Basic Constraints extension in the issuer's certificate: if the issuer's path length is unlimited, the path length in the subordinate CA certificate is also unlimited; if the issuer's path length is an integer greater than zero, the path length in the subordinate CA certificate is set to one less than the issuer's path length (for example, if the issuer's path length is 4, the subordinate CA certificate's path length is set to 3). |
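The path-length rules in the table above, as an added worked example in Python (this is not Red Hat Certificate System code). The first function derives the default taken when basicConstraintsMaxPathLen is left blank, the second applies the min/max parameters and the "less than the issuer's path length" rule to the path length requested for a new subordinate CA, and the third shows what the value buys at validation time by walking a chain, leaf first as the table describes, and counting the CA certificates below each issuer the way RFC 5280 does. The certificate records are constructed; what happens when the issuer's own path length is 0 and the parameter is blank is not stated on the page and is an assumption here.

```python
"""Path-length checks for the Basic Constraints constraint.

Added example; this is not Red Hat Certificate System code. A certificate is
modelled as a small record carrying only the fields the constraint inspects.
A path length of None stands for "no pathLenConstraint" (unlimited).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNLIMITED = None


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    path_len: Optional[int] = UNLIMITED


def default_path_len(issuer_path_len: Optional[int]) -> Optional[int]:
    """Value taken when basicConstraintsMaxPathLen is blank: unlimited if the
    issuer is unlimited, otherwise one less than the issuer's path length."""
    if issuer_path_len is UNLIMITED:
        return UNLIMITED
    if issuer_path_len <= 0:
        # Not defined on the page; refusing to derive a default is an
        # assumption of this example (the issuer permits no sub-CA at all).
        raise ValueError("issuer's path length 0 permits no subordinate CA")
    return issuer_path_len - 1


def check_sub_ca_path_len(requested: Optional[int],
                          issuer_path_len: Optional[int],
                          min_path_len: Optional[int] = None,
                          max_path_len: Optional[int] = None) -> Tuple[bool, str]:
    """Apply basicConstraintsMinPathLen / basicConstraintsMaxPathLen to the
    path length requested for a new subordinate CA certificate.
    None for min/max means the parameter was left blank."""
    req = float("inf") if requested is UNLIMITED else requested
    # The requested value must be strictly below the issuer's own limit.
    if issuer_path_len is not UNLIMITED and req >= issuer_path_len:
        return False, "path length must be less than the issuer's (%d)" % issuer_path_len
    if max_path_len is None:
        max_path_len = default_path_len(issuer_path_len)
    if min_path_len is not None and req < min_path_len:
        return False, "path length below basicConstraintsMinPathLen=%d" % min_path_len
    if max_path_len is not UNLIMITED and req > max_path_len:
        return False, "path length above basicConstraintsMaxPathLen=%d" % max_path_len
    return True, "ok"


def chain_honours_path_len(chain: List[Cert]) -> bool:
    """chain is ordered leaf first, root last, as the table describes validation.
    Each CA's pathLenConstraint caps the number of non-self-issued CA
    certificates that may follow it in the path (RFC 5280, section 4.2.1.9)."""
    cas = list(reversed(chain))[:-1]            # root first, leaf excluded
    for i, ca in enumerate(cas):
        if not ca.is_ca:
            return False                        # a non-CA cannot issue anything
        if ca.path_len is UNLIMITED:
            continue
        below = [c for c in cas[i + 1:] if c.subject != c.issuer]
        if len(below) > ca.path_len:
            return False                        # one sub-CA too many under this CA
    return True


if __name__ == "__main__":
    root = Cert("Root", "Root", True, 1)
    sub = Cert("Sub", "Root", True, 0)
    leaf = Cert("leaf", "Sub", False)
    print(check_sub_ca_path_len(0, 1), chain_honours_path_len([leaf, sub, root]))
```

The constructed chain Root (path length 1) -> Sub (path length 0) -> leaf validates; give Root a path length of 0, or hang a second sub-CA under Sub, and the walk rejects the chain, which is exactly the property a profile protects by keeping basicConstraintsMaxPathLen below the issuer's value.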
B.2.2. CA Validity Constraint
B.2.3. Extended Key Usage Extension Constraint
Parameter | Description |
---|---|
exKeyUsageCritical | When set to true, the extension must be marked critical; when set to false, the extension must be marked noncritical. |
exKeyUsageOIDs | Specifies the allowable OIDs that identify a key-usage purpose. Multiple OIDs can be added in a comma-separated list. |
B.2.4. Extension Constraint
Parameter | Description |
---|---|
extCritical | Specifies whether the extension can be marked critical or noncritical. Select true to mark the extension critical; select false to mark it noncritical. Select - to enforce no preference. |
extOID | The OID of an extension that must be present in the cert to pass the constraint. |
B.2.5. Key Constraint
With RSA keys, the KeyParameters parameter contains a comma-separated list of legal key sizes; with EC keys, the KeyParameters parameter contains a comma-separated list of available ECC curves.
Parameter | Description |
---|---|
keyType | Gives the key type; this is set to - by default, which uses an RSA key system. The choices are rsa and ec. If a key type is specified that the system does not recognize, the constraint is rejected. |
KeyParameters | Defines the specific key parameters. The parameters which are set for the key differ depending on the value of the keyType parameter: legal key sizes for rsa, curve names for ec. |
B.2.6. Key Usage Extension Constraint
Parameter | Description |
---|---|
keyUsageCritical | Select true to mark this extension critical; select false to mark it noncritical. Select - for no preference. |
keyUsageDigitalSignature | Specifies whether the digitalSignature bit must be set; this bit is used for TLS client certificates and S/MIME signing certificates. Select true to require the bit to be set; select false to keep it from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. |
keyUsageNonRepudiation | Specifies whether the nonRepudiation bit must be set; this bit is used for S/MIME signing certificates. Select true to require the bit to be set; select false to keep it from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. Warning: using this bit is controversial. Carefully consider the legal consequences of its use before setting it for any certificate. |
keyUsageKeyEncipherment | Specifies whether the keyEncipherment bit must be set; this bit is used for TLS server certificates and S/MIME encryption certificates. Select true to require the bit to be set; select false to keep it from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. |
keyUsageDataEncipherment | Specifies whether the dataEncipherment bit must be set; this bit is used when the subject's public key encrypts user data rather than key material. Select true to require the bit to be set; select false to keep it from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. |
keyUsageKeyAgreement | Specifies whether the keyAgreement bit must be set; this bit is used whenever the subject's public key is used for key agreement. Select true to require the bit to be set; select false to keep it from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. |
keyUsageKeyCertSign | Specifies whether the keyCertSign bit must be set; this bit is set for all CA signing certificates. Select true to require the bit to be set; select false to keep it from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. |
keyUsageCrlSign | Specifies whether the cRLSign bit must be set; this bit is set for CA signing certificates that are used to sign CRLs. Select true to require the bit to be set; select false to keep it from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. |
keyUsageEncipherOnly | Specifies whether the encipherOnly bit must be set; this bit indicates that the public key is to be used only for enciphering data during key agreement. If this bit is set, keyUsageKeyAgreement should also be set. Select true to require the bit to be set; select false to keep it from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. |
keyUsageDecipherOnly | Specifies whether the decipherOnly bit must be set; this bit indicates that the public key is to be used only for deciphering data during key agreement. If this bit is set, keyUsageKeyAgreement should also be set. Select true to require the bit to be set; select false to keep it from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. |
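Every parameter in the table above is a tri-state value: true requires the bit, false forbids it, and - expresses no preference, and the same logic is used by the Basic Constraints and Extension constraints earlier on this page. The following added example in Python (not Red Hat Certificate System code) evaluates a Key Usage constraint that way against the bits a request asks for, and adds the RFC 5280 check that encipherOnly and decipherOnly are only meaningful together with keyAgreement. The parameter keys use the spelling found in profile configuration files (keyUsageKeyEncipherment, keyUsageKeyCertSign, keyUsageCrlSign); the profile fragment and request bits are constructed for the example and are not a shipped profile.

```python
"""Tri-state evaluation of the Key Usage constraint.

Added example; not Red Hat Certificate System code. Each parameter takes
"true" (bit must be set), "false" (bit must be clear) or "-" (no preference).
The SERVER_PROFILE fragment below is constructed for the example.
"""
from typing import Dict, List, Optional, Set

# profile parameter -> Key Usage bit it constrains
PARAM_TO_BIT = {
    "keyUsageDigitalSignature": "digitalSignature",
    "keyUsageNonRepudiation": "nonRepudiation",
    "keyUsageKeyEncipherment": "keyEncipherment",
    "keyUsageDataEncipherment": "dataEncipherment",
    "keyUsageKeyAgreement": "keyAgreement",
    "keyUsageKeyCertSign": "keyCertSign",
    "keyUsageCrlSign": "cRLSign",
    "keyUsageEncipherOnly": "encipherOnly",
    "keyUsageDecipherOnly": "decipherOnly",
}


def tristate(value: str) -> Optional[bool]:
    """Parse a "true" / "false" / "-" parameter value; anything else is an error."""
    v = value.strip().lower()
    if v == "true":
        return True
    if v == "false":
        return False
    if v == "-":
        return None
    raise ValueError("bad tri-state value: %r" % value)


def check_key_usage(params: Dict[str, str], critical: bool, bits: Set[str]) -> List[str]:
    """Return the list of violations; an empty list means the request passes.

    params   -- the constraint's parameters as written in the profile
    critical -- whether the request marks the Key Usage extension critical
    bits     -- the Key Usage bits the request asks to have set
    """
    violations = []
    want_critical = tristate(params.get("keyUsageCritical", "-"))
    if want_critical is not None and want_critical != critical:
        violations.append("criticality must be %s" % str(want_critical).lower())
    for param, bit in PARAM_TO_BIT.items():
        want = tristate(params.get(param, "-"))
        if want is None:
            continue                      # "-": no constraint on this bit
        if want != (bit in bits):
            violations.append("%s must be %s" % (bit, "set" if want else "clear"))
    # RFC 5280: encipherOnly / decipherOnly are undefined without keyAgreement
    if ({"encipherOnly", "decipherOnly"} & bits) and "keyAgreement" not in bits:
        violations.append("encipherOnly/decipherOnly require keyAgreement")
    return violations


# Constructed fragment shaped like a TLS server certificate profile: signing
# and key transport required, the CA-only bits explicitly refused so that a
# server profile can never mint a certificate able to sign other certificates.
SERVER_PROFILE = {
    "keyUsageCritical": "true",
    "keyUsageDigitalSignature": "true",
    "keyUsageNonRepudiation": "-",
    "keyUsageKeyEncipherment": "true",
    "keyUsageDataEncipherment": "-",
    "keyUsageKeyAgreement": "-",
    "keyUsageKeyCertSign": "false",
    "keyUsageCrlSign": "false",
    "keyUsageEncipherOnly": "false",
    "keyUsageDecipherOnly": "false",
}

if __name__ == "__main__":
    print(check_key_usage(SERVER_PROFILE, True, {"digitalSignature", "keyEncipherment"}))
    print(check_key_usage(SERVER_PROFILE, True, {"digitalSignature", "keyEncipherment", "keyCertSign"}))
```

The second call is the case worth testing in any profile review: a request that sneaks keyCertSign into a server certificate is rejected only because the profile says false rather than -, so leaving the CA bits at "no preference" in an end-entity profile is a real weakening.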
B.2.7. Netscape Certificate Type Extension Constraint
B.2.8. No Constraint
B.2.9. Renewal Grace Period Constraint
Parameter | Description |
---|---|
renewal.graceAfter | Sets the period, in days, after the certificate expires during which it can still be submitted for renewal. If the certificate has been expired longer than that time, the renewal request is rejected. If no value is given, there is no limit. |
renewal.graceBefore | Sets the period, in days, before the certificate expires that it can be submitted for renewal. If the certificate is not that close to its expiration date, then the renewal request is rejected. If no value is given, there is no limit. |
B.2.10. Signing Algorithm Constraint
Parameter | Description |
---|---|
signingAlgsAllowed | Sets the signing algorithms that can be specified to sign the certificate. The algorithms can be any or all of the following: |
B.2.11. Subject Name Constraint
Parameter | Description |
---|---|
pattern | Specifies a regular expression or other string that the subject DN of the certificate request must match. |
The regular expression for the Subject Name Constraint is matched by the Java facility for matching regular expressions. The format for these regular expressions is described in https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html. This allows wildcards such as asterisks (*) to match any number of the preceding characters and periods (.) to match any single character. Matching is case-sensitive unless the pattern says otherwise (for example, with a leading (?i)).
For example, with the pattern uid=.*, the certificate profile framework checks if the subject name in the certificate request matches the pattern. A subject name like uid=user, o=Example, c=US satisfies the pattern uid=.*. The subject name cn=user, o=example,c=US does not satisfy the pattern. uid=.* means the subject name must begin with the uid attribute; the period-asterisk (.*) wildcard allows any type and number of characters to follow uid.
Another example is .*ou=engineering.*, which requires the ou=engineering attribute with any kind of string before and after it. This matches cn=jdoe,ou=internal,ou=west coast,ou=engineering,o="Example Corp",st=NC as well as uid=bjensen,ou=engineering,dc=example,dc=com.
Multiple patterns can be combined with a pipe (|) between the options. For example, to permit subject names that contain either ou=engineering,ou=people or ou=engineering,o="Example Corp", the pattern is .*ou=engineering,ou=people.*|.*ou=engineering,o="Example Corp".*. Do not put spaces around the pipe: a space is an ordinary character in a regular expression and would become part of each alternative.
Note
To match a character that has a special meaning in regular expressions, such as a period (.), escape the character with a backslash (\). For example, to match the string o="Example Inc.", write it in the pattern as o="Example Inc\.". Left unescaped, the period matches any character, so o="Example Incx" would match as well.
The pattern that is used to build the subject DN can also be based on the CN or UID of the person requesting the certificate. The Subject Name Constraint sets the pattern of the CN (or UID) to recognize in the DN of the certificate request, and then the Subject Name Default builds on that CN to create the subject DN of the certificate, using a predefined directory tree.
```
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,DC=example, DC=com
```
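The pattern examples of this section, worked through as an added example in Python (not Red Hat Certificate System code). The framework matches with java.util.regex; the page's statement that uid=.* requires the subject name to begin with uid implies whole-string matching (Java's Matcher.matches()), so Python's re.fullmatch is used as the closest equivalent. That equivalence, and the simplified substitution of $request.req_subject_name.cn$ in build_subject, are assumptions of this example; the subject names are constructed. The last function chains the serverCertSet constraint and default shown above: the request subject must match the pattern, and the issued subject is then built from the request's CN in the predefined DC=example, DC=com tree.

```python
"""Subject Name Constraint patterns, evaluated as the page describes.

Added example; not Red Hat Certificate System code. Whole-string matching
(re.fullmatch, standing in for Java's Matcher.matches()) and the template
substitution in build_subject are assumptions of this example.
"""
import re
from typing import Optional

SERVER_PATTERN = "CN=[^,]+,.+"
SERVER_DEFAULT_NAME = "CN=$request.req_subject_name.cn$,DC=example, DC=com"


def subject_matches(pattern: str, subject_dn: str) -> bool:
    """True if the whole subject DN matches the profile's pattern."""
    return re.fullmatch(pattern, subject_dn) is not None


def request_cn(subject_dn: str) -> Optional[str]:
    """Pull the first CN value out of a request subject (RDNs separated by commas)."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject_dn, re.IGNORECASE)
    return m.group(1) if m else None


def build_subject(pattern: str, default_name: str, csr_subject: str) -> Optional[str]:
    """Subject Name Constraint followed by Subject Name Default: reject the
    request (None) unless its subject matches the pattern, then build the
    issued subject by substituting the request CN into the default's template."""
    if not subject_matches(pattern, csr_subject):
        return None
    cn = request_cn(csr_subject)
    if cn is None:
        return None
    return default_name.replace("$request.req_subject_name.cn$", cn)


if __name__ == "__main__":
    # Constructed subjects covering the page's examples.
    print(subject_matches("uid=.*", "uid=user, o=Example, c=US"))            # True
    print(subject_matches("uid=.*", "cn=user, o=example,c=US"))              # False
    print(subject_matches(".*ou=Engineering.*",
                          "uid=bjensen,ou=engineering,dc=example,dc=com"))   # False: case matters
    print(build_subject(SERVER_PATTERN, SERVER_DEFAULT_NAME,
                        "CN=www.example.com,O=Example Corp"))
```

Two things the assertions below make visible that the prose only states: spaces around a pipe become literal parts of each alternative and silently stop the pattern from matching anything sensible, and an unescaped period in o="Example Inc." accepts o="Example Incx".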
B.2.12. Unique Key Constraint
Parameter | Description |
---|---|
allowSameKeyRenewal | When set to true, a request whose public key duplicates the key of an already issued certificate is treated as a renewal and accepted if its subject DN matches that certificate; if the public key is a duplicate but the subject DN does not match an existing certificate, the request is rejected. When set to false, any request with a duplicate public key is rejected. |
B.2.13. Unique Subject Name Constraint
Parameter | Description |
---|---|
enableKeyUsageExtensionChecking | Optional setting which allows certificates to have the same subject name as long as their key usage settings are different. This is either true or false. The default is true, which allows duplicate subject names when the key usages differ. |
B.2.14. CMC User-signed Subject Name Constraint
This constraint is used together with the CMCUserSignedSubjectNameDefault.
B.2.15. Validity Constraint
A notBefore parameter that provides a time which has already passed will not be accepted, and a notAfter parameter that provides a time earlier than the notBefore time will not be accepted.
Parameter | Description |
---|---|
range | The range of the validity period. This is an integer which sets the number of days. The difference (in days) between the notBefore time and the notAfter time must be less than the range value, or this constraint will be rejected. |
notBeforeCheck | Verifies that the notBefore time does not lie too far in the future. When this Boolean parameter is set to true, the system checks that the notBefore time is not later than the current time plus the notBeforeGracePeriod value; if it is, this constraint rejects the request. |
notBeforeGracePeriod | The grace period (in seconds) by which the notBefore time may lie beyond the current time. A notBefore time later than the current time plus this value is rejected. This is only checked if the notBeforeCheck parameter is set to true. |
notAfterCheck | Verifies that the notAfter time has not already passed. When this Boolean parameter is set to true, the system checks that the notAfter time is not earlier than the current time; if the current time exceeds the notAfter time, this constraint rejects the request. |
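The date-window checks of the Validity Constraint table above and of the Renewal Grace Period Constraint (B.2.9), as one added worked example in Python (not Red Hat Certificate System code). validity_violations implements the four table parameters (range, notBeforeCheck, notBeforeGracePeriod, notAfterCheck) plus the ordering rule that notAfter must follow notBefore; renewal_in_grace implements renewal.graceBefore and renewal.graceAfter with a blank parameter meaning no limit on that side. The current time is passed in so the checks are reproducible; whether a validity span exactly equal to range is accepted is not stated on the page and treating it as accepted is an assumption here. All dates are constructed.

```python
"""Date-window checks for the Validity and Renewal Grace Period constraints.

Added example; not Red Hat Certificate System code. "now" is a parameter so
the checks can be replayed against a fixed reference time. Accepting a span
exactly equal to `range` is an assumption of this example.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time


def days_from_now(days: int, now: datetime = NOW) -> datetime:
    """Helper for building constructed notBefore/notAfter values."""
    return now + timedelta(days=days)


def validity_violations(not_before: datetime, not_after: datetime, now: datetime,
                        range_days: int,
                        not_before_check: bool = False,
                        not_before_grace_seconds: int = 0,
                        not_after_check: bool = False) -> List[str]:
    """Return the reasons a requested validity period fails the constraint;
    an empty list means it passes."""
    reasons = []
    if not_after <= not_before:
        reasons.append("notAfter is not later than notBefore")
    # range: the requested validity may not be longer than the profile allows
    if not_after - not_before > timedelta(days=range_days):
        reasons.append("validity period exceeds range=%d days" % range_days)
    # notBeforeCheck: notBefore may lie at most notBeforeGracePeriod in the future
    if not_before_check and not_before > now + timedelta(seconds=not_before_grace_seconds):
        reasons.append("notBefore is more than notBeforeGracePeriod in the future")
    # notAfterCheck: refuse to issue a certificate that has already expired
    if not_after_check and not_after < now:
        reasons.append("notAfter is already in the past")
    return reasons


def renewal_in_grace(cert_not_after: datetime, now: datetime,
                     grace_before_days: Optional[int] = None,
                     grace_after_days: Optional[int] = None) -> bool:
    """renewal.graceBefore / renewal.graceAfter: a renewal request is accepted
    only inside the window around the certificate's expiry; None on either
    side means no limit there, as a blank parameter does."""
    if grace_before_days is not None and now < cert_not_after - timedelta(days=grace_before_days):
        return False            # too early: certificate is not close enough to expiry
    if grace_after_days is not None and now > cert_not_after + timedelta(days=grace_after_days):
        return False            # too late: certificate expired longer ago than allowed
    return True


if __name__ == "__main__":
    print(validity_violations(NOW, days_from_now(366), NOW, 365))
    print(validity_violations(days_from_now(2), days_from_now(30), NOW, 365,
                              not_before_check=True, not_before_grace_seconds=3600))
    print(renewal_in_grace(days_from_now(10), NOW, grace_before_days=30, grace_after_days=30))
```

A practical reading of the notBeforeCheck case: with a grace period of one hour, a request that asks to start two days from now is refused, which stops a requester from pre-dating a certificate into a future window where revocation and logging may not yet be watching for it.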