OCSPNoCheckExt Plug-in ModuleChapter 4 Certificate Extension Plug-in Modules 221OCSPNoCheckExt RuleThe policy rule named OCSPNoCheckExt is an instance of the OCSPNoCheckExtmodule. Certificate Management System automatically creates this rule duringinstallation. By default, the rule is configured as follows:• The rule is enabled.• The predicate expression is set(predicate=HTTP_PARAMS.certType==ocspResponder) so that the extensiongets added to OCSP responder certificates only.• The extension is marked noncritical (to comply with the PKIXrecommendation).For details on individual parameters defined in the rule, see Table 4-21 onpage 221. You need to review this rule and make the changes appropriate for yourPKI setup. For instructions, see section “Step 2. Modify Existing Policy Rules” inChapter 18, “Setting Up Policies” of CMS Installation and Setup Guide. Forinstructions on adding additional instances, see section “Step 4. Add New PolicyRules” in the same chapter.Table 4-21 Description of parameters defined in the OCSPNoCheckExt moduleParameter Descriptionenable Specifies whether the rule is enabled or disabled. Check the box to enable the rule(default). Uncheck the box to disable the rule.• If you enable the rule and set the remaining parameters correctly, the server addsthe OCSP no check extension to certificates specified by the predicateparameter.• If you disable the rule, the server does not add the extension to certificates; itignores the values in the remaining fields.predicate Specifies the predicate expression for this rule. If you want this rule to be applied toall certificate requests, leave the field blank (default). To form a predicate expression,see section “Using Predicates in Policy Rules” in Chapter 18, “Setting Up Policies” ofCMS Installation and Setup Guide.Example: HTTP_PARAMS.certType==ocspRespondercritical Specifies whether the extension should be marked critical or noncritical in certificatesspecified by the predicate parameter. Check the box if you want the server to markthe extension critical. Uncheck the box if you want the server to mark the extensionnoncritical (default).