Chapter 7 CRL Extension Plug-in Modules 289

InvalidityDate Rule

The InvalidityDate rule enables you to configure a Certificate Manager to set the Invalidity Date Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. The extension is a non-critical CRL entry extension that is used to specify the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid.

For general guidelines on setting the invalidity date extension in CRL entries, see “invalidityDate” on page 366.

Table 7-6 Description of parameters defined in the HoldInstruction rule

Parameter    Description

enable
    Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default).
    • If you enable the rule and set the remaining parameters correctly, the server sets the Hold Instruction extension in CRLs.
    • If you disable the rule, the server does not add the extension to CRLs; it ignores the values in the remaining fields.

critical
    Specifies whether the extension should be marked critical or noncritical in CRLs issued by the server. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).

instruction
    Specifies the action a validating application must take when it encounters a certificate that has been put on hold.
    Permissible values: none, callissuer, or reject.
    • none specifies that the validating application need not do anything; the PKIX standard says that this is semantically equivalent to the absence of a holdInstructionCode (default).
    • callissuer specifies that the validating application must call the CA that has issued the certificate or reject the certificate.
    • reject specifies that the validating application must reject the certificate on hold.
    Example: none
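To check what a validating application actually sees once these rules are enabled, the following added example (not part of the original manual or the Certificate Manager code) decodes the holdInstructionCode and invalidityDate CRL entry extensions from their DER encoding as defined in RFC 2459. The function names `tlv`, `oid` and `entry_extensions` are hypothetical, and the `SAMPLE` bytes are constructed for illustration.

```python
# Added example (not from the manual): decode CRL entry extensions with a small DER reader.
from datetime import datetime, timezone

HOLD = {"1.2.840.10040.2.1": "none",        # hold instruction OIDs from RFC 2459
        "1.2.840.10040.2.2": "callissuer",
        "1.2.840.10040.2.3": "reject"}

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def entry_extensions(der):
    """Parse a crlEntryExtensions SEQUENCE into {name: (critical, value)}."""
    out, pos = {}, 0
    _, body, _ = tlv(der)
    while pos < len(body):
        _, ext, pos = tlv(body, pos)
        _, v, p = tlv(ext)                   # extnID
        ext_id = oid(v)
        t, v, p = tlv(ext, p)
        critical = False                     # DEFAULT FALSE when absent
        if t == 0x01:                        # optional BOOLEAN critical
            critical = v != b"\x00"
            _, v, p = tlv(ext, p)
        _, inner, _ = tlv(v)                 # extnValue OCTET STRING wraps DER
        if ext_id == "2.5.29.23":            # holdInstructionCode
            out["holdInstructionCode"] = (critical, HOLD.get(oid(inner), "unknown"))
        elif ext_id == "2.5.29.24":          # invalidityDate (GeneralizedTime)
            when = datetime.strptime(inner.decode("ascii"), "%Y%m%d%H%M%SZ")
            out["invalidityDate"] = (critical, when.replace(tzinfo=timezone.utc))
    return out

# Constructed sample: one entry with hold instruction "reject" and an invalidity date.
SAMPLE = bytes.fromhex("302c30100603551d17040906072a8648ce380203"
                       "30180603551d180411180f") + b"20020115120000Z"
```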