Netscape Certificate Management System Plug-Ins Guide • March 2002

• The path length field (maxPathLen) is left blank so that it defaults to a value that is determined by the path length set on the Basic Constraints extension in the issuer’s certificate.

For details on individual parameters defined in the rule, see Table 4-4 on page 146.

You need to review this rule and make the changes appropriate for your PKI setup. For instructions, see section “Step 2. Modify Existing Policy Rules” in Chapter 18, “Setting Up Policies” of CMS Installation and Setup Guide. For instructions on adding additional instances, see section “Step 4. Add New Policy Rules” in the same chapter.

CertificatePoliciesExt Plug-in Module

The CertificatePoliciesExt plug-in module implements the certificate policies extension policy. This policy enables you to configure Certificate Management System to add the Certificate Policies Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in certificates. The extension contains a sequence of one or more policy statements, each indicating the policy under which the certificate has been issued and identifying the purposes for which the certificate may be used. Presence of this extension in certificates enables an application with specific policy requirements to compare its list of policies to the ones contained in a certificate during its validation; typically, such applications will have a list of policies (which they will accept) and compare the policies in the certificate to their list as part of validating the certificate.

To promote interoperability, the PKIX standard recommends that the policy statements or information terms should be included in certificates in the form of object identifiers (OIDs). For more information on OIDs, see Appendix B, “Object Identifiers.” This means, in order for the server to add this extension to any certificate it issues, you need to compose policy statements you want to include in the extension, define OIDs for these policy statements, and configure the server with these OIDs.

When determining whether to add this extension to certificates, keep in mind that if the extension exists in a certificate and if it is marked critical, the application validating the certificate must be able to interpret the extension (including the optional qualifiers, if any), or else it must reject the certificate. For general guidelines on setting the certificate policies extension, see “certificatePolicies” on page 342.
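The acceptance rule described above, as an added example that is not part of the guide or of CMS: a minimal Python check that decodes a DER-encoded certificatePolicies value, rejects a critical extension carrying a qualifier it does not understand, and otherwise compares the policy OIDs with the application's own list. The policy and qualifier OIDs under 2.999 and the sample byte strings are constructed for illustration; policy mappings and anyPolicy handling are out of scope.

```python
# Added example (not CMS code). Qualifier ids this checker understands: id-qt-cps, id-qt-unotice.
KNOWN_QUALIFIERS = {"1.3.6.1.5.5.7.2.1", "1.3.6.1.5.5.7.2.2"}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each element nested in value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(body):  # OID content octets -> dotted-decimal text
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_policies(der):  # -> [(policy_oid, [qualifier_oid, ...]), ...]
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    out = []
    for _, info in children(seq):
        parts = list(children(info))        # [policy OID, optional qualifiers]
        quals = [decode_oid(next(children(q))[1])
                 for _, q in children(parts[1][1])] if len(parts) > 1 else []
        out.append((decode_oid(parts[0][1]), quals))
    return out

def accept(der, critical, acceptable):  # True if the certificate passes the policy check
    policies = parse_policies(der)
    if critical and any(q not in KNOWN_QUALIFIERS for _, qs in policies for q in qs):
        return False                        # critical but not fully interpretable
    return any(oid in acceptable for oid, _ in policies)

# Constructed samples: policy 2.999.1 with a CPS qualifier, then with unknown qualifier 2.999.9
WITH_CPS = bytes.fromhex("301e301c06038837013015301306082b06010505070201160775726e3a637073")
WITH_UNKNOWN = bytes.fromhex("3012301006038837013009300706038837090500")
```

Calling `accept(WITH_UNKNOWN, True, {"2.999.1"})` rejects the certificate even though the policy OID is on the list, because the extension is critical and carries a qualifier the checker cannot interpret.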