Chapter 4 Certificate Extension Plug-in Modules 199

CRLSignCertKeyUsageExt

The policy rule named CrlSignCertKeyUsageExt is an instance of the KeyUsageExt module. This rule is for setting the appropriate key-usage bits in a CRL signing certificate. By default, the rule is configured as follows:

• The rule is enabled.
• The predicate expression (predicate=HTTP_PARAMS.certType==caCrlSigning) ensures that the rule is applied to only CRL signing certificate requests.
• The server is configured to set the cRLSign bit in CRL signing certificates.

NameConstraintsExt Plug-in Module

The NameConstraintsExt plug-in module implements the name constraints extension policy. This policy enables you to configure Certificate Management System to add the Name Constraints Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension is used in CA certificates to indicate a name space within which subject names or subject alternative names in subsequent certificates in a certification path or chain should be located.

Various standards describe how the name constraints extension should be processed during certificate verification. It’s beyond the scope of this document to explain this. For general guidelines on setting the name constraints extension in certificates, see “nameConstraints” on page 350.

The policy implemented in Certificate Management System allows setting of the name constraints extension in any form as defined in its X.509 definition; the policy enables you to specify the number of subtrees permitted and excluded in the extension. It is up to applications to process the extension as described in the standards.

During installation, Certificate Management System automatically creates an instance of the name constraints extension policy. See “NameConstraintsExt Rule” on page 207.
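Because the permitted and excluded subtrees described above are left for relying applications to enforce, the following added example (not part of the original manual and not Certificate Management System code) shows how a verifier can test dNSName entries against them. It assumes the dNSName matching rule of RFC 5280 (the successor to RFC 2459), section 4.2.1.10; all function names and sample names are constructed for illustration.

```python
# Added example: dNSName checks against name-constraint subtrees.
# Assumption: RFC 5280 section 4.2.1.10 semantics. A name is inside a subtree
# when it equals the base or adds whole labels to its left, an excluded match
# always wins, and a non-empty permitted list must be matched.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def in_subtree(name, base):
    """True if `name` equals `base` or extends it by whole labels on the left."""
    n, b = _labels(name), _labels(base)
    # Comparing whole labels stops "bigcorp.example.com" from matching
    # "corp.example.com", which a plain string suffix test would accept.
    return len(n) >= len(b) and n[len(n) - len(b):] == b


def dns_name_allowed(name, permitted, excluded):
    """Apply excluded subtrees first, then permitted subtrees."""
    if any(in_subtree(name, base) for base in excluded):
        return False
    if permitted:
        return any(in_subtree(name, base) for base in permitted)
    return True  # no permitted dNSName subtrees: unrestricted unless excluded


def violations(names, permitted, excluded):
    """Return the names that fall outside the constraints (empty = acceptable)."""
    return [n for n in names if not dns_name_allowed(n, permitted, excluded)]


# Constructed sample: subtrees from a hypothetical CA certificate and the
# subject alternative names of a certificate issued beneath it.
PERMITTED = ["corp.example.com"]
EXCLUDED = ["lab.corp.example.com"]
SAN_DNS_NAMES = [
    "www.corp.example.com",       # inside the permitted subtree
    "corp.example.com",           # the base itself (zero labels added)
    "build.lab.corp.example.com", # inside the excluded subtree
    "bigcorp.example.com",        # shares a string suffix, not a label boundary
]

if __name__ == "__main__":
    for name in SAN_DNS_NAMES:
        verdict = "ok" if dns_name_allowed(name, PERMITTED, EXCLUDED) else "REJECT"
        print(f"{verdict:6} {name}")
```

Other name forms (rfc822Name, directoryName, iPAddress, URI) have their own matching rules and need separate checks.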