Chapter 4 Certificate Extension Plug-in Modules

PolicyConstraintsExt Plug-in Module

The PolicyConstraintsExt plug-in module implements the policy constraints extension policy. This policy enables you to configure Certificate Management System to add the Policy Constraints Extension defined in the X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension, which can be used in CA certificates only, constrains path validation in two ways: either to prohibit policy mapping or to require that each certificate in a path contain an acceptable policy identifier.

The policy constraints extension policy in Certificate Management System allows setting of the policy constraints extension as defined in its X.509 definition. The policy allows you to specify both the requireExplicitPolicy and inhibitPolicyMapping fields. The PKIX standard requires that, if present in a CA certificate, the extension must never consist of a null sequence. At least one of the two specified fields must be present. Before configuring the server to add the policy constraints extension to certificates, read the general guidelines provided in “policyConstraints” on page 352.

During installation, Certificate Management System automatically creates an instance of the policy constraints extension policy. See “PolicyConstraintsExt Rule” on page 224.

Configuration Parameters of PolicyConstraintsExt

In the CMS configuration file, the PolicyConstraintsExt module is identified as

ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.cms.policy.PolicyConstraintsExt

In the CMS window, the module is identified as PolicyConstraintsExt. Figure 4-23 shows how the configurable parameters for the module are displayed in the CMS window.
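
The two fields and the rule that the extension must never be a null sequence can be checked directly on the DER-encoded extension value. The following is an added example, not Certificate Management System code; the function names are hypothetical, and it assumes short-form DER lengths and the implicit [0]/[1] tagging of the RFC 2459 definition.

```python
# Added example (not CMS code). RFC 2459 structure of the extension value:
#   PolicyConstraints ::= SEQUENCE {
#       requireExplicitPolicy [0] SkipCerts OPTIONAL,
#       inhibitPolicyMapping  [1] SkipCerts OPTIONAL }   -- IMPLICIT tags
#   SkipCerts ::= INTEGER (0..MAX)
FIELDS = {0x80: "requireExplicitPolicy", 0x81: "inhibitPolicyMapping"}


def encode_policy_constraints(require_explicit_policy=None, inhibit_policy_mapping=None):
    """Build the DER value; refuse the empty SEQUENCE that PKIX forbids."""
    body = b""
    for tag, value in ((0x80, require_explicit_policy), (0x81, inhibit_policy_mapping)):
        if value is None:
            continue
        if value < 0:
            raise ValueError("SkipCerts must be >= 0")
        # Minimal two's-complement content; the extra byte keeps the sign bit clear.
        content = value.to_bytes(value.bit_length() // 8 + 1, "big")
        body += bytes([tag, len(content)]) + content
    if not body:
        raise ValueError("at least one of the two fields must be present")
    if len(body) > 127:
        raise ValueError("long-form lengths are outside this example")
    return bytes([0x30, len(body)]) + body


def parse_policy_constraints(der):
    """Decode the value, enforcing field order, minimal INTEGERs and non-emptiness."""
    if len(der) < 2 or der[0] != 0x30 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    fields, pos, last_tag = {}, 2, 0
    while pos < len(der):
        if pos + 2 > len(der):
            raise ValueError("truncated field")
        tag, length = der[pos], der[pos + 1]
        content = der[pos + 2 : pos + 2 + length]
        if tag not in FIELDS or tag <= last_tag:
            raise ValueError("unexpected, repeated or out-of-order field")
        if length == 0 or length > 127 or len(content) != length:
            raise ValueError("bad field length")
        if content[0] & 0x80:
            raise ValueError("SkipCerts must be non-negative")
        if length > 1 and content[0] == 0 and not content[1] & 0x80:
            raise ValueError("non-minimal INTEGER encoding")
        fields[FIELDS[tag]] = int.from_bytes(content, "big")
        pos, last_tag = pos + 2 + length, tag
    if not fields:
        raise ValueError("empty PolicyConstraints SEQUENCE is not allowed")
    return fields
```

A value of 0 for a field is distinct from the field being absent, which is why absent fields are passed as None rather than 0.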