228 Netscape Certificate Management System Plug-Ins Guide • March 2002

PolicyMappingsExt Rule

The rule named PolicyMappingsExt is an instance of the PolicyMappingsExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows:

• The rule is enabled.
• The predicate expression is set (predicate=HTTP_PARAMS.certType==ca) so that the extension gets added to CA certificates only.
• The extension is marked noncritical (to comply with the PKIX recommendation).
• The number of policy mappings is set to 1 (numPolicyMappings=1), indicating that a pair of policies is to be mapped.
• The fields for entering the OIDs for policies that are to be mapped are left blank for you to enter the appropriate values.

For details on individual parameters defined in the rule, see Table 4-23 on page 226. You need to review this rule and make the changes appropriate for your PKI setup. For instructions, see section “Step 2. Modify Existing Policy Rules” in Chapter 18, “Setting Up Policies” of CMS Installation and Setup Guide. For instructions on adding additional instances, see section “Step 4. Add New Policy Rules” in the same chapter.

PrivateKeyUsagePeriodExt Plug-in Module

The PrivateKeyUsagePeriodExt plug-in module implements the private key usage period extension policy. This policy enables you to configure Certificate Management System to add the Private Key Usage Period Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension allows the certificate issuer to specify a different validity period for the private key than the one specified for the corresponding certificate. The extension is intended for use with digital signature keys.

The PKIX standard recommends against the use of this extension. The standard also specifies that CAs conforming to it must not generate certificates with private key usage period extensions that are marked critical. For general guidelines on setting this extension in certificates, see “privateKeyUsagePeriod” on page 353.
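To make the extension concrete, the following added example (not code from this guide or from Certificate Management System) decodes the DER value of a Private Key Usage Period extension as RFC 2459 defines it and checks a signature time against it. The function names and the sample bytes are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

FIELDS = {0x80: "notBefore", 0x81: "notAfter"}  # [0] and [1], IMPLICIT tags

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def parse_pkup(ext_value):
    """Decode PrivateKeyUsagePeriod ::= SEQUENCE { [0] notBefore, [1] notAfter }."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one DER SEQUENCE")
    period, pos = {"notBefore": None, "notAfter": None}, 0
    while pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        name = FIELDS.get(tag)
        if name is None or period[name] is not None:
            raise ValueError("unexpected or repeated field")
        # PKIX GeneralizedTime form: YYYYMMDDHHMMSSZ
        stamp = datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ")
        period[name] = stamp.replace(tzinfo=timezone.utc)
    if not any(period.values()):
        raise ValueError("RFC 2459 requires at least one of the two fields")
    return period

def check_signature_time(ext_value, critical, signed_at):
    """Return findings for a signature made at signed_at (timezone-aware)."""
    period = parse_pkup(ext_value)
    findings = ["extension marked critical"] if critical else []
    if period["notBefore"] and signed_at < period["notBefore"]:
        findings.append("signed before private key usage period")
    if period["notAfter"] and signed_at > period["notAfter"]:
        findings.append("signed after private key usage period")
    return findings

# Constructed sample value: key usable from 2002-03-01 to 2003-03-01 (UTC).
SAMPLE = bytes.fromhex("3022800f" + b"20020301000000Z".hex()
                       + "810f" + b"20030301000000Z".hex())
```

A signature can fall outside this period while the certificate itself is still within its own validity dates, which is the case the extension exists to express.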