SubjectAltNameExt Plug-in Module
Chapter 4 Certificate Extension Plug-in Modules 237

SubjectAltNameExt Rule

The policy rule named SubjectAltNameExt is an instance of the SubjectAltNameExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows:

• The rule is enabled.
• The predicate expression is left blank so that the extension gets added to all certificates the server issues. (PKIX and Federal PKI standards recommend that CA certificates must have this extension and end-entity certificates should have this extension.)
• The extension is marked noncritical (to comply with the PKIX recommendation).
• The rule is configured to include at the most three alternative names in the extension (numGeneralNames=3).
• The first alternative name is the value of the mail attribute in the certificate subject’s directory entry (generalName0.requestAttr=AUTH_TOKEN.mail) and the name is in the rfc822Name format (generalName0.generalNameChoice=rfc822Name).
• The second alternative name is the value of the mailalternateaddress attribute in the certificate subject’s directory entry (generalName1.requestAttr=AUTH_TOKEN.mailalternateaddress) and the name is in the rfc822Name format (generalName1.generalNameChoice=rfc822Name).
• The third alternative name is the value of an HTTP input parameter csrRequestorEmail included in the certificate request (generalName2.requestAttr=HTTP_PARAMS.csrRequestorEmail) and the name is in rfc822Name format (generalName2.generalNameChoice=rfc822Name).

For details on individual parameters defined in the rule, see Table 4-26 on page 235. You need to review this rule and make the changes appropriate for your PKI setup. For instructions, see section “Step 2. Modify Existing Policy Rules” in Chapter 18, “Setting Up Policies” of CMS Installation and Setup Guide. For instructions on adding additional instances, see section “Step 4. Add New Policy Rules” in the same chapter.

Before you edit the default rule, you should read the additional details about the attributes that are set in the default policy rule.
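
As an aid to the review recommended above, the following added example (not part of the CMS documentation or product) reads the rule's parameters and reports where each alternative name comes from, separating the names read from the subject's directory entry (AUTH_TOKEN) from the one taken from an HTTP input parameter of the certificate request (HTTP_PARAMS). The key=value layout of the sample input and the function names are assumptions made for the example; only the parameter names and values come from the text.

```python
# Added example: audit the SubjectAltNameExt parameters described above.
# The key=value layout of DEFAULT_RULE is constructed for this example; only
# the parameter names and values are taken from the text.
DEFAULT_RULE = """\
numGeneralNames=3
generalName0.requestAttr=AUTH_TOKEN.mail
generalName0.generalNameChoice=rfc822Name
generalName1.requestAttr=AUTH_TOKEN.mailalternateaddress
generalName1.generalNameChoice=rfc822Name
generalName2.requestAttr=HTTP_PARAMS.csrRequestorEmail
generalName2.generalNameChoice=rfc822Name
"""

def parse_params(text):
    """Parse key=value lines into a dict, skipping blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def audit_rule(text):
    """Return one (index, choice, attribute, origin) tuple per configured name."""
    params = parse_params(text)
    count = int(params.get("numGeneralNames", "0"))
    report = []
    for i in range(count):
        attr = params.get(f"generalName{i}.requestAttr", "")
        choice = params.get(f"generalName{i}.generalNameChoice", "")
        prefix, _, name = attr.partition(".")
        if not attr or not choice:
            origin = "incomplete"      # slot counted but not fully defined
        elif prefix == "AUTH_TOKEN":
            origin = "directory"       # value read from the subject's entry
        elif prefix == "HTTP_PARAMS":
            origin = "request"         # value sent with the certificate request
        else:
            origin = "unknown"
        report.append((i, choice, name, origin))
    return report

def request_supplied(text):
    """Names whose value arrives as an HTTP input parameter of the request."""
    return [row for row in audit_rule(text) if row[3] == "request"]

if __name__ == "__main__":
    for row in audit_rule(DEFAULT_RULE):
        print(row)
```

For the default rule, `request_supplied` returns only the third name (csrRequestorEmail), which is the entry to look at first when deciding which alternative names suit your PKI setup.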