Constraints-Specific Policy Module Reference
Chapter 11 Policies 499

Table 11-4 DSAKeyConstraints Configuration Parameters (Continued)

Parameter    Description

minSize      Specifies the minimum length, in bits, for the key (the length of the modulus in bits). The value must be smaller than or equal to the one specified by the maxSize parameter. Permissible values: 512 or 1024. You may also enter a custom key size that is between 512 and 1024, in increments of 64 bits. The default value is 512.

maxSize      Specifies the maximum length, in bits, for the key. Permissible values: 512 or 1024. You may also enter a custom key size that is between 512 and 1024, in increments of 64 bits. The default value is 1024.

exponents    Limits the possible public exponent values. Use commas to separate different values. Some exponents are more widely used than others. The following exponent values are recommended for arithmetic and security reasons: 17 and 65537. Of these two values, 65537 is preferred. (This setting is mainly an issue if you are using your own software for generating key pairs. Key-generation programs in Netscape clients and servers use 3 or 65537.) Permissible values: A combination of 3, 7, 17, and 65537, separated by commas. The default value is 3,7,17,65537.

IssuerConstraints

The IssuerConstraints plug-in module enables you to effectively deploy certificate-based enrollment explained in “Certificate-Based Enrollment” on page 409.

The policy enables the Certificate Manager to authenticate an end user by checking the issuer DN of the CA that has issued the certificate the user presents as an enrollment token during enrollment. Note that in the current implementation, the CA that issues the new certificates must be the same as the one that has issued the certificates used for SSL client authentication; that is, the issuer DN in the authentication certificate must match the issuer DN specified in the policy configuration.

During installation, CMS automatically creates an instance of the issuer constraints policy, named IssuerRule, that is disabled by default.

Table 11-5 describes the configuration parameters of the IssuerConstraints policy.
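The issuer-DN match that IssuerConstraints performs, shown as an added Python example that is not CMS code: it compares the two DNs as ordered sequences of RDNs instead of raw strings, so differences in case or spacing do not cause a false rejection while a reordered or different issuer is still refused. The function names, the sample DNs and the normalization rules are assumptions (the page does not say how CMS compares DNs), and the check presumes the certificate chain was already verified during SSL client authentication.

```python
import re

def parse_dn(dn):
    """Parse an RFC 4514-style DN string into an ordered list of RDNs.

    Simplified: handles backslash-escaped characters, but not hex-encoded
    (#...) values or an escaped backslash directly before a separator.
    """
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):          # split on unescaped commas
        pairs = set()
        for ava in re.split(r'(?<!\\)\+', rdn):    # parts of a multi-valued RDN
            if '=' not in ava:
                raise ValueError(f"malformed DN component: {ava!r}")
            attr, value = ava.split('=', 1)
            value = re.sub(r'\\(.)', r'\1', value.strip())  # drop escapes
            value = re.sub(r'\s+', ' ', value).casefold()   # fold space and case
            pairs.add((attr.strip().casefold(), value))
        rdns.append(frozenset(pairs))
    return rdns

def issuer_matches(cert_issuer_dn, configured_issuer_dn):
    """True only if both DNs contain the same RDNs in the same order."""
    try:
        return parse_dn(cert_issuer_dn) == parse_dn(configured_issuer_dn)
    except ValueError:
        return False  # fail closed on anything unparseable

# Constructed sample values, not taken from any real deployment.
CONFIGURED = r"CN=Example Issuing CA, O=Example\, Inc., C=US"
SAMPLES = {
    "same DN, different case/spacing": r"cn=example issuing ca,O=Example\,  Inc.,c=us",
    "same RDNs, reversed order": r"C=US, O=Example\, Inc., CN=Example Issuing CA",
    "different CA, same organization": r"CN=Other CA, O=Example\, Inc., C=US",
    "not a DN": "Example Issuing CA",
}

if __name__ == "__main__":
    for label, dn in SAMPLES.items():
        print(f"{label}: {issuer_matches(dn, CONFIGURED)}")
```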