Constraints-Specific Policy Module ReferenceChapter 11 Policies 501RenewalConstraintsThe RenewalConstraints plug-in module imposes constraints on renewal ofexpired certificates—it allows or restricts the server from renewing expiredcertificates. You may apply this policy to end-entity certificate renewal requests.During installation, CMS automatically creates an instance of the renewalconstraints policy, named RenewalConstraintsRule, that is enabled by default.Table 11-7 describes the configuration parameters of the RenewalConstraintspolicy.RenewalValidityConstraintsThe RenewalValidityConstraints plug-in module governs the formulation ofcontent in the renewed certificate based on the currently issued certificate.algorithms Specifies the key type the server should certify. The default is RSA.Permissible values: RSA or RSA.Table 11-7 RenewalConstraints Configuration ParametersParameter Descriptionenable Specifies whether the rule is enabled or disabled. Select to enable the rule(default). Deselect to disable the rule.predicate Specifies the predicate expression for this rule. If you want this rule to be appliedto all certificate requests, leave the field blank (default). To form a predicateexpression, see “Using Predicates in Policy Rules” on page 485.allowExpiredCerts Specifies whether to allow or prevent renewal of expired certificates. Select if youwant the server to renew expired certificates (default). Deselect if you don’t wantthe server to renew expired certificates.renewalNotAfter Specifies how long, in days, after the expiration of a certificate can it be renewed.The default value is 30 days. If you leave the field blank, the server will renew allexpired certificates that are submitted for renewal.Table 11-6 KeyAlgorithmConstraints Configuration Parameters (Continued)Parameter Description
