Extension-Specific Policy Module ReferenceChapter 11 Policies 519CertificateScopeOfUseExtThe CertificateScopeOfUseExt plug-in module enables you to add the CertificateScope of Use Extension to certificates. The extension enables you to specify a list ofweb sites that may request the use of a particular certificate for SSL clientauthentication, thus aiding certificate-using applications to select certificates topresent to web sites and to control release of these certificates.relativeEndTime Specifies the last opportunity for automatic renewal of the certificate that containsthis extension. Specifying a value for this parameter is optional; if you leave thefield blank, the certificate-using application is expected to use the expiration date(notAfter value) in the certificate.Permissible values: 0 or n.• 0 specifies that the renewal window ends at the same time the certificateexpires; the endTime field of the extension will be set to the time thecertificate expires.• n specifies a past or future time, in seconds, by which the certificate must berenewed; the endTime field of the extension will be set to the specified timesince certificate issuance. You can specify the time period in seconds, minutes,hours, days, or months. Use the following suffixes to indicate the time unit.s - secondsm - minutesh - hoursD - daysM - monthsFor example, if you’re issuing certificates with a validity period of two years andwant the renewal window to end a month after the certificates expire, and want tospecify the interval in months, you would enter 25M in this field. On the otherhand, if you want the renewal window to end 15 days before certificates expire,then you would set the value to 705D ((23 months x 30 days) + 15 days).Note that if you choose to extend the renewal window after the expiration date ofthe certificate itself, your CA must maintain appropriate status information aboutthe certificate during that window in order to allow appropriate authentication inthe renewal process. (Automatic renewal may take place after the certificate hasexpired, when it is not valid for other purposes.)Example: 705DTable 11-19 CertificateRenewalWindowExt Configuration Parameters (Continued)Parameter Description
