Configuring the Certificate Manager
120 Netscape Certificate Management System Administrator’s Guide • June 2003

Changing the Certificate Issuance Rules

You can change some of the rules about certificate issuance that were either determined during installation or are the system defaults. These include:

• Whether certificates can be issued with validity periods longer than that of the Certificate Manager’s CA signing certificate; the default is to not allow this.
• The serial number range the CA is able to use to issue certificates.
• The signing algorithm used to sign certificates.

To change the certificate issuance rules:

1. In the CMS window, select the Configuration tab.
2. In the navigation tree, select Certificate Manager.
   The General Setting tab appears.
3. Change the following fields in this tab:

Override validity nesting requirement. Specifies whether the Certificate Manager can issue certificates with validity periods beyond that of its CA signing certificate.

If this option is deselected and the Certificate Manager (CA) receives a request with a validity period extending beyond that of its CA signing certificate, it automatically truncates the validity period to end on the day the CA signing certificate expires.

Validity periods of certificates during enrollment are determined by the ValidityConstraints plug-in module; see “ValidityConstraints,” on page 506. Similarly, validity periods of certificates during renewal are determined by the RenewalValidityConstraints plug-in module; see “RenewalValidityConstraints,” on page 499.

Certificate Serial Number. Specifies the serial number range for certificates issued by this Certificate Manager. The server assigns the serial number you enter in the “Next serial number” field to the next certificate it issues and the number you enter in the “Ending serial number” field to the last certificate it issues.

The serial number range enables you to deploy multiple CAs, balancing the number of certificates each CA issues. Note that the combination of an issuer name and a serial number uniquely identifies a certificate. To ensure that two distinct certificates issued by the same authority do not contain the same serial number, make sure the serial number ranges do not overlap among cloned CAs.
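The non-overlap requirement for cloned CAs can be checked before the ranges are entered. The following Python sketch is an added example, not part of the guide or of CMS; the CA names and ranges are constructed, and it assumes the “Next serial number” and “Ending serial number” values are written in hexadecimal and that both ends of a range are issued.

```python
from typing import NamedTuple

class SerialRange(NamedTuple):
    ca: str     # label for the CA instance (constructed name)
    first: int  # "Next serial number": assigned to the next certificate issued
    last: int   # "Ending serial number": assigned to the last certificate issued

def parse_range(ca, next_serial, ending_serial):
    # Assumption: values are hexadecimal strings; change the base if yours are decimal.
    r = SerialRange(ca, int(next_serial, 16), int(ending_serial, 16))
    if r.first > r.last:
        raise ValueError(f"{ca}: next serial {next_serial} is past ending serial {ending_serial}")
    return r

def find_overlaps(ranges):
    """Return (ca_a, ca_b, first_shared, last_shared) for each pair sharing a serial."""
    overlaps = []
    ordered = sorted(ranges, key=lambda r: r.first)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.first > a.last:
                break  # sorted by start: no later range can reach back into a
            # Both ends are inclusive, so a.last == b.first is already a collision.
            overlaps.append((a.ca, b.ca, b.first, min(a.last, b.last)))
    return overlaps

# Constructed sample: the master's ending serial equals clone1's next serial.
CLONES = [
    parse_range("ca-master", "1", "1000"),
    parse_range("ca-clone1", "1000", "1FFF"),
    parse_range("ca-clone2", "2000", "2FFF"),
]

# Corrected plan: the master stops one serial earlier.
FIXED = [parse_range("ca-master", "1", "FFF")] + CLONES[1:]

if __name__ == "__main__":
    for ca_a, ca_b, lo, hi in find_overlaps(CLONES):
        print(f"{ca_a} and {ca_b} can both issue serials {lo:#x}..{hi:#x}")
    print("corrected plan overlaps:", find_overlaps(FIXED))
```
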