Extension-Specific Policy Module Reference

Chapter 11 Policies 539

Table 11-28 KeyUsageExt Configuration Parameters (Continued)

Parameter       Description

decipherOnly    Specifies whether to set the decipherOnly bit (or bit 8) of the key usage extension in certificates specified by the predicate parameter.
                Permissible values: true, false, or HTTP_INPUT.
                • Select true if you want the server to set the bit (default).
                • Select false if you don’t want the server to set the bit.
                • Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the decipherOnly bit and set the bit accordingly. If the variable is set to true, the server sets the bit. If the variable doesn’t exist or if it is set to false (or any other value), the server doesn’t set the bit.

NameConstraintsExt

The NameConstraintsExt plug-in module enables you to add the Name Constraints Extension to certificates. The extension is used in CA certificates to indicate a name space within which subject names or subject alternative names in subsequent certificates in a certification path or chain should be located.

For general information about this extension, see “nameConstraints” on page 764.

During installation, CMS automatically creates an instance of the name constraints extension policy, named NameConstraintsExt, that is disabled by default.

Table 11-29 NameConstraintsExt Configuration Parameters

Parameter       Description

enable          Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable.

predicate       Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see section “Using Predicates in Policy Rules” in Chapter 18, “Setting Up Policies” of CMS Administrator’s Guide.
                Example: HTTP_PARAMS.certType==ca

critical        Specifies whether the extension should be marked critical or noncritical. Select to mark critical (default), deselect to mark noncritical.
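
The name space check that a name constraints extension asks certificate path validators to perform, shown here for DNS subject alternative names only. This is an added example, not code from CMS or its documentation; the permitted/excluded subtree model follows RFC 5280, and every domain name, list and function name in it is constructed for illustration.

```python
# Added example: dNSName name-constraint matching in the style of RFC 5280.
# All domain names below are constructed sample data, not values from CMS.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def in_subtree(name, constraint):
    """True if `name` equals `constraint` or adds whole labels to its left."""
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[len(n) - len(c):] == c

def check_dns_names(san_dns_names, permitted, excluded):
    """Return (name, reason) for every DNS name that violates the constraints.

    Excluded subtrees take precedence over permitted ones; an empty
    `permitted` list places no restriction on the dNSName form.
    """
    violations = []
    for name in san_dns_names:
        if any(in_subtree(name, e) for e in excluded):
            violations.append((name, "excluded"))
        elif permitted and not any(in_subtree(name, p) for p in permitted):
            violations.append((name, "not permitted"))
    return violations

# Constructed constraints carried by a hypothetical subordinate CA certificate.
PERMITTED = ["corp.example.com"]
EXCLUDED = ["lab.corp.example.com"]

# Constructed DNS names from certificates issued below that CA.
SAMPLE_SANS = [
    "www.corp.example.com",        # inside the permitted subtree
    "corp.example.com",            # the subtree root itself
    "evilcorp.example.com",        # same string suffix, but not whole labels
    "build.lab.corp.example.com",  # permitted subtree, yet explicitly excluded
    "WWW.Corp.Example.COM.",       # case and trailing dot are normalised
]

def demo():
    return check_dns_names(SAMPLE_SANS, PERMITTED, EXCLUDED)

if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Comparing whole labels rather than raw string suffixes is what keeps evilcorp.example.com outside the corp.example.com name space.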