Policy constraints

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Qualified subordinate certification authority (CA) policy constraints allow you to constrain the path validation of your certification hierarchy by:

  • Defining how far below a qualified subordinate CA in your certification hierarchy an explicit policy is required.

  • Defining how far below a qualified subordinate CA in your certification hierarchy policy mapping is still permitted.

There are two policy constraint settings:

  • Require explicit policy. Determines the maximum number of additional certificates that may appear below the qualified subordinate CA in the certification hierarchy before a policy is required.

  • Inhibit policy mapping. Determines the maximum number of additional certificates that may appear below the qualified subordinate CA in the certification hierarchy before policy mapping is no longer permitted.

Policy constraints are set separately for issuance and application policies. The policy constraints for a qualified subordinate CA's issuance policies do not have to be the same as the Require explicit policy and Inhibit policy mapping settings for its application policies.

When defining policy constraints, the numbering system used begins with 0. For example, if a qualified subordinate CA policy has an inhibit policy mapping of 0, then that policy can only be mapped one level below the qualified subordinate CA in the trust hierarchy.

For more information, see Qualified subordination; Qualified subordination overview; Name constraints; Mapping policies between trust hierarchies; Policy qualifiers; and Certificate Templates.

Note

  • Policy constraints cannot be specified in certificate templates, but must be specified in the information file (.inf) used to create the CA certificate that, in turn, is used to install the qualified subordinate CA.
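The following is an added example, not from this page, of the policy .inf fragment the note refers to. It uses the [PolicyConstraintsExtension] and [ApplicationPolicyConstraintsExtension] sections of the Windows Server 2003 qualified subordination .inf syntax to set Require explicit policy and Inhibit policy mapping separately for issuance and application policies, as described above. The policy names, OIDs and DNS suffix are constructed placeholders; the other sections are included only so the fragment is complete enough to apply with certreq -policy when signing the subordinate CA request.

```ini
[Version]
Signature="$Windows NT$"

; Issuance policies asserted by the qualified subordinate CA certificate.
; The OIDs are constructed placeholders; replace them with your own.
[PolicyStatementExtension]
Policies=ExampleMediumAssurance
Critical=FALSE

[ExampleMediumAssurance]
OID=1.3.6.1.4.1.99999.1.1
Notice="Constructed placeholder issuance policy"

; Application policies (extended key usages) the qualified subordinate CA may issue for.
[ApplicationPolicyStatementExtension]
Policies=ExampleSecureEmail
Critical=FALSE

[ExampleSecureEmail]
OID=1.3.6.1.5.5.7.3.4 ; Secure Email

; Policy constraints for ISSUANCE policies.
; Numbering starts at 0: 0 additional certificates may appear below this CA
; before an explicit issuance policy is required and before issuance policy
; mapping is no longer permitted.
[PolicyConstraintsExtension]
RequireExplicitPolicy=0
InhibitPolicyMapping=0
Critical=TRUE

; Policy constraints for APPLICATION policies, set independently of the
; issuance policy constraints above (here one additional certificate is
; allowed before each constraint takes effect).
[ApplicationPolicyConstraintsExtension]
RequireExplicitPolicy=1
InhibitPolicyMapping=1
Critical=TRUE

; Limit how deep the subordinate CA's own hierarchy may go.
[BasicConstraintsExtension]
PathLength=1
Critical=TRUE

; Name constraints are set separately from policy constraints; a constructed
; permitted DNS namespace is shown so the fragment is complete.
[NameConstraintsExtension]
Include=NameConstraintsPermitted
Critical=TRUE

[NameConstraintsPermitted]
DNS=.example.invalid

[RequestAttributes]
CertificateTemplate=SubCA
```

After the CA certificate is issued, confirm that both constraint extensions carry the intended values before installing the qualified subordinate CA, since the values cannot be corrected through the certificate template afterwards.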