543 # |
543 # |
544 # CAConstraint: |
544 # CAConstraint: |
545 # jdkCA |
545 # jdkCA |
546 # This constraint prohibits the specified algorithm only if the |
546 # This constraint prohibits the specified algorithm only if the |
547 # algorithm is used in a certificate chain that terminates at a marked |
547 # algorithm is used in a certificate chain that terminates at a marked |
548 # trust anchor in the lib/security/cacerts keystore. If the jdkCA |
548 # trust anchor in the lib/security/cacerts keystore. If the jdkCA |
549 # constraint is not set, then all chains using the specified algorithm |
549 # constraint is not set, then all chains using the specified algorithm |
550 # are restricted. jdkCA may only be used once in a DisabledAlgorithm |
550 # are restricted. jdkCA may only be used once in a DisabledAlgorithm |
551 # expression. |
551 # expression. |
552 # Example: To apply this constraint to SHA-1 certificates, include |
552 # Example: To apply this constraint to SHA-1 certificates, include |
553 # the following: "SHA1 jdkCA" |
553 # the following: "SHA1 jdkCA" |
554 # |
554 # |
555 # DenyAfterConstraint: |
555 # DenyAfterConstraint: |
556 # denyAfter YYYY-MM-DD |
556 # denyAfter YYYY-MM-DD |
557 # This constraint prohibits a certificate with the specified algorithm |
557 # This constraint prohibits a certificate with the specified algorithm |
558 # from being used after the date regardless of the certificate's |
558 # from being used after the date regardless of the certificate's |
559 # validity. JAR files that are signed and timestamped before the |
559 # validity. JAR files that are signed and timestamped before the |
560 # constraint date with certificates containing the disabled algorithm |
560 # constraint date with certificates containing the disabled algorithm |
561 # will not be restricted. The date is processed in the UTC timezone. |
561 # will not be restricted. The date is processed in the UTC timezone. |
562 # This constraint can only be used once in a DisabledAlgorithm |
562 # This constraint can only be used once in a DisabledAlgorithm |
563 # expression. |
563 # expression. |
564 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020, |
564 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020, |
565 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03" |
565 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03" |
566 # |
566 # |
567 # UsageConstraint: |
567 # UsageConstraint: |