3.11.21. TLS_PolicyOID

This optional parameter enables certificate policy checking when a TLS peer presents a certificate, and specifies one or more policy OIDs that must be present in the certificate path. It sets the 'require explicit policy' flag as defined in RFC 3280. Using this parameter requires the Perl Net::SSLeay module, version 1.37 or later. It may be used for additional certificate validity checks, for example, with RadSec.
When multiple TLS_PolicyOID parameters are configured, the peer certificate needs to match only one of the configured OIDs, not all of them.
# Require just one policy
TLS_PolicyOID 1.3.6.1.4.1.9048.33.2
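
The path-wide check and the one-of-several matching described above, as an added example that is not Radiator or Net::SSLeay code: a simplified Python model of RFC 3280 policy processing that ignores policy mappings, policy constraints and inhibitAnyPolicy. The function names and the `2.999.x` OIDs are constructed for illustration.

```python
# Simplified model of RFC 3280 certificate policy processing (added example).
# Assumption: each certificate is represented only by the list of OIDs in its
# certificatePolicies extension; mappings and constraints are not modelled.

ANY_POLICY = "2.5.29.32.0"             # anyPolicy OID defined by RFC 3280
PAGE_OID = "1.3.6.1.4.1.9048.33.2"     # OID from the TLS_PolicyOID example
OTHER_OID = "2.999.1"                  # constructed OID in the example arc


def valid_policies(path):
    """Return the policies valid for the whole path.

    `path` is ordered from the first CA below the trust anchor down to the
    peer certificate. An empty result means no policy survived the path.
    """
    valid = {ANY_POLICY}                # initial state: any policy acceptable
    for cert_policies in path:
        asserted = set(cert_policies)
        nxt = set()
        for oid in asserted - {ANY_POLICY}:
            # A policy survives only if the previous level allowed it.
            if oid in valid or ANY_POLICY in valid:
                nxt.add(oid)
        if ANY_POLICY in asserted:
            nxt |= valid                # anyPolicy carries earlier policies on
        valid = nxt                     # no extension at all empties the set
    return valid


def peer_accepted(path, configured_oids):
    """True if at least one configured OID is valid for the whole path."""
    valid = valid_policies(path)
    if ANY_POLICY in valid:
        return bool(configured_oids)
    return any(oid in valid for oid in configured_oids)


if __name__ == "__main__":
    cases = {
        "CA and peer assert the OID": [[PAGE_OID], [PAGE_OID]],
        "CA asserts anyPolicy": [[ANY_POLICY], [PAGE_OID]],
        "only the peer asserts the OID": [[OTHER_OID], [PAGE_OID]],
        "CA has no policies extension": [[], [PAGE_OID]],
    }
    for name, path in cases.items():
        print(f"{name}: accepted={peer_accepted(path, [PAGE_OID])}")
```

A peer certificate that carries the configured OID is still rejected in this model when an intermediate CA certificate asserts neither that OID nor anyPolicy.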