After a discussion with Chandra, Andrew : Current "profile framework" does not provide the control to modify http_params to filter cert types like "HTTP_PARAMS.certType==client" . which used to be possible earlier with "policy framework"[1] Reference: [1] http://docs.sun.com/source/816-5531-10/poli_int.htm#1227500 [2] http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Publishing-Rules.html#Administration_Guide-Modifying_Publishing_Rules_for_Certificates_and_CRLs-Predicates_Used_in_Publishing_Rules