_PKISERV_CMP_KEYTYPE_domain |
Specifies the key type or encryption algorithm
to be used to generate the key pair. PKI Services supports RSA, NISTECC and BPECC.Examples:_PKISERV_CMP_KEYTYPE_CardCA1=RSA
_PKISERV_CMP_KEYTYPE=BPECC
|
_PKISERV_CMP_KEYSIZE_domain |
A three- or four-digit number that specifies
the length of the key.- For RSA, minimum size is 512 (1024 if _PKISERV_CMP_SECUREKEY
is set), maximum size is 4096, and the default is 1024. The value
must be a multiple of two (256, if _PKISERV_CMP_SECUREKEY
is set).
- For NISTECC, valid sizes are 192, 224, 256, 384 and 521, and the
default is 192.
- For BPECC, valid sizes are 160, 192, 224, 256, 320, 384, 512,
and the default is 192.
Examples:_PKISERV_CMP_KEYSIZE_CardCA1=2048
_PKISERV_CMP_KEYSIZE=512
|
_PKISERV_CMP_SECUREKEY_domain |
Specifies whether to generate secure keys in
the TKDS. The value 1 specifies that secure keys are to be generated.
The value 0 specifies that clear keys are to be generated.If this
variable is not set, the profile protecting the CLEARKEY resource
in the CRYPTOZ class determines whether the key generated is a secure
key or a clear key. If the profile allows clear key generation, the
generated key is a clear key. If the profile restricts clear key generation,
the generated key is a secure key. For example, the following command
creates a profile that prevents the generation of clear keys from
any of the CMP clients: RDEF CRYPTOZ CLEARKEY.SYSTOK-SESSION-ONLY UACC(NONE)
In
this case, AES256 is used to envelop the private key.
|
_PKISERV_CMP_SECUREKEY_KEYENCALG_dom |
Specifies the algorithm to envelop the private
key. Valid values are AES256, AES128,
and TDES. If not set, it defaults to AES256.
This variable is ignored if _PKISERV_CMP_SECUREKEY_domain is
not set. |
_PKISERV_CMP_HONOR_CLIENT_DATES_dom |
Specifies whether to honor client-specified
certificate validity dates. Valid values are 0 and 1. The value
1 specifies that PKI Services uses start and end dates specified in
the validity field of the certificate request. If validity dates are
not specified, PKI Services uses the values in the environment variables
_PKISERV_CMP_NOTBEFORE_domain and _PKISERV_CMP_NOTAFTER_domain.
If either the start date or the end date is specified and the other
is not specified, PKI Services uses the value set by the corresponding
environment variable for the unspecified value.
The value 0,
or the absence of this variable, indicates that PKI Services is to
use the values in the environment variables _PKISERV_CMP_NOTBEFORE_domain and
_PKISERV_CMP_NOTAFTER_domain. If the client specifies
either a start or end date in the validity field of a cr message
when the value of this variable is 0 or absent, PKI Services rejects
the request.
Examples:_PKISERV_CMP_HONOR_CLIENT_DATES_CardCA1=1
_PKISERV_CMP_HONOR_CLIENT_DATES=0
|
_PKISERV_CMP_NOTBEFORE_domain |
Specifies the number of days from day of issue
to when the certificate becomes valid. Valid values are 0 - 30 days.
The default is 0, specifying that the certificate is valid from the
start of the current day.Examples:_PKISERV_CMP_NOTBEFORE_CardCA1=7
_PKISERV_CMP_NOTBEFORE=5
|
_PKISERV_CMP_NOTAFTER_domain |
Specifies the number of days from today’s date
to when the certificate expires. Valid values are 1 - 9999. The default
is 365. The value 1 specifies that the certificate is valid until
the end of the current day.Examples:_PKISERV_CMP_NOTAFTER_CardCA1=1825
_PKISERV_CMP_NOTAFTER=1580
|
_PKISERV_CMP_HONOR_CLIENT_EXTS_domain |
Specifies whether to honor the client-specified
extensions Subject Alternate Name, Keyusage and Extended keyusage.
Valid values are 0 and 1. The value 1 specifies that PKI Services
uses the extensions Subject Alternate Name, Keyusage and Extended
keyusage from the request.
The value 0, or the absence of this
variable, specifies that PKI Services is to use the extensions Keyusage
and Extended keyusage from the environment variables _PKISERV_CMP_KEYUSAGE_domain and
_PKISERV_CMP_EXTKEYUSAGE_domain. If the client
specifies the extensions field of a cr message or
the attributes field of a p10cr message when the
value of this variable is 0 or absent, PKI Services rejects the request.
Examples:_PKISERV_CMP_HONOR_CLIENT_EXTS_CardCA1=1
_PKISERV_CMP_HONOR_CLIENT_EXTS=0
|
_PKISERV_CMP_KEYUSAGE_domain |
Blank-separated character strings defining the
key usage to be added to requested certificates. Valid values are: handshake, dataencrypt, certsign, docsign, digitalsignature, digitalsig, nonrepudiation, keyencipherment, keyenciph, keyencrypt, dataencipherment, dataenciph, keyagreement, keyagree, keycertsign,
and crlsign. The values are not case-sensitive. No
default value.Examples:_PKISERV_CMP_KEYUSAGE_CardCA1=digitalsig keyencrypt
_PKISERV_CMP_KEYUSAGE=handshake
|
_PKISERV_CMP_EXTKEYUSAGE_domain |
Blank-separated character strings defining the
extended key usage to be added to requested certificates. Valid values
are: serverauth, clientauth, codesigning, emailprotection, timestamping, ocspsigning,
and mssmartcardlogon. The values are not case-sensitive.
No default value.Examples:_PKISERV_CMP_EXTKEYUSAGE_CardCA1=clientauth
_PKISERV_CMP_EXTKEYUSAGE=serverauth
|
_PKISERV_CMP_AUTHINFOACC_domain |
Deprecated. Use _PKISERV_CMP_AUTHINFOACCn_domain instead.
Ignored if you specify _PKISERV_CMP_AUTHINFOACCn_domain. A
comma-separated two-part string specifying information used to create
the AuthorityInfoAccess extension. The two-part string
identifies the accessMethod and accessLocation.
The accessMethod is either OCSP or IdentrusOCSP (case-insensitive).
The accessLocation is a URI in the form URI=access-url or URL=access-url.
The access-url must be an HTTP protocol. No default
value.
Examples: _PKISERV_CMP_AUTHINFOACC_CardCA1=OCSP,
URL=http://www.widgets.com/CardCA1/public-cgi/caocsp
_PKISERV_CMP_AUTHINFOACC=OCSP,
URI=http://www.widgets.com/PKIServ/public-cgi/caocsp
|
_PKISERV_CMP_AUTHINFOACCn_domain |
Specifies one or more AuthorityInfoAccess extensions
in the form of a comma-separated two-part string. The two-part string
identifies the accessMethod and accessLocation.
The accessMethod is either OCSP or IdentrusOCSP (case-insensitive).
The accessLocation is a URI in the form URI=access-url or URL=access-url.
The access-url must be an HTTP protocol. No default
value. There can be multiple entries, where n is
1 for the first AuthorityInfoAccess extension and
increases sequentially for additional entries.Examples: _PKISERV_CMP_AUTHINFOACC1_CardCA1=OCSP,
URL=http://www.widgets.com/CardCA1/public-cgi/caocsp
_PKISERV_CMP_AUTHINFOACC2_CardCA1=OCSP,
URI=http://www.widgets.com/PKIServ/public-cgi/caocsp
|
_PKISERV_CMP_CERTPOLICIES_domain |
Specifies the certificate policies that are
to be included in the issued certificates. The value is a set of numbers,
separated by blanks, each representing one of the PolicyName values
specified in the CertPolicy section of the PKI Services configuration
file. Valid values are 1 - 99. No default value.Examples:_PKISERV_CMP_CERTPOLICIES_CardCA1=1 2 3
_PKISERV_CMP_CERTPOLICIES=1 4
|
_PKISERV_CMP_CUSTOMEXTn_domain |
Specifies one or more custom extensions in the
form of a comma-separated four-part string as indicated in the CustomExt
field in the GENCERT CertPlist. There can be multiple entries, where n is
1 for the first custom extension and increases sequentially for additional
entries.Example:_PKISERV_CMP_CUSTOMEXT1_CardCA1=1.3.6.1.4.1.311.20.2,
N,BMP,myDomainController
|