Certificate fields |
|
|
Certificate fields related to Subject's Distinguished Name
Note:
- The values for these fields are the relative distinguished names
(RDNs) that are saved in the subject's distinguished name (DN) in
the certificate.
- For a server certificate, a base64-encoded PKCS #10 certificate
request is required. If you specify one or more of these fields, the
subject's distinguished name supplied in the PKCS #10 certificate
request is ignored and only the fields you specify are in effect.
For example, suppose that the subject's distinguished name specified
in the PKCS #10 certificate request contains three RDNs - common name,
organizational unit, and country. If you specify a value for organizational
unit, you must also specify values for common name and country, even
though you aren't changing them. If you don't, these two RDNs have
no values.
|
Business Category |
The business category. This field is a text
field of up to 64 characters. This field is intended for use in
Extended Validation (EV) certificates.
|
Common name |
Your name, such as John Smith. (You can use
your first and last name, in that order.) This is a text field of
up to 64 characters. For SSL servers, the common name is the server's
fully qualified domain name, for example, www.ibm.com.
|
Country |
The country where your organization is located.
This is a 2-character text field. |
Distinguished name qualifier |
Specifies information to add to the subject
distinguished name of an entry to make it unambiguous. |
Domain component |
One component of a domain name associated with
the subject distinguished name. For example, the domain name www.ibm.com
is represented by 3 components: www, ibm and com. |
E-mail address |
E-mail address with attribute EMAIL for the
distinguished name. This is a text field of up to 64 characters. |
Jurisdiction Country |
The jurisdiction of incorporation country name.
This field is a two-character text field. This field is intended
for use in Extended Validation (EV) certificates.
|
Jurisdiction Location |
The jurisdiction of incorporation locality name.
This field is a text field of up to 64 characters. This field is
intended for use in Extended Validation (EV) certificates.
|
Jurisdiction State or Province |
The jurisdiction of incorporation state or province
name. This field is a text field of up to 64 characters. This field
is intended for use in Extended Validation (EV) certificates.
|
Locality |
The city or municipality where your organization
is located, such as Pittsburgh or Paris. This is a text field of up
to 64 characters. |
Mail |
E-mail address with attribute MAIL for the distinguished
name. This is a text field of up to 64 characters. Restriction: If
you specify a value for this parameter and for Notification
e-mail address, the two values must be the same.
|
Organization |
The legally registered name (or trademark name,
for example, IBM®) of your organization.
This is a text field of up to 64 characters. |
Organizational unit |
The name of your division or department. (There
can be more than one organizational unit field on a request form.
For example, one could be for your department and another for your
division.) This is a text field of up to 64 characters. |
Postal code |
Your postal code or zip code. This is a text
field of up to 64 characters. |
Serial number |
Serial number of the subject device. This is
a text field of up to 64 characters. |
State or Province |
The state or province where your organization
is located. Your registration policies determine whether you spell
out the full name of the state or province or use an abbreviation.
This is a text field of up to 64 characters. |
Street |
Your street address. This is a text field of
up to 64 characters. |
Title |
Your job title. This is a text field of up to
64 characters. |
Unstructured address |
The unstructured address of the subject device. |
Unstructured name |
The unstructured name of the subject device. |
User ID |
The system login name associated with the subject
distinguished name. |
Certificate fields related to validity period |
|
Not after (date) |
A number of days, added to the current date,
after which the certificate expires. By default, you can select either
one year or two years for the time at which the certificate expires. |
Not before (date) |
A number of days, added to the current date
(by default, you can select either 0 or 30),
before which the certificate is not valid. |
Certificate fields related to extensions |
|
Alternate domain name |
Domain name for alternate name. This is the
host name of the machine where a certificate will be installed. This
is a text field of up to 100 characters. Note: The value is one of
the list of subject's alternate names that is saved in the subject
alternate name extension in the certificate.
|
Alternate e-mail address |
E-mail address for alternate name, including
the @ character and any periods (.). This is a text
field of up to 100 characters. Note: The value is one of the list
of subject's alternate names that is saved in the subject alternate
name extension in the certificate.
|
Alternate IP address |
The IP address for the alternate name. This
unique IP address specifies the location of each device or workstation
on the Internet. PKI Services supports
both IP version 4 and IP version 6 addresses. The IP address is a
text field of up to 45 characters:
- For IP version 4, the IP address is in dotted decimal format;
for example, 9.67.97.103.
- For IP version 6, the IP address is divided into eight 16-bit
hexadecimal blocks separated by colons. Leading zeros in each 16-bit
field are optional, and successive fields of zeros can be represented
by double colons, but only once; for example 1:2::3:4 is
equivalent to 0001:0002:0000:0000:0000:0000:0003:0004.
- In a mixed IP version 4 and IP version 6 environment, the IP address
can be expressed in the format x:x:x:x:x:x:d.d.d.d, where
the x values are the hexadecimal values of the
six high-order 16-bit pieces of the address, and the d values
are the decimal values of the four low-order 8-bit pieces of the address
in standard IP version 4 representation; for example, 0:0:0:0:0:ABCD:1.2.3.4,
or the equivalent value ::ABCD:1.2.3.4
Note: The value is one of the list of subject's alternate names
that is saved in the subject alternate name extension in the certificate.
|
Alternate other name |
Additional identifier for the alternate name.
See your PKI Services administrator for information about this field. |
Alternate uniform resource identifier (URI) |
Uniform resource identifier for the alternate
name. This is a name or address referring to an Internet resource;
a URL is one kind of uniform resource identifier. This is a text field
of up to 100 characters. Note: The value is one of the list of subject's
alternate names that is saved in the subject alternate name extension
in the certificate.
|
Extended key usage |
This indicates the intended purpose of the certificate.
Possible values are:
- clientauth: Client side authentication
- codesigning: Code signing
- emailprotection: Email protection
- mssmartcardlogon: Smart card logon for Microsoft Windows users
- ocspsigning: OCSP response signing
- serverauth: Server side authentication
- timestamping: Digital timestamping
|
HostIdMapping |
This is the user ID for authorization purposes
in the format: subject-id@host-name. Example: DSmith@ibm.com.
This is a text field of up to 100 characters.
|
Key usage |
The intended purpose of the certificate. Each
possible value is shown in Table 2 with its intended purpose and possible PKIX bits. |
Base64-encoded PKCS #10 certificate request |
|
Base64-encoded PKCS #10 certificate request |
(This is for server or device enrollment only.)
You create a certificate request on behalf of another server (which
could be a z/OS server
or other type of server) or device for which you are requesting a
certificate. You use software specific to that server to generate
the PKCS #10 request before going to the PKI Services Web site.
Save the request in a file. Then open the file in a text editor such
as Windows Notepad and copy
and paste the contents into the text box on the enrollment form. A
text area of 70 columns and 12 rows is allocated for this certificate
request. Here is an example of the certificate request:
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
For a sample of
the enrollment form showing the text box for a PKCS #10 request, see Figure 2.
|
PKI Services internal use fields |
|
Challenge passphrase |
This is the passphrase you entered when requesting
a certificate. You type the same passphrase, exactly as you typed
it on the request form. This is a case-sensitive text field of up
to 32 characters. |
KeySize |
The size of the key pair (public key and private
key) that you want PKI Services to generate for you. |
Label |
The label assigned to the requested certificate.
This is a text field of up to 32 characters. This field applies only
to SAF certificates. |
Notification e-mail address |
E-mail address for notification purposes. This
is a text field of up to 64 characters. Note: If you specify a value
for this parameter and for Mail, the two values must be
the same.
|
Passphrase |
You decide this value when requesting a certificate
(and must later supply this value when retrieving the certificate).
You enter and then reenter this when requesting a certificate. This
is a case-sensitive text field of up to 32 characters. (There is no
minimum number of characters, and you can use any characters, but
alphanumeric characters (A–Z, a–z,
and 0–9) are suggested.) |
Requestor's name |
Your name (for tracking purposes). This can
be in any format, for example, John Smith or John J. Smith. This
is a text field of up to 32 characters. Note: For a PKI generated key
certificate, the requestor name needs to be in the form of an e-mail
address.
|
Transaction ID |
This is assigned after you request your certificate.
When it is displayed, you need to record this number. This is a text
field of up to 56 characters. |
Browser-specific fields |
|
Cryptographic service provider |
(This is for the Internet Explorer browser only.)
The cryptographic service provider to generate your public/private
key pair. You select a value from the drop-down list. Larger keys
are more secure, but they also increase the time that is needed for
connecting to a secure session. |
Key protection |
(This is for the Internet Explorer browser only.) This
asks if you want to enable private key protection. (The drop-down
choices are Yes and No.) |
Key size |
(This is for Mozilla-based browsers only.) This
is the key size for your public/private key pair. Select a value from
the drop-down list. Larger keys are more secure, but they also increase
the time needed for connecting to a secure session. |
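
The following pre-submission check is an added example, not part of the PKI Services documentation. It applies rules stated in the table above: a subject field entered on the form replaces the whole PKCS #10 subject, Mail must equal the notification e-mail address, the length limits hold, and the IP address spellings are equivalent. The dictionary keys and sample values are assumptions made for the example, not PKI Services parameter names.

```python
import ipaddress

# Limits copied from the field table on this page. The keys are names chosen
# for this example; they are not PKI Services parameter names.
MAX_LEN = {"common_name": 64, "org_unit": 64, "org": 64, "country": 2,
           "mail": 64, "notify_email": 64, "alt_domain": 100, "alt_ip": 45}
SUBJECT_RDNS = ("common_name", "org_unit", "org", "country", "mail")


def effective_subject(csr_rdns, form):
    """Return (subject, dropped). If the form sets any subject RDN, the CSR
    subject is ignored and only the form values are in effect."""
    overrides = {k: form[k] for k in SUBJECT_RDNS if form.get(k)}
    if not overrides:
        return dict(csr_rdns), []
    return overrides, sorted(set(csr_rdns) - set(overrides))


def canonical_ip(text):
    """Expand any accepted IPv4/IPv6 spelling to one comparable form."""
    return ipaddress.ip_address(text).exploded


def check_form(csr_rdns, form):
    """List the problems to fix before the enrollment form is submitted."""
    problems = []
    for name, value in form.items():
        limit = MAX_LEN.get(name)
        if limit is not None and len(value) > limit:
            problems.append(f"{name}: longer than {limit} characters")
    _, dropped = effective_subject(csr_rdns, form)
    for rdn in dropped:
        problems.append(f"{rdn}: in the PKCS #10 subject but not on the form, "
                        "so the certificate subject loses it")
    mail, notify = form.get("mail"), form.get("notify_email")
    if mail and notify and mail != notify:
        problems.append("mail and notify_email must be the same")
    if form.get("alt_ip"):
        try:
            canonical_ip(form["alt_ip"])
        except ValueError:
            problems.append("alt_ip: not a valid IPv4 or IPv6 address")
    return problems


# Constructed sample: the CSR carries CN, OU and C; the form changes only OU.
CSR = {"common_name": "www.example.com", "org_unit": "Sales", "country": "US"}
FORM = {"org_unit": "Engineering", "alt_ip": "1:2::3:4"}

if __name__ == "__main__":
    for line in check_form(CSR, FORM):
        print(line)
```

With the constructed sample, the check reports that common name and country would be lost from the subject, which is the case the note on the subject's distinguished name warns about.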