AltDomain |
The host name of the machine where a certificate
will be installed. This is a text field of up to 100 characters. The
field can be repeated. Note: The value is one of the list of subject's
alternate names that is saved in the subject alternate name extension
in the certificate.
|
AltEmail |
The user's e-mail address, including the @ character
and any periods (.). This is a text field of up to
100 characters. The field can be repeated. Note: The value is one of
the list of subject's alternate names that is saved in the subject
alternate name extension in the certificate.
|
AltIPAddr |
The unique IP address that specifies the location
of the server or device on the Internet. The field can be repeated. PKI Services supports
both IP version 4 and IP version 6 addresses. The IP address is a
text field of up to 45 characters.
- For IP version 4, the IP address is in dotted decimal format;
for example, 9.67.97.103.
- For IP version 6, the IP address is divided into eight 16-bit
hexadecimal blocks separated by colons. Leading zeros in each 16-bit
field are optional, and successive fields of zeros can be represented
by double colons, but only once; for example 1:2::3:4 is
equivalent to 0001:0002:0000:0000:0000:0000:0003:0004.
- In a mixed IP version 4 and IP version 6 environment, the IP address
can be expressed in the format x:x:x:x:x:x:d.d.d.d, where
the x values are the hexadecimal values of the
six high-order 16-bit pieces of the address, and the d values
are the decimal values of the four low-order 8-bit pieces of the address
in standard IP version 4 representation; for example, 0:0:0:0:0:ABCD:1.2.3.4,
or the equivalent value ::ABCD:1.2.3.4.
Note: The value is one of the list of subject's alternate names
that is saved in the subject alternate name extension in the certificate.
|
AltOther 1 |
A free form value for the other name of the
subject's alternate name. Unlike the other INSERTs, you must customize
it before you use it. The name of this INSERT consists of the string AltOther,
concatenated with an underscore (_), then followed
by the OID, specified in the following format: AltOther_1_2_3_4_5.
(See Customizing the OtherName field.) You can have more than one
input field but the total length of these fields together with the
length of the OID and the comma cannot exceed 255 bytes. The resulting
AltOther field is built by concatenating the dotted-decimal OID that
matches the INSERT name, a comma, and the value of the input field.
This is a text field of up to 255 characters.
Note: The value is
one of the list of subject's alternate names that is saved in the
subject alternate name extension in the certificate.
|
AltURI |
A name or address referring to an Internet resource;
a URL is one kind of uniform resource identifier. This is a text field
of up to 100 characters. The field can be repeated. Note: The value
is one of the list of subject's alternate names that is saved in the
subject alternate name extension in the certificate.
|
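The five INSERTs above (AltDomain, AltEmail, AltIPAddr, AltURI and AltOther) all land in the certificate's subject alternate name extension, so the enrollment front end should check them before the request reaches the CA. The following is an added example written for this page, not PKI Services code: it validates each of these inputs against the rules stated above (the 100- and 45-character limits, the @ in AltEmail, the IPv4, IPv6 and mixed address forms, and the OID-comma-value construction with its 255-byte cap for AltOther). The function names, messages and sample values are assumptions; Python's standard ipaddress module does the address parsing.

```python
import ipaddress
import re

# Limits the page states for the subject-alternate-name INSERTs. The INSERT
# names are the page's; the function names, messages and samples are assumed.
ALT_TEXT_LIMITS = {"AltDomain": 100, "AltEmail": 100, "AltURI": 100}
ALT_IP_LIMIT = 45
ALT_OTHER_LIMIT_BYTES = 255
# AltOther INSERT names carry the OID with underscores: AltOther_1_2_3_4_5
ALT_OTHER_NAME = re.compile(r"^AltOther_(\d+(?:_\d+)+)$")


def normalize_alt_ip_addr(value):
    """Return the fully expanded form of an AltIPAddr value, or raise ValueError.

    ipaddress applies the rules the page describes: dotted decimal for IPv4;
    for IPv6, eight 16-bit hexadecimal blocks, optional leading zeros, '::'
    at most once, and an optional d.d.d.d tail for the mixed notation.
    """
    if len(value) > ALT_IP_LIMIT:
        raise ValueError(f"AltIPAddr exceeds {ALT_IP_LIMIT} characters")
    return ipaddress.ip_address(value).exploded


def normalize_alt_text(insert, value):
    """Apply the 100-character limit shared by AltDomain, AltEmail and AltURI."""
    limit = ALT_TEXT_LIMITS[insert]
    if len(value) > limit:
        raise ValueError(f"{insert} exceeds {limit} characters")
    if insert == "AltEmail" and "@" not in value:
        raise ValueError("AltEmail must contain the @ character")
    return value


def build_alt_other(insert_name, value):
    """Build the OtherName value: the dotted-decimal OID taken from the INSERT
    name, a comma, then the field value. OID, comma and value together must
    not exceed 255 bytes (measured here as UTF-8, an assumption)."""
    match = ALT_OTHER_NAME.match(insert_name)
    if not match:
        raise ValueError("AltOther INSERTs must be named AltOther_<OID with underscores>")
    oid = match.group(1).replace("_", ".")
    result = f"{oid},{value}"
    if len(result.encode("utf-8")) > ALT_OTHER_LIMIT_BYTES:
        raise ValueError(f"AltOther value exceeds {ALT_OTHER_LIMIT_BYTES} bytes")
    return result


def validate_san_insert(insert_name, value):
    """Dispatch on the INSERT name. Returns (True, normalized value) when the
    input is acceptable and (False, reason) otherwise, so a form handler can
    report the problem instead of forwarding bad input to the CA."""
    try:
        if insert_name == "AltIPAddr":
            return True, normalize_alt_ip_addr(value)
        if insert_name in ALT_TEXT_LIMITS:
            return True, normalize_alt_text(insert_name, value)
        if insert_name.startswith("AltOther"):
            return True, build_alt_other(insert_name, value)
    except ValueError as exc:
        return False, str(exc)
    return False, f"not a subject-alternate-name INSERT: {insert_name}"


if __name__ == "__main__":
    # Constructed sample inputs; the three IP addresses are the page's examples.
    samples = [
        ("AltIPAddr", "9.67.97.103"),
        ("AltIPAddr", "1:2::3:4"),
        ("AltIPAddr", "::ABCD:1.2.3.4"),
        ("AltIPAddr", "1::2::3"),            # '::' used twice: rejected
        ("AltEmail", "jsmith@example.com"),
        ("AltEmail", "jsmith.example.com"),  # no @: rejected
        ("AltOther_1_2_3_4_5", "device-42"),
        ("AltOther_1_2_3_4_5", "x" * 250),   # OID + comma + value > 255 bytes
    ]
    for name, val in samples:
        print(f"{name:<20} {val[:24]:<24} -> {validate_san_insert(name, val)}")
```

Returning a (flag, detail) pair rather than raising keeps the decision about what to show the user in one place; the expanded IPv6 form is what should be compared against any allow-list, since 1:2::3:4 and its zero-padded spelling name the same address.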
BusinessCat |
The business category. This is a text field
of up to 64 characters. Note: This field is intended for
use in certificates that follow the criteria for Extended Validation
(EV) certificates. For more information about the criteria, see the
Guidelines for Extended Validation Certificates produced by the CA/Browser
Forum, at http://www.cabforum.org/Guidelines_v1_3.pdf.
|
ChallengePassPhrase 1 |
The passphrase the user entered when requesting
a certificate. The user types the same passphrase, exactly as entered
on the request form. This is a case-sensitive text field of up to
32 characters. |
ClientName 1 |
Name of the person or device being preregistered.
This is a text field of up to 64 characters. Restriction: The
first 32 characters of the name must be unique, irrespective of case,
for each preregistered user.
|
CommonName |
For browser certificates, this is your name,
such as John Smith. (You can use your first and last name, in that
order.) For server certificates, this is the name by which the server's
administrator wants it to be known. For SSL servers, the SSL protocol
requires the CommonName to be the fully qualified domain name of the
server, for example, www.ibm.com. CommonName is a
text field of up to 64 characters. Although CommonName is a constant,
no value is assigned to it. This indicates that RACF® must determine the value. The user authenticates
by specifying a user ID and password. (If UserId is
listed in the APPL section, this means the application provides the
user ID and password.) Providing the user ID and password enables RACF to look up the CommonName
value in the user's profile.
Note: The value is one of the relative
distinguished names that is saved in the subject's distinguished name
in the certificate.
|
Country |
The country where your organization is located.
This is a 2-character text field. Note: The value is one of the relative
distinguished names that is saved in the subject's distinguished name
in the certificate.
|
CustomExt |
A custom certificate extension. Use this field
to support extensions that PKI Services does not otherwise support.
This is a repeatable field. For more information, see Adding custom extensions to certificates. |
DNQualifier1 |
The subject's distinguished name qualifier.
This is a text field of up to 64 characters. |
DomainName1 |
The subject's domain name. It contains all the
domain name components in the form <domain component1>.<domain
component2>. ... .<domain componentn>. This
is a text field of up to 64 characters. |
Email 1 |
This is a deprecated insert for the e-mail address
for the distinguished name; use the Mail insert instead. This is a
text field of up to 64 characters. Note: The value is one of the relative
distinguished names that is saved in the subject's distinguished name
in the certificate.
|
EmailAddr 1 |
The e-mail address for the distinguished name.
This is a text field of up to 64 characters. Note: The value is one
of the relative distinguished names that is saved in the subject's
distinguished name in the certificate.
|
ExtKeyUsage 1 |
The intended purpose of the certificate. Possible
values are:
- clientauth: Client side authentication
- codesigning: Code signing
- emailprotection: E-mail protection
- mssmartcardlogon: Microsoft Smartcard logon
- ocspsigning: OCSP response signing
- serverauth: Server side authentication
- timestamping: Digital timestamping
|
HostIdMap 1 |
This is the user ID for authorization purposes,
in an e-mail type of format: subject-id@host-name
For
example, this could be dsmith@ibm.com. This is a
text field of up to 100 characters. There are three ways to use %%HostIdMap%%:
- If you place it in the CONTENT section, the end user can specify
the value (or values, because it can be repeated).
- You can also place it in the APPL section that the application
provides. If you do so, it should have the following form:
%%HostIdMap=@host-name%%
The host-name is
the hardcoded system name for the current system. The application
provides the user ID as the user entered it when prompted for user
ID and password. Note that, for this to function properly, the IBM HTTP Server protection
scheme for the request must force a prompt for user ID and password.
Thus, only one HostIdMap is provided using this method.
- A third way to specify HostIdMap is to place %%HostIdMap%% in
the ADMINAPPROVE section. This allows the administrator to fill in
the value when approving the certificate request. See Administering HostIdMappings extensions for more information.
|
InstallCert |
(This field is for the Internet Explorer browser
only.) This field contains script for producing a window that installs
an automatically-renewed certificate copied from an email notification. |
JurCountry |
The jurisdiction of incorporation country name.
This is a two-character text field. Note: This field is
intended for use in certificates that follow the criteria for Extended
Validation (EV) certificates. For more information about the criteria,
see the Guidelines for Extended Validation Certificates produced by
the CA/Browser Forum, at http://www.cabforum.org/Guidelines_v1_3.pdf.
|
JurLocality |
The jurisdiction of incorporation locality name.
This is a text field of up to 64 characters. Note: This
field is intended for use in certificates that follow the criteria
for Extended Validation (EV) certificates. For more information about
the criteria, see the Guidelines for Extended Validation Certificates
produced by the CA/Browser Forum, at http://www.cabforum.org/Guidelines_v1_3.pdf.
|
JurStateProv |
The jurisdiction of incorporation state or province
name. This is a text field of up to 64 characters. Note: This
field is intended for use in certificates that follow the criteria
for Extended Validation (EV) certificates. For more information about
the criteria, see the Guidelines for Extended Validation Certificates
produced by the CA/Browser Forum, at http://www.cabforum.org/Guidelines_v1_3.pdf.
|
KeyProt 1 |
(This field is for the
Internet Explorer browser only.) This field asks
if the user wants to enable strong private key protection. The drop-down
choices are Yes and No. |
KeySize |
The size of the keys (public key and private
key) in bits, if they are to be generated by PKI Services. Valid
values for each key type are:
- RSA: 512, 1024, 2048, 4096
- NISTECC: 192, 224, 256, 384, 521
- BPECC: 160, 192, 224, 256, 320, 384, 512
|
KeyUsage |
The intended purpose of the certificate. Each
possible value is shown in Table 2 with
its intended purpose and possible PKIX bits. |
Label 2 |
The label assigned to the requested certificate.
This is a text field of up to 32 characters. |
Locality |
The city or municipality where your organization
is located, such as Pittsburgh or Paris. This is a text field of up
to 64 characters. Note: The value is one of the relative distinguished
names that is saved in the subject's distinguished name in the certificate.
|
Mail 1 |
The email address for the distinguished name.
This is a text field of up to 64 characters. Note: The value is one
of the relative distinguished names that is saved in the subject's
distinguished name in the certificate.
|
NotBefore |
Number of days (0 - 30) before the certificate
becomes valid. |
NotAfter |
Number of days (1 - 9999) that the certificate
is current. For example, 365 for a one-year certificate. |
NotifyEmail 1 |
The e-mail address for notification purposes.
If automatic certificate renewal is in effect, this is the e-mail
address to which PKI Services sends
the certificate when it is automatically renewed. This is a text field
of up to 64 characters.
Note:
- When a certificate is created and posted to LDAP, the NotifyEmail
value, if specified, is posted as the MAIL attribute. If the MAIL
attribute already exists in that directory entry, its value is replaced
by the new value. If both NotifyEmail and Email appear on one request,
they must have the same value.
- If a certificate for which PKI Services generated
the keys is renewed, the NotifyEmail field is ignored, and the renewed
certificate is sent to the requestor's email address.
|
Org |
Organization. The legally registered name (or
trademark name, for example, IBM®)
of your organization. This is a text field of up to 64 characters. Note: The
value is one of the relative distinguished names that is saved in
the subject's distinguished name in the certificate.
|
OrgUnit |
The name of your division or department. This
is a text field of up to 64 characters. Note: The value is one of
the relative distinguished names that is saved in the subject's distinguished
name in the certificate.
|
OrgUnit2 |
The name of your division or department. (There
can be more than one organizational unit field on a request form.
For example, one could be for your department and another for your
division.) This is a text field of up to 64 characters. Note: The
value is one of the relative distinguished names that is saved in
the subject's distinguished name in the certificate.
|
PassPhrase 1 |
The user decides this and enters and then reenters
it when requesting a certificate (and must later supply this value
when retrieving the certificate). This is a case-sensitive text field
of up to 32 characters. There is no minimum number of characters,
and the user can use any characters, but alphanumeric characters (A - Z, a - z,
and 0 - 9) are suggested. |
PostalCode 1 |
The zip code or postal code. This is a text
field of up to 64 characters. Note: The value is one of the relative
distinguished names that is saved in the subject's distinguished name
in the certificate.
|
PublicKey |
The base64-encoded PKCS #10 certificate request. (This is for server or
device enrollment only.) You create a certificate request on behalf
of another server (which could be a z/OS server or
other type of server) or device for which you are requesting a certificate.
You use software specific to that server to generate the PKCS #10 request
before going to the PKI Services Web site.
Save the request in a file. Then open the file in a text editor such
as Windows Notepad and copy and paste the contents into the text box on the enrollment form.
A text area of 70 columns and 12 rows is allocated for this certificate
request. Here is an example of the certificate request:
-----BEGIN NEW CERTIFICATE REQUEST-----
…
-----END NEW CERTIFICATE REQUEST-----
|
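A request pasted from Notepad arrives with CRLF line endings, possibly stray blank lines, and sometimes a damaged base64 body, so it is worth checking the envelope before the form hands it on. The following is an added example written for this page, not PKI Services code: it strips the PEM armor shown above (accepting both the NEW CERTIFICATE REQUEST label and the plain CERTIFICATE REQUEST label, as long as BEGIN and END match), decodes the base64 strictly, and confirms that the bytes form one DER SEQUENCE whose declared length matches the body. The function names and the sample request body are assumptions; the sample is a constructed DER SEQUENCE, not a real PKCS #10 request.

```python
import base64
import re

# Added example for the PublicKey INSERT: envelope checks a front end can apply
# to a pasted PKCS #10 request before handing it to the CA. Not PKI Services
# code; function names and the sample request below are assumptions.
BEGIN_RE = re.compile(r"^-----BEGIN ((?:NEW )?CERTIFICATE REQUEST)-----$")


def pem_request_to_der(text):
    """Strip the PEM armor from a pasted request and return the DER bytes.

    Tolerates CRLF line endings and blank lines from a Notepad paste; accepts
    both the 'NEW CERTIFICATE REQUEST' label shown on the page and the plain
    'CERTIFICATE REQUEST' label, but the END line must match the BEGIN line.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("expected a BEGIN line, a base64 body and an END line")
    match = BEGIN_RE.match(lines[0])
    if not match:
        raise ValueError("missing -----BEGIN CERTIFICATE REQUEST----- line")
    if lines[-1] != f"-----END {match.group(1)}-----":
        raise ValueError("END line does not match the BEGIN line")
    # validate=True rejects characters outside the base64 alphabet instead
    # of silently discarding them.
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def der_sequence_header(der):
    """Return (header length, content length) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("request does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2, first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def validate_pkcs10_paste(text):
    """Return (True, der_bytes) for a well-formed paste, else (False, reason).

    Only the envelope is checked here (armor, base64, outer SEQUENCE length);
    verifying the self-signature over the CertificationRequestInfo is the CA's job.
    """
    try:
        der = pem_request_to_der(text)
        header_len, content_len = der_sequence_header(der)
        if header_len + content_len != len(der):
            raise ValueError("DER length does not match the decoded body")
        return True, der
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        return False, str(exc)


# Constructed stand-in for a request body: a DER SEQUENCE holding one INTEGER.
# It is not a real PKCS #10 request, only enough to exercise the checks above.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\r\n-----END NEW CERTIFICATE REQUEST-----\r\n"
)

if __name__ == "__main__":
    print(validate_pkcs10_paste(SAMPLE_PEM))                               # accepted
    print(validate_pkcs10_paste(SAMPLE_PEM.replace("END NEW", "END")))     # label mismatch
    print(validate_pkcs10_paste(SAMPLE_PEM.replace("MAMC", "MAM?")))       # bad base64
```

The outer-length check catches the common paste failure where the body was cut off mid-way: the SEQUENCE header still promises the full length, but fewer bytes follow it.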
PublicKeyIE 1 |
(This field is for the
Internet Explorer browser only.) This is the cryptographic service
provider. The user selects a value from a drop-down list (Microsoft Base Cryptographic Provider or Microsoft Enhanced Cryptographic
Provider). |
PublicKeyNS 1 |
(This field is for Mozilla-based
browsers only.) This is the key size for your public/private key pair.
The user selects a value from the drop-down list. Larger keys are
more secure, but they also increase the time needed for connecting
to a secure session. |
PublicKey2IE |
(This field is for the Internet Explorer browser
only.) This field is the smart card cryptographic service provider.
The user selects a smart card provider from a list. |
PublicKey2NS |
(This field is for Mozilla-based browsers only.)
This field is the keygen HTML tag. It displays a menu of key sizes
from which the user must choose one. When the user clicks submit,
a key pair of the selected size is generated. |
RecoverEmail, RecoverEmail2 |
This field is used to recover a certificate
whose keys were generated by PKI Services. It contains
the email address of the requestor. |
Requestor 1 |
The user's name, used for tracking the request.
This can be in any format, for example, John Smith or John J. Smith.
(This can differ from the common name, especially if the request is
for a server certificate.) The value is saved with the request and
issued certificate, but it is not a field in the created certificate.
The default value is taken from the leftmost RDN in the subject's distinguished
name, truncated to 32 characters. |
Requestor2 |
The email address of the requestor. This field
is used to request a certificate with a key pair generated by PKI Services, and to retrieve
such a certificate. |
Security1, Security2, … Securityn |
Security questions used to assist recovering
a certificate whose keys were generated by PKI Services. These fields
can be used by the GENCERT, REQCERT and QRECOVER exits. You can have
as many of these fields as you want, but the number you have must
match the number that your exits handle. The fields should be numbered
in order, beginning with Security1. |
SerialNumber 1 |
Serial number of the subject device. This is
a text field of up to 64 characters. |
SignWith |
For PKI, the component; for SAF, the component
and key label used to sign this certificate. This indicates the provider
for certificate generation. This is a text field of up to 45 characters.
It can be SAF or PKI Services, as shown in the following examples.
Examples:
"SAF:CERTAUTH/Local CA Cert"
"PKI:"
For SAF, the label of the signing certificate
must be included. The first example shows the SignWith field in a
SAF template. It includes the signing certificate, a CERTAUTH certificate
labeled 'Local CA Cert'.
For PKI, it is an
error to include the signing certificate. The second example shows
the SignWith field in a PKI template. Notice that this contains no
signing certificate.
|
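The SignWith rule above is easy to get wrong when editing a template by hand: a SAF value must name the signing certificate, a PKI value must not. The following is an added example written for this page, not PKI Services code, that parses a SignWith value and enforces exactly those two constraints plus the 45-character limit. The two example values are the page's; the function names, messages, and the reading of the SAF form as SAF:<owner>/<label> (CERTAUTH being the owner in the page's example) are assumptions.

```python
import re

# Added example for the SignWith INSERT. The two example values are the
# page's; the function names, messages and the general <owner>/<label>
# reading of the SAF form are assumptions.
SIGN_WITH_LIMIT = 45
SAF_FORM = re.compile(r"^SAF:(?P<owner>[^/]+)/(?P<label>.+)$")


def parse_sign_with(value):
    """Parse a SignWith value into (provider, owner, label).

    SAF form: 'SAF:<owner>/<label>', e.g. 'SAF:CERTAUTH/Local CA Cert'; the
    signing certificate label is required. PKI form: exactly 'PKI:'; naming a
    signing certificate there is an error, as the page states.
    """
    if len(value) > SIGN_WITH_LIMIT:
        raise ValueError(f"SignWith exceeds {SIGN_WITH_LIMIT} characters")
    if value == "PKI:":
        return ("PKI", None, None)
    if value.startswith("PKI:"):
        raise ValueError("PKI SignWith must not include a signing certificate")
    if value.startswith("SAF:"):
        match = SAF_FORM.match(value)
        if not match or not match.group("label").strip():
            raise ValueError("SAF SignWith needs the signing certificate as <owner>/<label>")
        return ("SAF", match.group("owner"), match.group("label"))
    raise ValueError("SignWith must start with 'SAF:' or 'PKI:'")


def check_sign_with(value):
    """Return (True, parsed tuple) or (False, reason), for use by a template linter."""
    try:
        return True, parse_sign_with(value)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs: the page's two examples plus the mistakes the text warns about.
    for v in ["SAF:CERTAUTH/Local CA Cert", "PKI:", "PKI:CERTAUTH/Local CA Cert",
              "SAF:", "SAF:CERTAUTH/", "LDAP:x"]:
        print(f"{v!r:<32} -> {check_sign_with(v)}")
```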
StateProv |
The state or province where your organization
is located. Your registration policies determine whether you spell
out the full name of the state or province or use an abbreviation.
This is a text field of up to 64 characters. Note: The value is one
of the relative distinguished names that is saved in the subject's
distinguished name in the certificate.
|
Street 1 |
The street address. This is a text field of
up to 64 characters. Note: The value is one of the relative distinguished
names that is saved in the subject's distinguished name in the certificate.
|
Title |
Job title. This is a text field of up to 64
characters. Note: The value is one of the relative distinguished names
that is saved in the subject's distinguished name in the certificate.
|
TransactionId |
PKISERV Web pages assign this after the user
requests a certificate. When it is displayed, the user needs to record
this number. This is a text field of up to 56 characters. |
Uid 1 |
The subject's login ID. This is a text field
of up to 64 characters. |
UnstructAddr 1 |
Unstructured address of the subject device.
This is a text field of up to 64 characters. |
UnstructName 1 |
Unstructured device name. This is a text field
of up to 64 characters. |
UserId |
The owning SAF user ID. This is a text field
of up to 8 characters. |