The tables in this topic summarize the fields contained in each
certificate template that PKI Services provides.
| Certificate templates | Fields |
|---|---|
| Fields in the PKI browser certificate templates | Table 1 |
| Fields in the PKI server certificate templates | Table 2 |
| Fields in the SAF (browser and server), SCEP, and PKI generated key certificate templates | Table 3 |
Table 1, Table 2, and Table 3 identify each template field as one of the following:
- Required
- Optional
- Provided by the application
- Constant (supplied value is shown)
- Blank (field is not present in either the CONTENT or CONSTANT section)
Table 1. Summary of fields for PKI browser certificate templates

| Field name | One-year PKI SSL browser | One-year PKI S/MIME browser | Two-year PKI browser for z/OS® | Two-year PKI Windows logon certificate | n-year PKI browser extensions demonstration |
|---|---|---|---|---|---|
| AltDomain | | | | | Optional |
| AltEmail | | Required | | Optional | |
| AltIPAddr | | | | | Optional |
| AltOther_OID | | | | Constant (note 1) | Optional |
| AltURI | | | | | Optional |
| AuthInfoAcc | | | | | Constant (note 2) |
| BusinessCat | | | | | |
| CertPolicies | | | | | Constant: 1 |
| ClientName | | | | | |
| CommonName | Required | | Constant (note 3) | Optional | |
| Country | | | | | Optional |
| Critical | | | | | |
| CustomExt | | | | | Optional |
| DomainName | | | | | Optional |
| DNQualifier | | | | | Optional |
| EmailAddr | | | | | Optional |
| ExtKeyUsage | Constant: clientauth | | Constant: clientauth | Constants: clientauth and mssmartlogon | Optional |
| HostIdMap (note 4) | | | Application provides | | Optional |
| JurCountry | | | | | |
| JurLocality | | | | | |
| JurStateProv | | | | | |
| KeySize | | | | | |
| KeyUsage | Constant: handshake | | | Constant: digitalSig | Required |
| Label | | | | | Optional |
| Locality | | | | | Optional |
| Mail (previously called Email) | | | | | Optional |
| NotAfter | Constant: 365 | | Constant: 730 | | Optional |
| NotBefore | Constant: 0 | | | | Optional |
| NotifyEmail | Optional | | | | |
| Org | Constant: The Firm | | | | Optional |
| OrgUnit | Constant: Class 1 Internet Certificate CA | | | | Required |
| OrgUnit2 | | | | | Optional |
| PassPhrase | Required | | | | |
| PostalCode | | | | | Optional |
| PublicKey | Browser provided (note 5) | | | | |
| PublicKey2 | | | | Browser provided (note 5) | |
| Requestor | Optional | | | | |
| SerialNumber | | | | | Optional |
| SignWith | Constant: PKI: | | | | |
| StateProv | | | | | Optional |
| Street | | | | | Optional |
| Title | | | | | Optional |
| Uid | | | | | Optional |
| UnstructAddr | | | | | Optional |
| UnstructName | | | | | Optional |
| UserId | | | Application provides | | |

Note:
1. The constant value is _1_3_6_1_4_1_311_20_2_3.
2. The constant value is OCSP,URL=https://IV.OCSP.BankXYZ.com.
3. Although CommonName is a constant, no value is assigned to it. This indicates that RACF® must determine the value. The user authenticates by specifying a user ID and password. (If UserId is listed in the APPL section, this means the application provides the user ID and password.) Providing the user ID and password enables RACF to look up the CommonName value in the user's profile.
4. The HostIdMap value is formed by concatenating UserId with @host-name.
5. The PublicKey and PublicKey2 fields are coded with the browsertype substitution variable.
Table 2. Summary of fields for PKI server certificate templates

| Field name | Two-year EV SSL server | Two-year PKI Authenticode code signing server | Five-year PKI SSL server | Five-year PKI IPSEC server (firewall) | Five-year PKI intermediate CA server |
|---|---|---|---|---|---|
| AltDomain | Optional | | Optional | | |
| AltEmail | Optional | Required | Optional | | |
| AltIPAddr | Optional | | Optional | | |
| AltOther_OID | | | | | |
| AltURI | Optional | | Optional | | |
| AuthInfoAcc | | Constant (note 1) | | | |
| BusinessCat | Optional | | | | |
| CertPolicies | | Constant: 1 | | | |
| ClientName | | | | | |
| CommonName | Required | Constant: My Company Code Signing Certificate | Optional | | |
| Country | Required | | Optional | | |
| Critical | | Constant: ExtKeyUsage | | | |
| CustomExt | | | | | |
| DNQualifier | | | | | |
| DomainName | | | | | |
| EmailAddr | | | | | |
| ExtKeyUsage | | Constant: codesigning | Constant: serverauth | | |
| HostIdMap (note 2) | | | | | |
| JurCountry | Required | | | | |
| JurLocality | Optional | | | | |
| JurStateProv | Optional | | | | |
| KeySize | | | | | |
| KeyUsage | | Constants: digitalsig and docsign | Constant: handshake | Constants: handshake and dataencrypt | Constant: certsign |
| Label | | | | | |
| Locality | Required | | Optional | | |
| Mail (previously called Email) | Optional | | | | |
| NotAfter | | Constant: 730 | Constant: 1825 | | |
| NotBefore | | Constant: 0 | | | |
| NotifyEmail | Optional | Required | | Optional | |
| Org | Required | Constant: The Firm | Optional | | |
| OrgUnit | Required | Optional | | | |
| OrgUnit2 | | | Optional | | |
| PassPhrase | Required | | | | |
| PostalCode | Optional | | Optional | | |
| PublicKey | Required | | | | |
| PublicKey2 | | | | | |
| Requestor | Optional | | | | |
| SerialNumber | Required | | | | |
| SignWith | | Constant: PKI: | | | |
| StateProv | Required | | Optional | | |
| Street | Optional | | Optional | | |
| Title | | | | | |
| Uid | | | | | |
| UnstructAddr | | | | | |
| UnstructName | | | | | |
| UserId | | | | | Application provides |

Note:
1. The constant value is OCSP,URL=https://ocsp.vendor.com.
2. The HostIdMap value is formed by concatenating UserId with @host-name.
Table 3. Summary of fields for SAF, SCEP, and PKI generated key certificate templates

| Field name | One-year SAF server | One-year SAF browser | Five-year SCEP preregistration | One-year PKI generated key |
|---|---|---|---|---|
| AltDomain | Optional | | | |
| AltEmail | Optional | | | |
| AltIPAddr | Optional | | | |
| AltOther_OID | | | | |
| AltURI | Optional | | Optional | |
| AuthInfoAcc | | | | |
| BusinessCat | | | | |
| CertPolicies | | | | |
| ClientName | | | Required | |
| CommonName | Optional | Constant (note 1) | Optional | Required |
| Country | Required | Constant: US | Optional | |
| Critical | | | | |
| CustomExt | | | | |
| EmailAddr | | | Optional | |
| ExtKeyUsage | | | Optional | |
| HostIdMap (note 2) | | | Optional | |
| JurCountry | | | | |
| JurLocality | | | | |
| JurStateProv | | | | |
| KeySize | | | | Required |
| KeyUsage | | | Optional | Constant: handshake |
| Label | Required | | Optional | |
| Locality | Optional | | Optional | |
| Mail (previously called Email) | | | Optional | |
| NotAfter | Constant: 365 | | Constant: 1825 | Constant: 365 |
| NotBefore | Constant: 0 | | | |
| NotifyEmail | | | Optional | |
| Org | Required | Constant: The Firm | Optional | Constant: The Firm |
| OrgUnit | Required | Constants: OrgUnit=SAF template certificate and OrgUnit=Nuts and Bolts Division | Optional | Constant: Class 1 Internet Certificate CA |
| OrgUnit2 | Optional | | Optional | |
| PassPhrase | | | Required | Required |
| PostalCode | | | Optional | |
| PublicKey | Required (note 3) | Browser provided (note 4) | Optional | |
| PublicKey2 | | | | |
| Requestor | | | Optional | Required |
| SerialNumber | | | Optional | |
| SignWith | Constant: SAF:CERAUTH/taca | | Constant: PKI: | Constant: PKI: |
| StateProv | Optional | | Optional | |
| Street | | | Optional | |
| Title | | | Optional | |
| UnstructAddr | | | Optional | |
| UnstructName | | | Optional | |
| UserId | Application provides | | | |

Note:
1. Although CommonName is a constant, no value is assigned to it. This indicates that RACF must determine the value. The user authenticates by specifying a user ID and password. (If UserId is listed in the APPL section, this means the application provides the user ID and password.) Providing the user ID and password enables RACF to look up the CommonName value in the user's profile.
2. The HostIdMap value is formed by concatenating UserId with @host-name.
3. The PublicKey is the PKCS #10 request.
4. The PublicKey field is coded with the browsertype substitution variable.