Summary of fields
When you request certificates, you provide information for the
fields in certificate request forms. The following table describes
the fields in the end-user web pages:
Field | Description |
---|---|
Certificate fields | |
Certificate fields related to Subject's Distinguished Name Notes:
|
|
Business Category | The business category. This field is a text field of up to 64 characters. This field is intended for use in Extended Validation (EV) certificates. |
Common name | Your name, such as John Smith. (You can use your first and last name, in that order.) This is a text field of up to 64 characters. For SSL servers, the common name is the server's fully qualified domain name, for example, www.ibm.com. |
Country | The country where your organization is located. This is a 2-character text field. |
Distinguished name qualifier | Specifies information to add to the subject distinguished name of an entry to make it unambiguous. |
Domain component | One component of a domain name associated with the subject distinguished name. For example, the domain name www.ibm.com is represented by 3 components: www, ibm, and com. |
Email address | Email address with attribute EMAIL for the distinguished name. This is a text field of up to 64 characters. |
Jurisdiction Country | The jurisdiction of incorporation country name. This field is a two-character text field. This field is intended for use in Extended Validation (EV) certificates. |
Jurisdiction Location | The jurisdiction of incorporation locality name. This field is a text field of up to 64 characters. This field is intended for use in Extended Validation (EV) certificates. |
Jurisdiction State or Province | The jurisdiction of incorporation state or province name. This field is a text field of up to 64 characters. This field is intended for use in Extended Validation (EV) certificates. |
Locality | The city or municipality where your organization is located, such as Pittsburgh or Paris. This is a text field of up to 64 characters. |
Mail | Email address with attribute MAIL for the distinguished name. This is a text field of up to 64 characters. Restriction: If you specify a value for this parameter and for Notification email address, the two values must be the same. |
Organization | The legally registered name (or trademark name, for example, IBM®) of your organization. This is a text field of up to 64 characters. |
Organizational unit | The name of your division or department. (There can be more than one organizational unit field on a request form. For example, one could be for your department and another for your division.) This is a text field of up to 64 characters. |
Postal code | Your postal code or zip code. This is a text field of up to 64 characters. |
Serial number | Serial number of the subject device. This is a text field of up to 64 characters. |
State or Province | The state or province where your organization is located. Your registration policies determine whether you spell out the full name of the state or province or use an abbreviation. This is a text field of up to 64 characters. |
Street | Your street address. This is a text field of up to 64 characters. |
Title | Your job title. This is a text field of up to 64 characters. |
Unstructured address | The unstructured address of the subject device. |
Unstructured name | The unstructured name of the subject device. |
User ID | The system login name associated with the subject distinguished name. |
Certificate fields related to validity period | |
Not after (date) | A number of days, added to the current date, after which the certificate expires. By default, you can select either one year or two years for the time at which the certificate expires. |
Not before (date) | A number of days, added to the current date (by default, you can select either 0 or 30), before which the certificate is not valid. |
Certificate fields related to extensions | |
Alternate domain name | Domain name for alternate name. This is the host name of the machine where a certificate is installed. This is a text field of up to 100 characters. Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate. |
Alternate email address | Email address for alternate name, including the @ character and any periods (.). This is a text field of up to 100 characters. Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate. |
Alternate IP address | The IP address for the alternate name. This unique IP address specifies the location of each device or workstation on the Internet. PKI Services supports both IP version 4 and IP version 6 addresses. The IP address is a text field of up to 45 characters. Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate. |
Alternate other name | Additional identifier for the alternate name. See your PKI Services administrator for information about this field. |
Alternate uniform resource identifier (URI) | Uniform resource identifier for the alternate name. This is a name or address referring to an Internet resource; a URL is one kind of uniform resource identifier. This is a text field of up to 100 characters. Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate. |
Extended key usage | This indicates the intended purpose of the certificate. Possible values are: |
HostIdMapping | This is the user ID for authorization purposes, in the format subject-id@host-name. Example: DSmith@ibm.com |
Key usage | The intended purpose of the certificate. Each possible value is shown in Table 2 with its intended purpose and possible PKIX bits. |
Base64-encoded PKCS #10 certificate request | |
Base64-encoded PKCS #10 certificate request | (This is for server or device enrollment only.) You create a certificate request on behalf of another server (which could be a z/OS® server or other type of server) or device for which you are requesting a certificate. You use software specific to that server to generate the PKCS #10 request before going to the PKI Services website. Save the request in a file. Then open the file in a text editor such as Windows Notepad and copy and paste the contents into the text box on the enrollment form. A text area of 70 columns and 12 rows is allocated for this certificate request. Here is an example of the certificate request: For a sample of the enrollment form showing the text box for a PKCS #10 request, see Figure 2. |
PKI Services internal use fields | |
Challenge passphrase | This is the passphrase you entered when requesting a certificate. You type the same passphrase, exactly as you typed it on the request form. This is a case-sensitive text field of up to 32 characters. |
KeySize | The size of the key pair (public key and private key) that you want PKI Services to generate for you. |
Label | The label assigned to the requested certificate. This is a text field of up to 32 characters. This field applies only to SAF certificates. |
Notification email address | Email address for notification purposes. This is a text field of up to 64 characters. Note: If you specify a value for this parameter and for Mail, the two values must be the same. |
Passphrase | You decide this value when requesting a certificate (and must later supply this value when retrieving the certificate). You enter and then reenter this when requesting a certificate. This is a case-sensitive text field of up to 32 characters. (There is no minimum number of characters, and you can use any characters, but alphanumeric characters (A–Z, a–z, and 0–9) are suggested.) |
Requestor's name | Your name (for tracking purposes). This can be in any format, for example, John Smith or John J. Smith. This is a text field of up to 32 characters. Note: For a PKI generated key certificate, the requestor name needs to be in the form of an email address. |
Transaction ID | This is assigned after you request your certificate. When it is displayed, you need to record this number. This is a text field of up to 56 characters. |
Browser-specific fields | |
Cryptographic service provider | (This is for the Internet Explorer browser only.) The cryptographic service provider to generate your public/private key pair. You select a value from the drop-down list. Larger keys are more secure, but they also increase the time that is needed for connecting to a secure session. |
Key protection | (This is for the Internet Explorer browser only.) This asks if you want to enable private key protection. (The drop-down choices are Yes and No.) |
Key size | (This is for Mozilla-based browsers only.) This is the key size for your public/private key pair. Select a value from the drop-down list. Larger keys are more secure, but they also increase the time needed for connecting to a secure session. |

KeyUsage value | Intended purpose | PKIX bits |
---|---|---|
certsign | Certificate and CRL signing | keyCertSign and cRLSign |
crlsign | CRL signing | cRLSign |
dataencrypt, dataencipherment, or dataenciph | Data encryption | dataEncipherment |
digitalsig or digitalsignature | Authentication | digitalSignature |
docsign or nonrepudiation | Document signing | nonRepudiation |
handshake | Protocol handshaking (for example, SSL) | digitalSignature and keyEncipherment |
keyagree or keyagreement | Key agreement | keyAgreement |
keycertsign | Certificate signing | keyCertSign |
keyencrypt, keyencipherment, or keyenciph | Key transport | keyEncipherment |
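
A pre-submission check built from the two tables above, as an added example that is not part of PKI Services or of the original page: it applies the stated length limits and the Mail / Notification email address rule to a dict of form values, and resolves KeyUsage values to the PKIX bits they set. The dict layout and function names are hypothetical; treating Country as exactly two characters and using Python's `ipaddress` parser as a stand-in for the accepted IP notations are assumptions.

```python
import ipaddress

# Maximum lengths from the field table; keys are the page's field names.
_LIMITS = {
    64: "Business Category|Common name|Email address|Jurisdiction Location|"
        "Jurisdiction State or Province|Locality|Mail|Organization|"
        "Organizational unit|Postal code|Serial number|State or Province|"
        "Street|Title|Notification email address",
    100: "Alternate domain name|Alternate email address|"
         "Alternate uniform resource identifier (URI)",
    45: "Alternate IP address",
    32: "Passphrase|Label|Requestor's name",
}
MAX_LEN = {f: n for n, names in _LIMITS.items() for f in names.split("|")}

# KeyUsage values and the PKIX bits each one sets, from the KeyUsage table.
_KU = [("certsign", "keyCertSign cRLSign"), ("crlsign", "cRLSign"),
       ("dataencrypt dataencipherment dataenciph", "dataEncipherment"),
       ("digitalsig digitalsignature", "digitalSignature"),
       ("docsign nonrepudiation", "nonRepudiation"),
       ("handshake", "digitalSignature keyEncipherment"),
       ("keyagree keyagreement", "keyAgreement"), ("keycertsign", "keyCertSign"),
       ("keyencrypt keyencipherment keyenciph", "keyEncipherment")]
KEY_USAGE_BITS = {v: set(b.split()) for vs, b in _KU for v in vs.split()}

def key_usage_bits(values):
    """Union of the PKIX bits implied by a list of KeyUsage values."""
    unknown = [v for v in values if v not in KEY_USAGE_BITS]
    if unknown:
        raise ValueError(f"unknown KeyUsage value(s): {unknown}")
    return set().union(*(KEY_USAGE_BITS[v] for v in values))

def check_request(form):
    """Return the problems found in a dict of field name -> text value."""
    problems = [f"{f}: longer than {MAX_LEN[f]} characters"
                for f, v in form.items() if f in MAX_LEN and len(v) > MAX_LEN[f]]
    if "Country" in form and len(form["Country"]) != 2:
        problems.append("Country: must be 2 characters")
    if "Alternate IP address" in form:
        try:  # assumption: Python's parser stands in for the accepted notations
            ipaddress.ip_address(form["Alternate IP address"])
        except ValueError:
            problems.append("Alternate IP address: not an IPv4 or IPv6 address")
    mail, notify = form.get("Mail"), form.get("Notification email address")
    if mail is not None and notify is not None and mail != notify:
        problems.append("Mail and Notification email address must be the same")
    return problems

SAMPLE = {"Common name": "www.example.com", "Country": "USA",  # constructed input
          "Mail": "a@example.com", "Notification email address": "b@example.com"}
```

Resolving the values before submitting shows exactly which bits a request asks for: `certsign` and `handshake` each set two bits, not one.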