Summary of fields

When you request certificates, you provide information for the fields in certificate request forms. The following table describes the fields in the end-user web pages:
Table 1. Summary of fields in end-user web pages
Field Description
Certificate fields  
  Certificate fields related to Subject's Distinguished Name
Notes:
  1. The values for these fields are the relative distinguished names (RDNs) that are saved in the subject's distinguished name (DN) in the certificate.
  2. For a server certificate, a base64-encoded PKCS #10 certificate request is required. If you specify one or more of these fields, the subject's distinguished name supplied in the PKCS #10 certificate request is ignored and only the fields you specify are in effect. For example, suppose that the subject's distinguished name specified in the PKCS #10 certificate request contains three RDNs - common name, organizational unit, and country. If you specify a value for organizational unit, you must also specify values for common name and country, even though you are not changing them. If you do not, these two RDNs have no values.
Business Category The business category. This field is a text field of up to 64 characters.

This field is intended for use in Extended Validation (EV) certificates.

Common name Your name, such as John Smith. (You can use your first and last name, in that order.) This is a text field of up to 64 characters.

For SSL servers, the common name is the server's fully qualified domain name, for example, www.ibm.com.

Country The country where your organization is located. This is a 2-character text field.
Distinguished name qualifier Specifies information to add to the subject distinguished name of an entry to make it unambiguous.
Domain component One component of a domain name associated with the subject distinguished name. For example, the domain name www.ibm.com is represented by 3 components: www, ibm, and com.
Email address Email address with attribute EMAIL for the distinguished name. This is a text field of up to 64 characters.
Jurisdiction Country The jurisdiction of incorporation country name. This field is a two-character text field.

This field is intended for use in Extended Validation (EV) certificates.

Jurisdiction Location The jurisdiction of incorporation locality name. This field is a text field of up to 64 characters.

This field is intended for use in Extended Validation (EV) certificates.

Jurisdiction State or Province The jurisdiction of incorporation state or province name. This field is a text field of up to 64 characters.

This field is intended for use in Extended Validation (EV) certificates.

Locality The city or municipality where your organization is located, such as Pittsburgh or Paris. This is a text field of up to 64 characters.
Mail Email address with attribute MAIL for the distinguished name. This is a text field of up to 64 characters.

Restriction: If you specify a value for this parameter and for Notification e-mail address, the two values must be the same.

Organization The legally registered name (or trademark name, for example, IBM®) of your organization. This is a text field of up to 64 characters.
Organizational unit The name of your division or department. (There can be more than one organizational unit field on a request form. For example, one could be for your department and another for your division.) This is a text field of up to 64 characters.
Postal code Your postal code or zip code. This is a text field of up to 64 characters.
Serial number Serial number of the subject device. This is a text field of up to 64 characters.
State or Province The state or province where your organization is located. Your registration policies determine whether you spell out the full name of the state or province or use an abbreviation. This is a text field of up to 64 characters.
Street Your street address. This is a text field of up to 64 characters.
Title Your job title. This is a text field of up to 64 characters.
Unstructured address The unstructured address of the subject device.
Unstructured name The unstructured name of the subject device.
User ID The system login name associated with the subject distinguished name.
Certificate fields related to validity period  
Not after (date) A number of days, added to the current date, after which the certificate expires. By default, you can select either one year or two years for the time at which the certificate expires.
Not before (date) A number of days, added to the current date (by default, you can select either 0 or 30), before which the certificate is not valid.
Certificate fields related to extensions  
Alternate domain name Domain name for alternate name. This is the host name of the machine where a certificate is installed. This is a text field of up to 100 characters.
Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate.
Alternate email address Email address for alternate name, including the @ character and any periods (.). This is a text field of up to 100 characters.
Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate.
Alternate IP address The IP address for the alternate name. This unique IP address specifies the location of each device or workstation on the Internet. PKI Services supports both IP version 4 and IP version 6 addresses. The IP address is a text field of up to 45 characters:
  • For IP version 4, the IP address is in dotted decimal format; for example, 9.67.97.103.
  • For IP version 6, the IP address is divided into eight 16-bit hexadecimal blocks separated by colons. Leading zeros in each 16-bit field are optional, and successive fields of zeros can be represented by double colons, but only once; for example 1:2::3:4 is equivalent to 0001:0002:0000:0000:0000:0000:0003:0004.
  • In a mixed IP version 4 and IP version 6 environment, the IP address can be expressed in the format x:x:x:x:x:x:d.d.d.d, where the x values are the hexadecimal values of the six high-order 16-bit pieces of the address, and the d values are the decimal values of the four low-order 8-bit pieces of the address in standard IP version 4 representation; for example, 0:0:0:0:0:ABCD:1.2.3.4, or the equivalent value ::ABCD:1.2.3.4
Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate.
Alternate other name Additional identifier for the alternate name. See your PKI Services administrator for information about this field.
Alternate uniform resource identifier (URI) Uniform resource identifier for the alternate name. This is a name or address referring to an Internet resource; a URL is one kind of uniform resource identifier. This is a text field of up to 100 characters.
Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate.
Extended key usage This indicates the intended purpose of the certificate. Possible values are:
  • clientauth: Client side authentication
  • codesigning: Code signing
  • emailprotection: Email protection
  • mssmartcardlogon: Smart card logon for Microsoft Windows users
  • ocspsigning: OCSP response signing
  • serverauth: Server side authentication
  • timestamping: Digital timestamping
HostIdMapping This is the user ID for authorization purposes in the format: subject-id@host-name

Example: DSmith@ibm.com
This is a text field of up to 100 characters.

Key usage The intended purpose of the certificate. Each possible value is shown in Table 2 with its intended purpose and possible PKIX bits.
Base64-encoded PKCS #10 certificate request  
Base64-encoded PKCS #10 certificate request (This is for server or device enrollment only.) You create a certificate request on behalf of another server (which could be a z/OS® server or other type of server) or device for which you are requesting a certificate. You use software specific to that server to generate the PKCS #10 request before going to the PKI Services website. Save the request in a file. Then open the file in a text editor such as Windows Notepad and copy and paste the contents into the text box on the enrollment form. A text area of 70 columns and 12 rows is allocated for this certificate request. Here is an example of the certificate request:
-----BEGIN NEW CERTIFICATE REQUEST-----
[base64-encoded request data omitted]
-----END NEW CERTIFICATE REQUEST-----

For a sample of the enrollment form showing the text box for a PKCS #10 request, see Figure 2.

PKI Services internal use fields  
Challenge passphrase This is the passphrase you entered when requesting a certificate. You type the same passphrase, exactly as you typed it on the request form. This is a case-sensitive text field of up to 32 characters.
KeySize The size of the key pair (public key and private key) that you want PKI Services to generate for you.
Label The label assigned to the requested certificate. This is a text field of up to 32 characters. This field applies only to SAF certificates.
Notification email address Email address for notification purposes. This is a text field of up to 64 characters.
Note: If you specify a value for this parameter and for Mail, the two values must be the same.
Passphrase You decide this value when requesting a certificate (and must later supply this value when retrieving the certificate). You enter and then reenter this when requesting a certificate. This is a case-sensitive text field of up to 32 characters. (There is no minimum number of characters, and you can use any characters, but alphanumeric characters (A–Z, a–z, and 0–9) are suggested.)
Requestor's name Your name (for tracking purposes). This can be in any format, for example, John Smith or John J. Smith. This is a text field of up to 32 characters.
Note: For a PKI generated key certificate, the requestor name needs to be in the form of an email address.
Transaction ID This is assigned after you request your certificate. When it is displayed, you need to record this number. This is a text field of up to 56 characters.
Browser-specific fields  
Cryptographic service provider (This is for the Internet Explorer browser only.) The cryptographic service provider to generate your public/private key pair. You select a value from the drop-down list. Larger keys are more secure, but they also increase the time that is needed for connecting to a secure session.
Key protection (This is for the Internet Explorer browser only.) This asks if you want to enable private key protection. (The drop-down choices are Yes and No.)
Key size (This is for Mozilla-based browsers only.) This is the key size for your public/private key pair. Select a value from the drop-down list. Larger keys are more secure, but they also increase the time needed for connecting to a secure session.
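The rules in Table 1 that most often produce a surprising certificate can be checked before a server request is submitted. The following is an added example, not part of PKI Services or of the original page: it flags RDNs that would be lost because form fields replace the whole PKCS #10 subject, enforces the Mail and Notification email address restriction, and validates the Alternate IP address formats. The field keys and function names are hypothetical.

```python
import ipaddress

# Length limits stated in Table 1. Keys are hypothetical names for this example;
# fields whose limit the table does not state are left unchecked.
MAX_LEN = {"common_name": 64, "org_unit": 64, "organization": 64, "locality": 64,
           "state": 64, "country": 2, "mail": 64, "notify_email": 64}
ALT_IP_MAX = 45


def normalize_alt_ip(value):
    """Expand an IPv4, IPv6 or mixed-notation address to one canonical form."""
    if len(value) > ALT_IP_MAX:
        raise ValueError("longer than 45 characters")
    addr = ipaddress.ip_address(value)  # ValueError on malformed input, e.g. two "::"
    return addr.exploded.upper() if addr.version == 6 else str(addr)


def check_request(dn_form, other_form, csr_rdns):
    """Return a list of problems found in a server enrollment.

    dn_form    -- subject DN fields filled in on the form (key -> value)
    other_form -- remaining form fields (notify_email, alt_ip, ...)
    csr_rdns   -- keys of the RDNs present in the PKCS #10 subject
    """
    problems = []
    for key, value in {**dn_form, **other_form}.items():
        if key in MAX_LEN and len(value) > MAX_LEN[key]:
            problems.append(f"{key}: longer than {MAX_LEN[key]} characters")
    # Restriction: Mail and Notification email address must match when both are set.
    mail, notify = dn_form.get("mail"), other_form.get("notify_email")
    if mail and notify and mail != notify:
        problems.append("mail: must be the same as notify_email")
    # Note 2: one DN field on the form replaces the entire PKCS #10 subject.
    given = {key for key, value in dn_form.items() if value}
    if given:
        problems += [f"{key}: in the PKCS #10 subject but absent from the certificate"
                     for key in sorted(set(csr_rdns) - given)]
    if other_form.get("alt_ip"):
        try:
            normalize_alt_ip(other_form["alt_ip"])
        except ValueError as exc:
            problems.append(f"alt_ip: {exc}")
    return problems
```

Comparing normalized values rather than raw strings also catches two alternate names that spell the same IPv6 address differently.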
Table 2. KeyUsage values and their intended purpose and possible PKIX bits
| KeyUsage value | Intended purpose | PKIX bits |
|---|---|---|
| certsign | Certificate and CRL signing | keyCertSign and cRLSign |
| crlsign | CRL signing | cRLSign |
| dataencrypt, dataencipherment, or dataenciph | Data encryption | dataEncipherment |
| digitalsig or digitalsignature | Authentication | digitalSignature |
| docsign or nonrepudiation | Document signing | nonRepudiation |
| handshake | Protocol handshaking (for example, SSL) | digitalSignature and keyEncipherment |
| keyagree or keyagreement | Key agreement | keyAgreement |
| keycertsign | Certificate signing | keyCertSign |
| keyencrypt, keyencipherment, or keyenciph | Key transport | keyEncipherment |
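To review what a request actually asks for, the Table 2 values can be resolved to PKIX bits and to the DER BIT STRING that appears in the issued certificate's KeyUsage extension. The following is an added example, not PKI Services code: the bit positions come from RFC 5280, the function names are hypothetical, and combining several values in one request is an assumption.

```python
# Bit positions of the PKIX KeyUsage named bits (RFC 5280, section 4.2.1.3).
PKIX_BITS = {"digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
             "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5, "cRLSign": 6}

# Table 2: request values (with their aliases) -> PKIX bits.
TABLE_2 = {
    ("certsign",): ("keyCertSign", "cRLSign"),
    ("crlsign",): ("cRLSign",),
    ("dataencrypt", "dataencipherment", "dataenciph"): ("dataEncipherment",),
    ("digitalsig", "digitalsignature"): ("digitalSignature",),
    ("docsign", "nonrepudiation"): ("nonRepudiation",),
    ("handshake",): ("digitalSignature", "keyEncipherment"),
    ("keyagree", "keyagreement"): ("keyAgreement",),
    ("keycertsign",): ("keyCertSign",),
    ("keyencrypt", "keyencipherment", "keyenciph"): ("keyEncipherment",),
}
LOOKUP = {alias: bits for aliases, bits in TABLE_2.items() for alias in aliases}


def pkix_bits(values):
    """Return the PKIX bit names selected by a list of KeyUsage values, in bit order."""
    names = set()
    for value in values:
        if value not in LOOKUP:
            raise ValueError(f"unknown KeyUsage value: {value!r}")
        names.update(LOOKUP[value])
    return sorted(names, key=PKIX_BITS.get)


def der_key_usage(values):
    """Encode the selected bits as the DER BIT STRING of the KeyUsage extension."""
    positions = [PKIX_BITS[name] for name in pkix_bits(values)]
    if not positions:
        raise ValueError("no KeyUsage value given")
    byte = 0
    for pos in positions:
        byte |= 0x80 >> pos               # bit 0 is the most significant bit
    unused = 7 - max(positions)           # DER drops trailing zero bits
    return bytes([0x03, 0x02, unused, byte])


def grants_ca_signing(values):
    """True if the request asks for keyCertSign, which only a CA certificate should hold."""
    return "keyCertSign" in pkix_bits(values)
```

A request for an end-entity certificate where `grants_ca_signing` returns True deserves a second look, because RFC 5280 requires keyCertSign to be paired with the cA basic constraint.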