Named fields in INSERT sections

Most of the following fields are X.509 fields. Table 1 summarizes the named fields in INSERT sections. (See Restrictions at the end of the table.)
Table 1. Named fields in INSERT sections
Field Description
AltDomain The host name of the machine where a certificate is installed. This is a text field of up to 100 characters. The field can be repeated.
Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate.
AltEmail The user's email address, including the @ character and any periods (.). This is a text field of up to 100 characters. The field can be repeated.
Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate.
AltIPAddr The unique IP address that specifies the location of the server or device on the Internet. The field can be repeated. PKI Services supports both IP version 4 and IP version 6 addresses. The IP address is a text field of up to 45 characters.
  • For IP version 4, the IP address is in dotted decimal format; for example, 9.67.97.103.
  • For IP version 6, the IP address is divided into eight 16-bit hexadecimal blocks separated by colons. Leading zeros in each 16-bit field are optional, and successive fields of zeros can be represented by double colons, but only once; for example 1:2::3:4 is equivalent to 0001:0002:0000:0000:0000:0000:0003:0004.
  • In a mixed IP version 4 and IP version 6 environment, the IP address can be expressed in the format x:x:x:x:x:x:d.d.d.d, where the x values are the hexadecimal values of the six high-order 16-bit pieces of the address, and the d values are the decimal values of the four low-order 8-bit pieces of the address in standard IP version 4 representation; for example, 0:0:0:0:0:ABCD:1.2.3.4, or the equivalent value ::ABCD:1.2.3.4.
Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate.
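The three address forms listed for AltIPAddr, implemented as a validator and expander. This is an added example, not code from PKI Services: it accepts dotted-decimal IPv4, colon-hexadecimal IPv6 with at most one "::" run, and the mixed x:x:x:x:x:x:d.d.d.d form, and returns IPv6 in the fully expanded eight-block notation the table uses in its own examples. Rejecting leading zeros in IPv4 octets (such as 010, which some parsers read as octal) is this example's choice, not a rule stated in the table.

```python
"""Validate AltIPAddr values and expand them to the documentation's full form.

Added example; it is not code from PKI Services. It implements the three forms
the AltIPAddr field accepts: dotted-decimal IPv4, colon-hexadecimal IPv6 with
at most one "::" run, and the mixed x:x:x:x:x:x:d.d.d.d form. Rejecting leading
zeros in IPv4 octets is this example's assumption, not a rule from the table.
"""
from __future__ import annotations

import ipaddress
import re

MAX_ALTIPADDR_LEN = 45  # limit stated for the AltIPAddr field
_HEX_BLOCK = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def _parse_ipv4(text: str) -> list[int]:
    """Return the four octets of a dotted-decimal address, or raise ValueError."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"IPv4 address needs four dotted-decimal parts: {text!r}")
    octets = []
    for part in parts:
        ambiguous = len(part) > 1 and part[0] == "0"  # 010: octal or decimal?
        if not part.isdigit() or ambiguous or int(part) > 255:
            raise ValueError(f"bad IPv4 octet {part!r} in {text!r}")
        octets.append(int(part))
    return octets


def _expand_ipv6(text: str) -> list[int]:
    """Return the eight 16-bit blocks of an IPv6 address, expanding one '::'."""
    if text.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {text!r}")
    head, sep, tail = text.partition("::")
    head_parts = head.split(":") if head else []
    tail_parts = tail.split(":") if tail else []

    # Mixed form: a trailing dotted-decimal part stands for the two low blocks.
    trailing = tail_parts if sep else head_parts
    extra: list[int] = []
    if trailing and "." in trailing[-1]:
        o = _parse_ipv4(trailing.pop())
        extra = [(o[0] << 8) | o[1], (o[2] << 8) | o[3]]

    def to_blocks(parts: list[str]) -> list[int]:
        blocks = []
        for part in parts:
            if not _HEX_BLOCK.match(part):
                raise ValueError(f"bad 16-bit hexadecimal block {part!r} in {text!r}")
            blocks.append(int(part, 16))
        return blocks

    head_blocks = to_blocks(head_parts)
    tail_blocks = to_blocks(tail_parts)
    if sep:
        tail_blocks += extra
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:  # '::' must stand for at least one zero block
            raise ValueError(f"too many blocks around '::' in {text!r}")
        return head_blocks + [0] * missing + tail_blocks
    head_blocks += extra
    if len(head_blocks) != 8:
        raise ValueError(f"IPv6 address needs eight blocks: {text!r}")
    return head_blocks


def normalize_alt_ip_addr(value: str) -> str:
    """Validate an AltIPAddr value. IPv4 is returned unchanged; IPv6 (including
    the mixed form) is returned as eight four-digit uppercase blocks."""
    value = value.strip()
    if len(value) > MAX_ALTIPADDR_LEN:
        raise ValueError(f"AltIPAddr is limited to {MAX_ALTIPADDR_LEN} characters")
    if ":" not in value:
        return ".".join(str(o) for o in _parse_ipv4(value))
    expanded = ":".join(f"{b:04X}" for b in _expand_ipv6(value))
    # Cross-check with the standard library so a slip in the hand-written
    # expansion cannot silently accept an address Python would reject.
    if ipaddress.IPv6Address(expanded) != ipaddress.IPv6Address(value):
        raise ValueError(f"expansion of {value!r} does not round-trip")
    return expanded


def is_valid_alt_ip_addr(value: str) -> bool:
    """True when normalize_alt_ip_addr accepts the value."""
    try:
        normalize_alt_ip_addr(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("9.67.97.103", "1:2::3:4", "::ABCD:1.2.3.4", "1::2::3"):
        try:
            print(f"{sample:24} -> {normalize_alt_ip_addr(sample)}")
        except ValueError as err:
            print(f"{sample:24} -> rejected: {err}")
```

The cross-check against `ipaddress` is deliberate: a hand-written parser for a field that ends up in a certificate extension should never be the only thing standing between input and the CA, so any disagreement with the standard parser is treated as a rejection.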
AltOther [1] A free-form value for the other name of the subject's alternate name. Unlike the other INSERTs, you must customize it before you use it. The name of this INSERT consists of the string AltOther, concatenated with an underscore (_), followed by the OID written with underscores in place of dots; for example, AltOther_1_2_3_4_5. (See Customizing the OtherName field.)

You can have more than one input field but the total length of these fields together with the length of the OID and the comma cannot exceed 255 bytes. The resulting AltOther field is built by concatenating the dotted decimal OID that matches the INSERT name, a comma, and the value of the input field. This is a text field of up to 255 characters.

Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate.
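The AltOther construction described above (INSERT name to dotted-decimal OID, then OID, comma and input value, all within 255 bytes), as an added example that is not PKI Services code. Joining several input fields by plain concatenation, and measuring the 255-byte limit in UTF-8 unless another encoding is passed, are this example's assumptions; the table says only that the fields together with the OID and the comma cannot exceed 255 bytes.

```python
"""Build the AltOther subject-alternative-name value from its INSERT name.

Added example; it is not PKI Services code. It derives the dotted-decimal OID
from an INSERT name such as AltOther_1_2_3_4_5, joins the input field values
(plain concatenation of several input fields is this example's assumption),
and enforces the 255-byte limit on OID + comma + input together. The byte
count uses UTF-8 unless another encoding is given (also an assumption).
"""
from __future__ import annotations

import re

ALT_OTHER_MAX_BYTES = 255
_INSERT_NAME = re.compile(r"^AltOther_(\d+(?:_\d+)+)$")  # AltOther_<arc>_<arc>...


def oid_from_insert_name(insert_name: str) -> str:
    """Turn AltOther_1_2_3_4_5 into 1.2.3.4.5, checking basic OID syntax."""
    match = _INSERT_NAME.match(insert_name)
    if not match:
        raise ValueError(f"not an AltOther INSERT name: {insert_name!r}")
    arcs = [int(a) for a in match.group(1).split("_")]
    # OID rule: the first arc is 0, 1 or 2; under 0 or 1 the second arc is below 40.
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID arcs in {insert_name!r}")
    return ".".join(str(a) for a in arcs)


def build_alt_other(insert_name: str, *input_values: str, encoding: str = "utf-8") -> str:
    """Return '<oid>,<input>' for the named INSERT, enforcing the 255-byte limit."""
    oid = oid_from_insert_name(insert_name)
    field = f"{oid},{''.join(input_values)}"
    size = len(field.encode(encoding))
    if size > ALT_OTHER_MAX_BYTES:
        raise ValueError(f"AltOther value is {size} bytes; the limit is {ALT_OTHER_MAX_BYTES}")
    return field


def alt_other_fits(insert_name: str, *input_values: str) -> bool:
    """True when the resulting AltOther value is well formed and within the limit."""
    try:
        build_alt_other(insert_name, *input_values)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_alt_other("AltOther_1_2_3_4_5", "device-", "0042"))
```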
AltURI A name or address referring to an Internet resource; a URL is one type of uniform resource identifier. This is a text field of up to 100 characters. The field can be repeated.
Note: The value is one of the list of subject's alternate names that is saved in the subject alternate name extension in the certificate.
BusinessCat The business category. This is a text field of up to 64 characters.
Note: This field is intended for use in certificates that follow the criteria for Extended Validation (EV) certificates. For more information about the criteria, see the Guidelines for Extended Validation Certificates produced by the CA/Browser Forum, at http://www.cabforum.org/Guidelines_v1_3.pdf.
ChallengePassPhrase [1] The passphrase the user entered when requesting a certificate. The user types the same passphrase, exactly as entered on the request form. This is a case-sensitive text field of up to 32 characters.
ClientName [1] Name of the person or device being preregistered. This is a text field of up to 64 characters.

Restriction: The first 32 characters of the name must be unique, irrespective of case, for each preregistered user.

CommonName For browser certificates, this is your name, such as John Smith. (You can use your first and last name, in that order.) For server certificates, this is the name by which the server's administrator wants it to be known. For SSL servers, the SSL protocol requires the CommonName to be the fully qualified domain name of the server, for example, www.ibm.com. CommonName is a text field of up to 64 characters.

When CommonName is specified as a constant but no value is assigned to it, RACF® must determine the value. The user authenticates by specifying a user ID and password. (If UserId is listed in the APPL section, the application provides the user ID and password.) The user ID and password enable RACF to look up the CommonName value in the user's profile.

Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
Country The country where your organization is located. This is a 2-character text field.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
CustomExt A custom certificate extension. Use this field to support extensions that PKI Services does not otherwise support. This is a repeatable field. For more information, see Adding custom extensions to certificates.
DNQualifier [1] The subject's distinguished name qualifier. This is a text field of up to 64 characters.
DomainName [1] The subject's domain name. It contains all the domain name components in the form <domain component 1>.<domain component 2>. ... .<domain component n>. This is a text field of up to 64 characters.
Email [1] This is a deprecated INSERT for the email address in the distinguished name; use the Mail INSERT instead. This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
EmailAddr [1] The email address for the distinguished name. This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
ExtKeyUsage [1] The intended purpose of the certificate. Possible values are:
  • clientauth: Client side authentication
  • codesigning: Code signing
  • emailprotection: Email protection
  • mssmartcardlogon: Microsoft Smartcard logon
  • ocspsigning: OCSP response signing
  • serverauth: Server side authentication
  • timestamping: Digital timestamping
HostIdMap [1] This is the user ID for authorization purposes, in an email type of format: subject-id@host-name. For example, this could be dsmith@ibm.com. This is a text field of up to 100 characters.
There are three ways to use %%HostIdMap%%:
  • If you place it in the CONTENT section, the end user can specify the value (or values, because it can be repeated).
  • You can also place it in the APPL section that the application provides. If you do so, it should have the following form:
    %%HostIdMap=@host-name%%

    The host-name is the hardcoded system name for the current system. The application provides the user ID as the user entered it when prompted for user ID and password. Note that, for this to function properly, the IBM® HTTP Server protection scheme for the request must force a prompt for user ID and password. Thus, only one HostIdMap is provided using this method.

  • A third way to specify HostIdMap is to place %%HostIdMap%% in the ADMINAPPROVE section. This allows the administrator to fill in the value when approving the certificate request. See Administering HostIdMappings extensions for more information.
InstallCert (This field is for the Internet Explorer browser only.) This field contains script for producing a window that installs an automatically-renewed certificate copied from an email notification.
JurCountry The jurisdiction of incorporation country name. This is a two-character text field.
Note: This field is intended for use in certificates that follow the criteria for Extended Validation (EV) certificates. For more information about the criteria, see the Guidelines for Extended Validation Certificates produced by the CA/Browser Forum, at http://www.cabforum.org/Guidelines_v1_3.pdf.
JurLocality The jurisdiction of incorporation locality name. This is a text field of up to 64 characters.
Note: This field is intended for use in certificates that follow the criteria for Extended Validation (EV) certificates. For more information about the criteria, see the Guidelines for Extended Validation Certificates produced by the CA/Browser Forum, at http://www.cabforum.org/Guidelines_v1_3.pdf.
JurStateProv The jurisdiction of incorporation state or province name. This is a text field of up to 64 characters.
Note: This field is intended for use in certificates that follow the criteria for Extended Validation (EV) certificates. For more information about the criteria, see the Guidelines for Extended Validation Certificates produced by the CA/Browser Forum, at http://www.cabforum.org/Guidelines_v1_3.pdf.
KeyProt [1] (This field is for the Internet Explorer browser only.) This field asks whether the user wants to enable strong private key protection. The drop-down choices are Yes and No.
KeySize The size of the keys (public key and private key) in bits, if they are to be generated by PKI Services. Valid values for each key type are:
  • RSA: 512, 1024, 2048, 4096
  • NISTECC: 192, 224, 256, 384, 521
  • BPECC: 160, 192, 224, 256, 320, 384, 512
KeyUsage The intended purpose of the certificate. Each possible value is shown in Table 2 with its intended purpose and possible PKIX bits.
Label [2] The label assigned to the requested certificate. This is a text field of up to 32 characters.
Locality The city or municipality where your organization is located, such as Pittsburgh or Paris. This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
Mail [1] The email address for the distinguished name. This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
NotBefore Number of days (0 - 30) before the certificate becomes valid.
NotAfter Number of days (1 - 9999) that the certificate is current. For example, 365 for a one-year certificate.
NotifyEmail [1] The email address for notification purposes. If automatic certificate renewal is in effect, this is the email address to which PKI Services sends the certificate when it is automatically renewed. This is a text field of up to 64 characters.
Notes:
  1. When a certificate is created and posted to LDAP, the NotifyEmail value, if specified, is posted as the MAIL attribute. If the MAIL attribute already exists in that directory entry, its value is replaced by the new value. If both NotifyEmail and Email appear on one request, they must have the same value.
  2. If a certificate for which PKI Services generated the keys is renewed, the NotifyEmail field is ignored, and the renewed certificate is sent to the requestor's email address.
Org Organization. The legally registered name (or trademark name, for example, IBM) of your organization. This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
OrgUnit The name of your division or department. This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
OrgUnit2 The name of your division or department. (There can be more than one organizational unit field on a request form. For example, one could be for your department and another for your division.) This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
PassPhrase [1] The user chooses this value and enters it, then reenters it, when requesting a certificate (and must later supply the same value when retrieving the certificate). This is a case-sensitive text field of up to 32 characters. There is no minimum number of characters, and the user can use any characters, but alphanumeric characters (A - Z, a - z, and 0 - 9) are suggested.
PostalCode [1] The zip code or postal code. This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
PublicKey The base64-encoded PKCS #10 certificate request. (This is for server or device enrollment only.) You create a certificate request on behalf of another server (which could be a z/OS® server or other type of server) or device for which you are requesting a certificate. You use software specific to that server to generate the PKCS #10 request before going to the PKI Services website. Save the request in a file. Then open the file in a text editor such as Windows Notepad and copy and paste the contents into the text box on the enrollment form. A text area of 70 columns and 12 rows is allocated for this certificate request. Here is an example of the certificate request:
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
PublicKeyIE [1] (This field is for the Internet Explorer browser only.) This is the cryptographic service provider. The user selects a value from a drop-down list (Microsoft Base Cryptographic Provider or Microsoft Enhanced Cryptographic Provider).
PublicKeyNS [1] (This field is for Mozilla-based browsers only.) This is the key size for your public/private key pair. The user selects a value from the drop-down list. Larger keys are more secure, but they also increase the time needed for connecting to a secure session.
PublicKey2IE (This field is for the Internet Explorer browser only.) This field is the smart card cryptographic service provider. The user selects a smart card provider from a list.
PublicKey2NS (This field is for Mozilla-based browsers only.) This field is the keygen HTML tag. It displays a menu of key sizes from which the user must choose one. When the user clicks submit, a key pair of the selected size is generated.
RecoverEmail, RecoverEmail2 This field is used to recover a certificate whose keys were generated by PKI Services. It contains the email address of the requestor.
Requestor [1] The user's name, which is used for tracking the request. This can be in any format, for example, John Smith or John J. Smith. (This can differ from the common name, especially if the request is for a server certificate.) The value is saved with the request and issued certificate, but it is not a field in the created certificate. The default value is taken from the leftmost RDN in the subject's distinguished name, truncated to 32 characters.
Requestor2 The email address of the requestor. This field is used to request a certificate with a key pair generated by PKI Services, and to retrieve such a certificate.
Security1, Security2, ..., Securityn Security questions used to assist in recovering a certificate whose keys were generated by PKI Services. These fields can be used by the GENCERT, REQCERT, and QRECOVER exits. You can have as many of these fields as you want, but the number you have must match the number that your exits handle. The fields must be numbered in order, beginning with Security1.
SerialNumber [1] Serial number of the subject device. This is a text field of up to 64 characters.
SignWith The provider used for certificate generation: for PKI, the component; for SAF, the component and the key label of the signing certificate. This is a text field of up to 45 characters. It can be SAF or PKI Services, as shown in the following examples.
Examples:
"SAF:CERTAUTH/Local CA Cert" 
"PKI:"

For SAF, the label of the signing certificate must be included. The first example shows the SignWith field in a SAF template. It includes the signing certificate, a CERTAUTH certificate labeled 'Local CA Cert'.

For PKI, it is an error to include the signing certificate. The second example shows the SignWith field in a PKI template. Notice that this contains no signing certificate.
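
The rules in this table that need more than a length check, gathered into one batch validator as an added example (not PKI Services code): the ClientName restriction (first 32 characters unique regardless of case across preregistered users), the HostIdMap subject-id@host-name shape, the requirement that NotifyEmail and Email agree when both appear on one request, and the SignWith rule that SAF needs a signing certificate label while PKI must not have one. The request dictionaries, their key names and the sample values are constructed for this example.

```python
"""Check a batch of certificate requests against the rules in this table.

Added example; it is not PKI Services code. The request dictionaries, their
key names and the sample batch are constructed for the example.
"""
from __future__ import annotations

import re

_HOST_ID_MAP = re.compile(r"^[^@\s]+@[^@\s]+$")  # subject-id@host-name


def check_sign_with(value: str) -> str:
    """Return 'SAF' or 'PKI' for a well-formed SignWith value, else raise ValueError."""
    if len(value) > 45:
        raise ValueError("SignWith is limited to 45 characters")
    provider, sep, label = value.partition(":")
    if not sep or provider not in ("SAF", "PKI"):
        raise ValueError(f"SignWith must begin with SAF: or PKI:, got {value!r}")
    if provider == "SAF" and not label:
        raise ValueError("SAF signing needs the signing certificate label, as in SAF:CERTAUTH/Local CA Cert")
    if provider == "PKI" and label:
        raise ValueError("PKI signing must not name a signing certificate; use PKI:")
    return provider


def check_host_id_map(value: str) -> str:
    """Accept subject-id@host-name of at most 100 characters, else raise ValueError."""
    if len(value) > 100 or not _HOST_ID_MAP.match(value):
        raise ValueError(f"HostIdMap must look like subject-id@host-name, got {value!r}")
    return value


def client_name_key(name: str) -> str:
    """The part of ClientName that must be unique: the first 32 characters, case folded."""
    return name[:32].casefold()


def validate_requests(requests: list[dict]) -> list[str]:
    """Return one message per problem found; an empty list means every request passed."""
    problems: list[str] = []
    seen: dict[str, int] = {}
    for index, req in enumerate(requests):
        name = req.get("ClientName")
        if name is not None:
            key = client_name_key(name)
            if key in seen:
                problems.append(f"request {index}: ClientName duplicates request {seen[key]} "
                                "in its first 32 characters (case ignored)")
            else:
                seen[key] = index
        for field, check in (("HostIdMap", check_host_id_map), ("SignWith", check_sign_with)):
            if field in req:
                try:
                    check(req[field])
                except ValueError as err:
                    problems.append(f"request {index}: {err}")
        if "NotifyEmail" in req and "Email" in req and req["NotifyEmail"] != req["Email"]:
            problems.append(f"request {index}: NotifyEmail and Email must have the same value")
    return problems


# Constructed sample batch: request 0 is clean, requests 1 and 2 break the rules.
SAMPLE_REQUESTS = [
    {"ClientName": "Payroll Server Alpha", "HostIdMap": "dsmith@ibm.com", "SignWith": "PKI:"},
    {"ClientName": "PAYROLL SERVER ALPHA", "SignWith": "SAF:CERTAUTH/Local CA Cert"},
    {"ClientName": "Payroll Server Beta", "HostIdMap": "dsmith", "SignWith": "PKI:Local CA Cert",
     "NotifyEmail": "alpha@example.com", "Email": "beta@example.com"},
]

if __name__ == "__main__":
    for line in validate_requests(SAMPLE_REQUESTS) or ["no problems found"]:
        print(line)
```

Case folding rather than lowercasing is used for the ClientName key so that names differing only in case-variant characters outside ASCII also collide, which matches the intent of "irrespective of case".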

StateProv The state or province where your organization is located. Your registration policies determine whether you spell out the full name of the state or province or use an abbreviation. This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
Street [1] The street address. This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
Title Job title. This is a text field of up to 64 characters.
Note: The value is one of the relative distinguished names that is saved in the subject's distinguished name in the certificate.
TransactionId PKISERV web pages assign this after the user requests a certificate. When it is displayed, the user needs to record this number. This is a text field of up to 56 characters.
Uid [1] The subject's login ID. This is a text field of up to 64 characters.
UnstructAddr [1] Unstructured address of the subject device. This is a text field of up to 64 characters.
UnstructName [1] Unstructured device name. This is a text field of up to 64 characters.
UserId The owning SAF user ID. This is a text field of up to 8 characters.
Restrictions (referenced by the numbers 1 and 2 that follow some field names):
  1. This field is applicable only to PKI certificates (certificates using the PKI: value in the SignWith field).
  2. This field is applicable only to SAF certificates (certificates using the SAF: value in the SignWith field).
Table 2. KeyUsage values and their intended purpose and possible PKIX bits

| KeyUsage value | Intended purpose | PKIX bits |
|---|---|---|
| certsign | Certificate and CRL signing | keyCertSign and cRLSign |
| crlsign | CRL signing | cRLSign |
| dataencrypt, dataencipherment, or dataenciph | Data encryption | dataEncipherment |
| digitalsig or digitalsignature | Authentication | digitalSignature |
| docsign or nonrepudiation | Document signing | nonRepudiation |
| handshake | Protocol handshaking (for example, SSL) | digitalSignature and keyEncipherment |
| keyagree or keyagreement | Key agreement | keyAgreement |
| keycertsign | Certificate signing | keyCertSign |
| keyencrypt, keyencipherment, or keyenciph | Key transport | keyEncipherment |

Note: If certsign, crlsign, or keycertsign is specified, the certificate is created with the basic constraints extension to indicate that it is a certificate authority certificate, in addition to the key usage extension.
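The KeyUsage mapping in Table 2 (aliases included) and the ExtKeyUsage value list earlier in Table 1, turned into the X.509 extension content they produce. This is an added example, not PKI Services code: it unions the PKIX bits of every requested value, derives from the Note above whether the basic constraints extension must mark the certificate as a CA, DER-encodes the KeyUsage BIT STRING so the bytes can be compared with an ASN.1 dump of the issued certificate, and maps each ExtKeyUsage value to its key-purpose OID. The OIDs are the standard RFC 5280 and Microsoft values and are not taken from this page; the ExtKeyUsage names used in the certificate are an assumption of this example in that the table lists only the template values.

```python
"""Translate KeyUsage and ExtKeyUsage template values into X.509 extension content.

Added example; it is not PKI Services code. The key-purpose OIDs are the
standard RFC 5280 / Microsoft values (an addition, not from the table).
"""
from __future__ import annotations

# RFC 5280 KeyUsage bit positions (bit 0 is the most significant bit).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5, "cRLSign": 6,
}

# Table 2: template value -> PKIX bits; each alias maps to the same bits.
_KU = {
    "certsign": ("keyCertSign", "cRLSign"),
    "crlsign": ("cRLSign",),
    "dataencrypt": ("dataEncipherment",),
    "digitalsig": ("digitalSignature",),
    "docsign": ("nonRepudiation",),
    "handshake": ("digitalSignature", "keyEncipherment"),
    "keyagree": ("keyAgreement",),
    "keycertsign": ("keyCertSign",),
    "keyencrypt": ("keyEncipherment",),
}
KEY_USAGE_VALUES = dict(_KU)
for _alias, _canonical in (("dataencipherment", "dataencrypt"), ("dataenciph", "dataencrypt"),
                           ("digitalsignature", "digitalsig"), ("nonrepudiation", "docsign"),
                           ("keyagreement", "keyagree"), ("keyencipherment", "keyencrypt"),
                           ("keyenciph", "keyencrypt")):
    KEY_USAGE_VALUES[_alias] = _KU[_canonical]

CA_VALUES = {"certsign", "crlsign", "keycertsign"}  # these also set basicConstraints cA

# ExtKeyUsage template value -> key-purpose OID (standard values, not from the table).
EXT_KEY_USAGE_OIDS = {
    "clientauth": "1.3.6.1.5.5.7.3.2",
    "codesigning": "1.3.6.1.5.5.7.3.3",
    "emailprotection": "1.3.6.1.5.5.7.3.4",
    "mssmartcardlogon": "1.3.6.1.4.1.311.20.2.2",
    "ocspsigning": "1.3.6.1.5.5.7.3.9",
    "serverauth": "1.3.6.1.5.5.7.3.1",
    "timestamping": "1.3.6.1.5.5.7.3.8",
}


def resolve_key_usage(values) -> tuple[list[str], bool]:
    """Return (PKIX bit names in bit order, certificate must be marked as a CA)."""
    bits: set[str] = set()
    is_ca = False
    for value in values:
        key = value.strip().lower()
        if key not in KEY_USAGE_VALUES:
            raise ValueError(f"unknown KeyUsage value {value!r}")
        bits.update(KEY_USAGE_VALUES[key])
        is_ca = is_ca or key in CA_VALUES
    return sorted(bits, key=KEY_USAGE_BITS.__getitem__), is_ca


def der_key_usage(bit_names) -> bytes:
    """DER-encode the KeyUsage BIT STRING (tag 0x03) for the given bit names."""
    positions = [KEY_USAGE_BITS[name] for name in bit_names]
    if not positions:
        raise ValueError("KeyUsage must set at least one bit")
    highest = max(positions)
    nbytes = highest // 8 + 1
    value = 0
    for pos in positions:
        value |= 1 << (nbytes * 8 - 1 - pos)
    unused = nbytes * 8 - 1 - highest  # DER drops trailing zero bits
    content = bytes([unused]) + value.to_bytes(nbytes, "big")
    return bytes([0x03, len(content)]) + content


def resolve_ext_key_usage(values) -> list[str]:
    """Map ExtKeyUsage template values to key-purpose OIDs, in request order."""
    oids: list[str] = []
    for value in values:
        key = value.strip().lower()
        if key not in EXT_KEY_USAGE_OIDS:
            raise ValueError(f"unknown ExtKeyUsage value {value!r}")
        if EXT_KEY_USAGE_OIDS[key] not in oids:
            oids.append(EXT_KEY_USAGE_OIDS[key])
    return oids


if __name__ == "__main__":
    for request in (["handshake"], ["certsign"], ["digitalsig", "keyagree"]):
        names, ca = resolve_key_usage(request)
        print(request, "->", names, "CA" if ca else "end entity", der_key_usage(names).hex())
    print(resolve_ext_key_usage(["serverauth", "clientauth"]))
```

The two DER results worth memorising for audits are 03 02 05 a0 (handshake: digitalSignature and keyEncipherment) and 03 02 01 06 (certsign: keyCertSign and cRLSign); seeing the latter in a certificate issued from a template that was meant to be end-entity only is a quick sign that KeyUsage was mis-set.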