Named fields in INSERT sections
Field | Description |
---|---|
AltDomain | The host name of the machine where the certificate is installed. This is a text field of up to 100 characters and can be repeated. The value is stored as a dNSName entry in the certificate's subject alternative name (SAN) extension. Current TLS clients match the server host name against SAN dNSName entries rather than against the CommonName, so a server certificate needs an AltDomain entry for every host name it serves. |
AltEmail | The user's email address, including the @ character and any periods (.). This is a text field of up to 100 characters and can be repeated. The value is stored as an rfc822Name entry in the certificate's SAN extension. |
AltIPAddr | The IP address that identifies the server or device on the network. PKI Services accepts both IPv4 and IPv6 addresses. This is a text field of up to 45 characters and can be repeated. The value is stored as an iPAddress entry in the certificate's SAN extension. |
AltOther ¹ | A free-form value for an otherName entry in the certificate's SAN extension. Unlike the other INSERTs, you must customize it before you use it: the INSERT name is the string AltOther, an underscore (_), and the OID in dotted-decimal form with each period replaced by an underscore, for example AltOther_1_2_3_4_5 for OID 1.2.3.4.5. (See Customizing the OtherName field.) You can have more than one input field, but the input values together with the OID and the separating comma cannot exceed 255 bytes. PKI Services builds the AltOther value by concatenating the dotted-decimal OID that matches the INSERT name, a comma, and the value of the input field. This is a text field of up to 255 characters. |
AltURI | A uniform resource identifier (URI) that refers to an Internet resource; a URL is one type of URI. This is a text field of up to 100 characters and can be repeated. The value is stored as a uniformResourceIdentifier entry in the certificate's SAN extension. |
BusinessCat | The business category. This is a text field of up to 64 characters. Note: This field is intended for certificates that follow the CA/Browser Forum Guidelines for Extended Validation (EV) Certificates; see http://www.cabforum.org/Guidelines_v1_3.pdf. |
ChallengePassPhrase ¹ | The passphrase the user entered when requesting a certificate. The user must later type the same passphrase exactly as entered on the request form. This is a case-sensitive text field of up to 32 characters. |
ClientName ¹ | Name of the person or device being preregistered. This is a text field of up to 64 characters. Restriction: The first 32 characters of the name must be unique, irrespective of case, for each preregistered user. |
CommonName | For browser certificates, this is the user's name, such as John Smith (first name followed by last name). For server certificates, it is the name by which the server's administrator wants the server to be known; for SSL servers, the SSL protocol requires the CommonName to be the fully qualified domain name of the server, for example www.ibm.com. Current TLS clients validate the host name against the SAN extension rather than the CommonName, so also supply the host name as AltDomain. CommonName is a text field of up to 64 characters. When CommonName is coded as a constant with no value assigned, RACF® determines the value: the user authenticates with a user ID and password (or, if UserId is listed in the APPL section, the application supplies them), and RACF uses the user ID to look up the CommonName value in the user's profile. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
Country | The country where your organization is located. This is a 2-character text field. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
CustomExt | A custom certificate extension. Use this field to support extensions that PKI Services does not otherwise support. This is a repeatable field. For more information, see Adding custom extensions to certificates. |
DNQualifier ¹ | The subject's distinguished name qualifier. This is a text field of up to 64 characters. |
DomainName ¹ | The subject's domain name, containing all the domain name components in the form <domain component1>.<domain component2>. ... .<domain componentn>. This is a text field of up to 64 characters. |
Email ¹ | Deprecated INSERT for the email address in the distinguished name; use the Mail INSERT instead. This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
EmailAddr ¹ | The email address for the distinguished name. This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
ExtKeyUsage ¹ | The intended purpose of the certificate. Possible values are: |
HostIdMap ¹ | The user ID for authorization purposes, in an email-like format, for example dsmith@ibm.com. This is a text field of up to 100 characters. There are three ways to use %%HostIdMap%%: |
InstallCert | (This field is for the Internet Explorer browser only.) This field contains script for producing a window that installs an automatically-renewed certificate copied from an email notification. |
JurCountry | The jurisdiction of incorporation country name. This is a 2-character text field. Note: This field is intended for certificates that follow the CA/Browser Forum Guidelines for Extended Validation (EV) Certificates; see http://www.cabforum.org/Guidelines_v1_3.pdf. |
JurLocality | The jurisdiction of incorporation locality name. This is a text field of up to 64 characters. Note: This field is intended for certificates that follow the CA/Browser Forum Guidelines for Extended Validation (EV) Certificates; see http://www.cabforum.org/Guidelines_v1_3.pdf. |
JurStateProv | The jurisdiction of incorporation state or province name. This is a text field of up to 64 characters. Note: This field is intended for certificates that follow the CA/Browser Forum Guidelines for Extended Validation (EV) Certificates; see http://www.cabforum.org/Guidelines_v1_3.pdf. |
KeyProt ¹ | (This field is for the Internet Explorer browser only.) This field asks whether the user wants to enable strong private key protection. The drop-down choices are Yes and No. |
KeySize | The size of the keys (public key and private key) in bits, if PKI Services generates them. Valid values for each key type are: |
KeyUsage | The intended purpose of the certificate. Each possible value is shown in Table 2 with its intended purpose and the PKIX bits it sets. |
Label ² | The label assigned to the requested certificate. This is a text field of up to 32 characters. |
Locality | The city or municipality where your organization is located, such as Pittsburgh or Paris. This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
Mail ¹ | The email address for the distinguished name. This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
NotBefore | Number of days (0 - 30) before the certificate becomes valid. |
NotAfter | Number of days (1 - 9999) that the certificate is current. For example, 365 for a one-year certificate. |
NotifyEmail ¹ | The email address for notification purposes. If automatic certificate renewal is in effect, PKI Services sends the renewed certificate to this address. This is a text field of up to 64 characters. Notes: |
Org | Organization: the legally registered name (or trademark name, for example IBM) of your organization. This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
OrgUnit | The name of your division or department. This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
OrgUnit2 | The name of your division or department. (A request form can have more than one organizational unit field; for example, one for your department and another for your division.) This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
PassPhrase ¹ | The user chooses this value, enters it twice when requesting a certificate, and must supply it again when retrieving the certificate. This is a case-sensitive text field of up to 32 characters. There is no minimum length and any characters are accepted, but alphanumeric characters (A - Z, a - z, and 0 - 9) are suggested. |
PostalCode ¹ | The zip code or postal code. This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
PublicKey | The base64-encoded PKCS #10 certificate request (server or device enrollment only). You create a certificate request on behalf of another server (a z/OS® server or any other type of server) or device for which you are requesting a certificate, using software specific to that server to generate the PKCS #10 request before going to the PKI Services website. Save the request in a file, open the file in a text editor such as Windows Notepad, and copy and paste the contents into the text box on the enrollment form. A text area of 70 columns and 12 rows is allocated for this certificate request. Here is an example of the certificate request: |
PublicKeyIE ¹ | (This field is for the Internet Explorer browser only.) This is the cryptographic service provider. The user selects a value from a drop-down list (Microsoft Base Cryptographic Provider or Microsoft Enhanced Cryptographic Provider). |
PublicKeyNS ¹ | (This field is for Mozilla-based browsers only.) This is the key size for your public/private key pair. The user selects a value from the drop-down list. Larger keys are more secure, but they also increase the time needed to establish a secure session. |
PublicKey2IE | (This field is for the Internet Explorer browser only.) This field is the smart card cryptographic service provider. The user selects a smart card provider from a list. |
PublicKey2NS | (This field is for Mozilla-based browsers only.) This field is the keygen HTML tag. It displays a menu of key sizes from which the user must choose one; when the user clicks submit, the browser generates a key pair of the selected size. Note that current browsers have removed support for the keygen element, so this enrollment path works only in older Mozilla-based browsers. |
RecoverEmail, RecoverEmail2 | This field is used to recover a certificate whose keys were generated by PKI Services. It contains the email address of the requestor. |
Requestor ¹ | The user's name, which is used for tracking the request. This can be in any format, for example, John Smith or John J. Smith. (It can differ from the common name, especially if the request is for a server certificate.) The value is saved with the request and the issued certificate, but it is not a field in the created certificate. The default value is taken from the leftmost RDN in the subject's distinguished name, truncated to 32 characters. |
Requestor2 | The email address of the requestor. This field is used to request a certificate with a key pair generated by PKI Services, and to retrieve such a certificate. |
Security1, Security2, ... Securityn | Security questions used to assist in recovering a certificate whose keys were generated by PKI Services. These fields can be used by the GENCERT, REQCERT and QRECOVER exits. You can have as many of these fields as you want, but the number must match the number that your exits handle. Number the fields in order, beginning with Security1. |
SerialNumber ¹ | Serial number of the subject device. This is a text field of up to 64 characters. |
SignWith | Identifies the provider that generates and signs the certificate. For PKI Services certificates, the value names the PKI component; for SAF certificates, it names the SAF component and the key label of the signing certificate. This is a text field of up to 45 characters. For SAF, the label of the signing certificate must be included, for example a CERTAUTH certificate labeled 'Local CA Cert'. For PKI, it is an error to include a signing certificate. |
StateProv | The state or province where your organization is located. Your registration policies determine whether you spell out the full name of the state or province or use an abbreviation. This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
Street ¹ | The street address. This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
Title | Job title. This is a text field of up to 64 characters. The value is saved as a relative distinguished name (RDN) in the subject's distinguished name in the certificate. |
TransactionId | PKISERV web pages assign this after the user requests a certificate. When it is displayed, the user needs to record this number. This is a text field of up to 56 characters. |
Uid ¹ | The subject's login ID. This is a text field of up to 64 characters. |
UnstructAddr ¹ | Unstructured address of the subject device. This is a text field of up to 64 characters. |
UnstructName ¹ | Unstructured device name. This is a text field of up to 64 characters. |
UserId | The owning SAF user ID. This is a text field of up to 8 characters. |
¹ This field applies only to PKI certificates (certificates that use the PKI: value in the SignWith field).
² This field applies only to SAF certificates (certificates that use the SAF: value in the SignWith field).
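The Alt* INSERTs above all end up as entries of one X.509 extension, subjectAltName. The following Python is an added example, not code from this page or from IBM PKI Services: it builds the DER value of that extension from AltDomain, AltEmail, AltIPAddr, AltURI and AltOther_<oid> values while enforcing the length limits given in the table, and decodes a value back so that an issued certificate can be checked against what was requested. The mapping AltDomain to dNSName, AltEmail to rfc822Name, AltIPAddr to iPAddress, AltURI to uniformResourceIdentifier and AltOther to otherName follows RFC 5280. Carrying the otherName value as a UTF8String is an assumption, since the page does not say how PKI Services encodes it, and all sample values are constructed.

```python
"""Build and decode the subjectAltName extension value that the Alt* INSERT fields
populate, enforcing the field limits from the table.  Standard library only.
Assumption not stated on the page: an otherName value is carried as a UTF8String
inside the [0] EXPLICIT wrapper; over-long values are rejected, not truncated."""
import ipaddress

MAX_ALT_TEXT = 100   # AltDomain, AltEmail, AltURI: "up to 100 characters"
MAX_ALT_IP = 45      # AltIPAddr
MAX_ALT_OTHER = 255  # AltOther_<oid>: "<oid>,<value>" may not exceed 255 bytes
# GeneralName context-specific tags (RFC 5280, section 4.2.1.6)
TAG_OTHER_NAME, TAG_RFC822, TAG_DNS, TAG_URI, TAG_IP = 0xA0, 0x81, 0x82, 0x86, 0x87
TAG_NAMES = {TAG_RFC822: "rfc822Name", TAG_DNS: "dNSName", TAG_URI: "uniformResourceIdentifier"}

def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body

def der_oid(dotted: str) -> bytes:
    """Encode a dotted-decimal OID: first two arcs packed into one octet, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def ia5_name(tag: int, value: str, field: str) -> bytes:
    # dNSName, rfc822Name and URI are IA5String (ASCII only); 100-character limit
    if len(value) > MAX_ALT_TEXT:
        raise ValueError(f"{field} exceeds {MAX_ALT_TEXT} characters")
    return tlv(tag, value.encode("ascii"))

def ip_name(value: str) -> bytes:
    """iPAddress carries the packed address: 4 octets for IPv4, 16 for IPv6."""
    if len(value) > MAX_ALT_IP:
        raise ValueError(f"AltIPAddr exceeds {MAX_ALT_IP} characters")
    return tlv(TAG_IP, ipaddress.ip_address(value).packed)

def other_name(insert_name: str, value: str) -> bytes:
    """AltOther_1_2_3_4_5 -> otherName { type-id 1.2.3.4.5, value [0] EXPLICIT UTF8String }."""
    oid = insert_name[len("AltOther_"):].replace("_", ".")
    if len(f"{oid},{value}".encode("utf-8")) > MAX_ALT_OTHER:  # the field PKI Services builds
        raise ValueError(f"AltOther field exceeds {MAX_ALT_OTHER} bytes")
    return tlv(TAG_OTHER_NAME, der_oid(oid) + tlv(0xA0, tlv(0x0C, value.encode("utf-8"))))

def build_san(inserts: dict) -> bytes:
    """inserts maps INSERT name -> list of values (the fields are repeatable)."""
    handlers = {"AltDomain": lambda v: ia5_name(TAG_DNS, v, "AltDomain"),
                "AltEmail": lambda v: ia5_name(TAG_RFC822, v, "AltEmail"),
                "AltURI": lambda v: ia5_name(TAG_URI, v, "AltURI"),
                "AltIPAddr": ip_name}
    names = bytearray()
    for key, values in inserts.items():
        for value in values:
            if key.startswith("AltOther_"):
                names += other_name(key, value)
            elif key in handlers:
                names += handlers[key](value)
            else:
                raise ValueError(f"{key!r} is not a subject alternative name INSERT")
    return tlv(0x30, bytes(names))

def read_tlv(buf: bytes, pos: int):
    # returns (tag, value, position after the element) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_san(der: bytes) -> list:
    """Decode a subjectAltName value to (GeneralName type, text) pairs, e.g. to confirm
    that an issued certificate carries exactly the Alt* values that were requested."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a subjectAltName SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == TAG_IP:
            addr = ipaddress.IPv4Address(value) if len(value) == 4 else ipaddress.IPv6Address(value)
            names.append(("iPAddress", str(addr)))
        elif tag == TAG_OTHER_NAME:
            names.append(("otherName", value.hex()))  # raw type-id OID plus wrapped value
        else:
            names.append((TAG_NAMES.get(tag, f"[{tag & 0x1F}]"), value.decode("ascii")))
    return names

if __name__ == "__main__":  # constructed sample values for a server certificate request
    san = build_san({"AltDomain": ["www.example.com"], "AltIPAddr": ["2001:db8::1"]})
    print(san.hex(), parse_san(san))
```

To check a certificate PKI Services issued, extract the subjectAltName extension value with your usual X.509 tooling and pass its DER bytes to parse_san; the result should list exactly the Alt* values that were on the request, with no additional names.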
Table 2. KeyUsage values and the PKIX bits they set

KeyUsage value | Intended purpose | PKIX bits |
---|---|---|
certsign | Certificate and CRL signing | KeyCertSign and cRLSign |
crlsign | CRL signing | cRLSign |
dataencrypt, dataencipherment, or dataenciph | Data encryption | dataEncipherment |
digitalsig or digitalsignature | Authentication | digitalSignature |
docsign or nonrepudiation | Document signing | nonRepudiation (called contentCommitment in RFC 5280) |
handshake | Protocol handshaking (for example, SSL) | digitalSignature and keyEncipherment |
keyagree or keyagreement | Key agreement | keyAgreement |
keycertsign | Certificate signing | keyCertSign |
keyencrypt, keyencipherment, or keyenciph | Key transport | keyEncipherment |