Templates that PKI Services provides

PKI Services provides the templates to request the following certificates:
  • One-year SAF server certificate
  • One-year SAF browser certificate
  • One-year PKI SSL browser certificate (See Figure 1 to see a sample of this web page.)
  • One-year PKI SSL S/MIME browser certificate
  • One-year PKI generated key certificate
  • Two-year EV SSL server certificate
  • Two-year PKI browser certificate for authenticating to z/OS®
  • Two-year PKI Authenticode - code signing server certificate
  • Two-year PKI Windows logon certificate
  • Five-year PKI SSL server certificate
  • n-year PKI browser certificate for extensions demonstration
  • Five-year SCEP certificate - Preregistration
  • Five-year PKI IPSEC server (firewall) certificate
  • Five-year PKI intermediate CA server certificate
The following table describes the certificate templates that PKI Services provides (each entry gives the certificate template, followed by its description):
Table 1. Certificate templates PKI Services provides

One-year SAF server certificate
  This template allows end users to request a server certificate using native SAF certificate generation facilities (rather than PKI Services certificate generation facilities). The certificate is used for handshaking only (for example, SSL). This certificate is auto-approved.

One-year SAF browser certificate
  This template allows end users to request a browser certificate. SAF certificate generation facilities (rather than PKI Services certificate generation facilities) create the certificate. The requestor must input a label (see Table 1 for descriptions of fields) because the certificate is stored in a RACF® database. This certificate is auto-approved.

One-year PKI SSL browser certificate
  This template allows end users to request a browser certificate that PKI Services generates. The end user enters the common name. (See Table 1 for descriptions of fields.) This template contains an ADMINAPPROVE section; therefore, certificates requested using this template require administrator approval before being issued. The user ID and password are not required, but the passphrase is required.

One-year PKI S/MIME browser certificate
  This template allows end users to request a browser certificate that PKI Services generates. It is similar to the one-year PKI SSL browser certificate except that the end user selects AltEmail.

One-year PKI generated key certificate
  This template allows end users to request a certificate that PKI Services generates, with a public key and private key that PKI Services also generates. The user must supply a name, email address, passphrase, and key size. This template requires administrator approval.

  You need to assess the risk of using this template. The requestor provides the transaction ID and passphrase to retrieve the private key and the certificate. The transaction ID and the passphrase entered by the requestor can be shown on the administrator pages, so a malicious administrator could retrieve the certificate and the private key and use them. You should implement measures to minimize the risk of this happening; for example, check the log record for the number of retrievals, or create an exit to limit the number of retrievals.

Two-year EV SSL server certificate
  This template allows end users to request a two-year extended validation server certificate.

Two-year PKI browser certificate for authenticating to z/OS
  This template allows end users to request a browser certificate that PKI Services generates. This certificate is similar to the one-year PKI SSL browser certificate except that it includes the %%HostIdMap%% INSERT and is auto-approved.

  %%HostIdMap%% is intended as a replacement for adding (and mapping) the certificate to a RACF user ID.

  This template specifies %%HostIdMap=@ host-name%% and %%UserId%% in the APPL section. It does not require administrator approval but is protected through the user ID and password. (For more information about %%HostIdMap%%, see the HostIdMap field in Table 1.)

Two-year PKI Authenticode - code signing server certificate
  This template allows end users to request a server certificate that is used to sign software downloaded across an untrusted medium. It also demonstrates how to define extensions for template-specific certificate policies and third-party-provided OCSP.

Two-year PKI Windows logon certificate
  This template allows end users to request a certificate to use when logging in with a smart card to a Windows desktop as an Active Directory user. This template supports requests from both Internet Explorer and Mozilla-based browsers, and supports the following cryptographic service providers (CSPs):
  • Datakey
  • Gemplus
  • Infineon SICRYPT
  • Schlumberger
  Support for additional CSPs can be added when you customize the template.

Five-year PKI SSL server certificate
  This template allows end users to request a server certificate that PKI Services generates. It is similar to the SAF server template except that this template contains an ADMINAPPROVE section; therefore, certificates requested using this template require administrator approval before being issued. The user ID and password are not required, but the passphrase is required.

Five-year PKI IPSEC server (firewall) certificate
  This template allows end users to request a server certificate that PKI Services generates. It is similar to the five-year PKI SSL server certificate except that the KeyUsage constants handshake and dataencrypt are hardcoded. Also, the end user selects AltEmail, AltIPAddr, AltURI, and AltDomain.

Five-year PKI intermediate CA server certificate
  This template allows end users to request a server certificate that PKI Services generates. It is similar to the PKI SSL server template except that KeyUsage is hardcoded as certsign. Also, this certificate is auto-approved: because the request runs under the user ID of the requestor, the person requesting it must be highly authorized. The user ID and password are required, and the units of work should run under the client's ID. In other words, the end user must be someone who could do this using RACDCERT alone, that is, someone who has CONTROL authority to IRR.DIGTCERT.GENCERT, and so forth. Given this requirement, the administrator need not approve the request. The PassPhrase is required.

Five-year SCEP certificate - Preregistration
  This template supports certificate preregistration for Simple Certificate Enrollment Protocol (SCEP) clients. The PassPhrase is required.

n-year PKI browser certificate for extensions demonstration
  This template creates a browser certificate that has most of its information provided by the user rather than controlled by the administrator. The certificate contains all the supported extensions.
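The risk note for the one-year PKI generated key certificate template suggests two mitigations: checking the log for how many times each transaction ID has been used to retrieve the private key, and writing an exit that limits the number of retrievals. The following added example (not PKI Services code, and not from this documentation) sketches both over a few constructed log records. The record layout, the field names txid and src, and the event names RETRIEVE and REQUEST are assumptions made for the example; a real installation would adapt the regular expression to its own log format.

```python
"""Retrieval monitoring for PKI-generated key certificates.

Added example; this is not PKI Services code and the log record layout is a
constructed assumption. It shows the two mitigations the page suggests for the
generated key template: counting how many times each transaction ID has been
retrieved, and an exit-style limiter that refuses retrievals beyond a limit.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records (hypothetical layout: timestamp, event, transaction
# ID, client address). Adapt LINE_RE to the real log format of your installation.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z RETRIEVE txid=A1B2C3 src=10.1.1.20
2024-03-01T09:15:44Z RETRIEVE txid=D4E5F6 src=10.1.1.21
2024-03-01T11:02:09Z RETRIEVE txid=A1B2C3 src=10.9.9.5
2024-03-01T11:03:10Z RETRIEVE txid=A1B2C3 src=10.9.9.5
2024-03-01T12:00:00Z REQUEST  txid=G7H8I9 src=10.1.1.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z]+)\s+txid=(?P<txid>\w+)\s+src=(?P<src>\S+)$"
)


def parse_retrievals(log_text):
    """Return (timestamp, txid, src) tuples for every RETRIEVE record.

    Malformed lines are skipped rather than raising, so one bad record
    cannot stop the scan of an entire log.
    """
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("event") == "RETRIEVE":
            out.append((m.group("ts"), m.group("txid"), m.group("src")))
    return out


def retrieval_counts(log_text):
    """Number of retrievals observed per transaction ID."""
    return Counter(txid for _, txid, _ in parse_retrievals(log_text))


def flag_excess_retrievals(log_text, limit=1):
    """Transaction IDs retrieved more than `limit` times, with their records.

    A requestor normally needs the certificate and private key once, so a
    count above 1 is the signal an analyst should review.
    """
    by_txid = defaultdict(list)
    for ts, txid, src in parse_retrievals(log_text):
        by_txid[txid].append((ts, src))
    return {t: recs for t, recs in by_txid.items() if len(recs) > limit}


class RetrievalLimiter:
    """Stateful model of the exit the page suggests: allow at most `limit`
    retrievals per transaction ID and deny every later attempt."""

    def __init__(self, limit=1):
        self.limit = limit
        self.seen = Counter()

    def allow(self, txid):
        """True if this retrieval is within the limit; False (deny) otherwise."""
        if self.seen[txid] >= self.limit:
            return False
        self.seen[txid] += 1
        return True


if __name__ == "__main__":
    for txid, recs in flag_excess_retrievals(SAMPLE_LOG).items():
        print(f"{txid}: retrieved {len(recs)} times -> {recs}")
    limiter = RetrievalLimiter()
    print(limiter.allow("A1B2C3"), limiter.allow("A1B2C3"))
```

In the constructed sample, transaction A1B2C3 is retrieved three times, twice from a different address than the first retrieval, which is exactly the pattern the risk note warns about; the limiter would have denied the second and third attempts. The detection side is cheap to run periodically against exported log records, while the limiter models the behaviour an exit would enforce at retrieval time.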