One-year SAF server certificate |
This template allows end users to request a
server certificate using native SAF certificate generation facilities
(rather than PKI Services certificate
generation facilities). The certificate is used for handshaking only
(for example, SSL). This certificate is auto-approved. |
One-year SAF browser certificate |
This template allows end users to request a
browser certificate. SAF certificate generation facilities (rather
than PKI Services certificate
generation facilities) create the certificate. The requestor must
input a label (see Table 1 for
descriptions of fields) because the certificate is stored in a RACF® database. This certificate
is auto-approved. |
One-year PKI SSL browser certificate |
This
template allows end users to request a browser certificate that PKI Services generates.
The end user enters the common name. (See Table 1 for descriptions of fields.)
This template contains an ADMINAPPROVE section. Therefore, certificates
requested using this template require administrator approval before
being issued. The user ID and password are not required but the passphrase
is required. |
One-year PKI S/MIME browser certificate |
This template allows end users
to request a browser certificate that PKI Services generates.
This is similar to the one-year PKI SSL browser certificate except
the end user selects AltEmail. |
One-year PKI generated key certificate |
This
template allows end users to request a certificate that PKI Services generates,
with a public key and private key that PKI Services generates.
The user must supply a name, e-mail address, passphrase, and key size.
This template requires administrator approval. You need to assess
the risk of using this template. The requestor provides the transaction
ID and passphrase to retrieve the private key and the certificate.
The transaction ID and the passphrase entered by the requestor can
be shown on the administrator pages. A malicious administrator could
retrieve the certificate and the private key and use them. You should
implement measures to minimize the risk of this happening; for example,
check the log record on the number of retrievals or create an exit
to limit the number of retrievals.
|
Two-year EV SSL server certificate |
This template allows end users to request a
two-year extended validation server certificate. |
Two-year PKI browser certificate for authenticating to z/OS |
This
template allows end users to request a browser certificate that PKI Services generates. This certificate is similar to the one-year PKI SSL browser
certificate except that it includes the %%HostIdMap%% INSERT
and this certificate is auto-approved. %%HostIdMap%% is
intended as a replacement for adding (and mapping) the certificate
to a RACF user ID.
This
template specifies %%HostIdMap=@ host-name%% and %%UserId%% in
the APPL section. This template does not require administrator approval
but has protection through the user ID and password. (For more information
about %%HostIdMap%%, see the HostIdMap field
in Table 1.)
|
Two-year PKI Authenticode - code signing server certificate |
This template allows end users to request a server certificate to be used
to sign software that will be downloaded across an untrusted medium.
It also demonstrates how to define extensions for template-specific
certificate policies and third-party-provided OCSP. |
Two-year PKI Windows logon certificate |
This template allows end users to
request a certificate to use when logging in with a smart card to
a Windows desktop as an Active
Directory user. This template supports requests from both Internet
Explorer and Mozilla-based browsers, and supports the following cryptographic
service providers (CSPs):
- Datakey
- Gemplus
- Infineon SICRYPT
- Schlumberger
Support for additional CSPs can be added when you customize the
template. |
Five-year PKI SSL server certificate |
This
template allows end users to request a server certificate that PKI Services generates.
This is similar to the SAF server template except that this template
contains an ADMINAPPROVE section. Therefore, certificates requested
using this template require administrator approval before being issued.
The user ID and password are not required but the passphrase is required. |
Five-year PKI IPSEC server (firewall) certificate |
This template
allows end users to request a server certificate that PKI Services generates.
This is similar to the five-year PKI SSL server certificate except
that KeyUsage constants handshake and dataencrypt are hardcoded. Also,
the end user selects AltEmail, AltIPAddr, AltURI, and AltDomain. |
Five-year PKI intermediate CA server certificate |
This
template allows end users to request a server certificate that PKI Services generates.
This is similar to the PKI SSL server template except that KeyUsage
is hardcoded as certsign. Also, this certificate is auto-approved
(because it runs under the user ID of the requestor; that is, the person
requesting this must be highly authorized). The user ID and password
are required, and the units of work should run under the client's
ID. In other words, the end user must be someone who can do this using
RACDCERT alone, that is, must have CONTROL authority to IRR.DIGTCERT.GENCERT,
and so forth. Given this requirement, the administrator need not approve
this. The PassPhrase is required. |
Five-year SCEP certificate - Preregistration |
This
template supports certificate preregistration for Simple Certificate Enrollment Protocol (SCEP) clients.
The PassPhrase is required. |
n-year PKI browser certificate for extensions demonstration |
This
template creates a browser certificate that has most of its information
provided by the user rather than controlled by the administrator.
The certificate contains all the supported extensions. |