Parent class—X509 Certificate Base

Contains X.509 fields and attributes that describe a certificate.

X509 Certificate Base attributes

Attribute

Description

Adaptable CA specific attributes

Policy Definable: NA. Default: NA

Adaptable Workflow Approvers

UI: Specified Approvers
Required: Yes

Policy Definable: No. Default: NA

One or more identities that can approve the workflow.

Adaptable Workflow Reference ID

UI: NA
Required: No

Policy Definable: No. Default: NA

For internal use.

Adaptable Workflow Stage

UI: If Stage is
Required: Yes

Policy Definable: No. Default: NA

Applies the workflow actions at the designated stage of the object lifecycle.

Address

UI: Address
Required: No

Policy Definable: Yes. Default: NA

The street address that appears as part of the Subject DN of the certificate.

Allow Private Key Reuse

UI: Reuse Private Keys for Service Generated CSRs
Required: No

Policy Definable: Yes. Default: 0

While renewing a X509 certificate, manage the private key:

  • 0 = Generate a new private key.
  • 1 = Reuse the old private key.

Amazon CA specific attributes

Policy Definable: No. Default: NA

Approved Issuer

UI: NA
Required: No

Policy Definable: Yes. Default: NA

A list of DNs that show which CAs are allowed to issue certificates.

Approver

UI: Approver(s)
Required: No

Policy Definable: Yes. Default: NA

One or more user or group identities who are authorized to approve a workflow related to the object. Values are prefixed universals with one of the following formats:

  • local:<universal identifier>
  • AD+<friendly name>:<universal identifier>
  • LDAP+<friendly name>:<universal identifier>

Certificate Authority

UI: CA Template
Required: No

Policy Definable: Yes. Default: NA

The DN of the Certificate Authority (CA) template object to enroll the next version of the certificate.

Certificate Download: PBES2 Algorithm

UI: Private Key PBE (password-based encryption) Algorithm
Required: No

Policy Definable: Yes. Default: NA

The download format of the private key. One of the following Password-Based Cryptography Specification Version 2.0 (PBES2) values:

  • MD5/DES = Insecure, maximum compatibility.
  • SHA1/3DES = Insecure, less compatibility.
  • SHA256/AES256 = most secure, least compatibility.

Certificate Process Validator

UI: NA
Required: No

Policy Definable: No. Default: NA

The driver name that performs additional CSR actions before and after certificate enrollment.

Certificate Vault Id

UI: NA
Required: Yes

Policy Definable: No. Default: NA

A number that uniquely identifies the current version of the certificate that is in the vault.

City

UI: City
Required: No

Policy Definable: Yes. Default: NA

The city name that appears as part of the Subject DN of the certificate. This field is also known as the locale.

Sectigo Certificate Manager CA specific attributes

Policy Definable: NA. Default: NA

Formerly Commodo

Consumers

UI: Associations
Required: No

Policy Definable: No. Default: NA

The DN of the Application object that is associated with the certificate. If the certificate has multiple Application objects, more than one value is present.

When updating the value, be sure to change the Certificate attribute of the associated Application object.

Country

UI: Country
Required: No

Policy Definable: Yes. Default: NA

The two character country code that appears as part of the Subject DN of the certificate. For a list of valid country codes see Country codes.

Created By

UI: Created By
Required: No

Policy Definable: No. Default: NA

The process or application that added the Certificate object to Trust Protection Platform. The certificate originated from:

  • Agent Discovery = Another device as reported by an agent.

  • Network Discovery = Placement engine.

  • Network Discovery (Manual Placement) = Manual discovery. For example, a person ran an instant Discovery and manages the certificate in the UI.
  • Onboard Discovery = An Onboard Discovery.

CSR Thumbprint

UI: NA
Required: No

Policy Definable: No. Default: NA

Confirms that the CSR was successfully created.

CSR Vault Id

UI: NA
Required: No

Policy Definable: No. Default: NA

A number that uniquely identifies the CSR in the vault that Trust Protection Platform used (or will use) to enroll the certificate.

DigiCert CA specific attributes

Policy Definable: NA. Default: NA

 

Disable Automatic Renewal

UI: Disable Automatic Renewal
Required: No

Policy Definable: Yes. Default: 0

Applies when the Management Type is Enrollment or Provisioning. The means for renewing a certificate:

  • 0 = Automatically begin certificate lifecycle processing when the certificate reaches its Renewal Window.
  • 1 = Bypass the certificate lifecycle when the certificate reaches its Renewal Window.

Disable Password Complexity

UI: Disable Password Complexity
Required: No

Policy Definable: Yes. Default: 0

Password complexity for private key downloads. For an example of complexity requirements, see Extracting and downloading PEM contents into separate files.

  • 0 = Enable password complexity for all downloads.
  • 1 = Disable password complexity for downloads.

Discovered BY DN

UI: NA
Required: No

Policy Definable: No. Default: NA

The Distinguished Name (DN) of the device that ran discovery.

Discovered On

UI: NA
Required: No

Policy Definable: No. Default: NA

For internal discovery placement use only. A string that maps to a unique instance and describes where the certificate was discovered.

Domain Suffix Whitelist

UI: Allowed Domains
Required: No

Policy Definable: Yes. Default: NA

The allowed list of domain suffixes that are acceptable in new certificate requests. For example, mydomain.com sales.usa.com.

Elliptic Curve

UI: NA
Required: No

Policy Definable: Yes. Default: NA

The National Institute of Standards and Technology (NIST) curve algorithm. For example, 256P.

Encryption Driver

UI: Key Generation
Required: No

Policy Definable: Yes. Default: Software

The key name that Trust Protection Platform will use when generating encryption keys for certificates. Software is currently the only value allowed.

Enforce Unique Subject

UI: Allow duplicate Common and Subject Alternate Names
Required: No

Policy Definable: Yes. Default: 0

Determines whether the certificate can use the Common Name (CN) as the SAN Domain Name Server (DNS) name. For new or renewed certificates:

  • 0 = Allow CN and SAN DNS names to be the same.
  • 1 = Require CN and SAN DNS names to be different.

Entrust PKI Gateway:Early Private Key Vault ID

UI: NA
Required: No

Policy Definable: No. Default: NA

Internal

Entrust PKI Gateway:Early X509 Vault ID

UI: NA
Required: No

Policy Definable: No. Default: NA

Internal

EntrustNET and ESM CA specific attributes

Policy Definable: NA. Default: NA

 

Escalation Notice Interval

UI: Send event every (days)
Required: No

Policy Definable: Yes. Default: 1

The number of elapsed days between sending escalated expiration events for the certificate.

Escalation Notice Start

UI: Start escalating events (days)
Required: No

Policy Definable: Yes. Default: 15

The number of days, prior to the expiration date of a certificate, to begin logging escalated expiration events.

EST ReEnrollment In Progress

UI: NA
Required: No

Policy Definable: No. Default: NA

The status of a certificate re-enrollment that occurred via an Enrollment over Secure Transport (EST).

Expiration Notice Interval

UI: Send event every (days)
Required: No

Policy Definable: Yes. Default: 1

The number of days that elapse between sending expiration events for the certificate.

Expiration Notice Start

UI: Start generating events (days)
Required: No

Policy Definable: Yes. Default: 30

The number of days, prior to the expiration date of a certificate, to begin logging expiration events.

Fields

UI: Custom Fields
Required: No

Policy Definable: Yes. Default: NA

An identifier-value pair for a custom field.

Generate Keypair on Application

UI: Generate Key/CSR on Application
Required: No

Policy Definable: Yes. Default: 0

The location where the CSR and the private key generate:

  • 0 = On the application server. Archive both in the Trust Protection Platform database.
  • 1 = On the remote host. Archive both in the Trust Protection Platform database. Works when:
    • The driver supports remote generation.

    • The certificate is not self-signed. It can only be associated with one Application object.
    •  The Management Type is Provisioning.

GeoTrust CA:

UI: (All fields)
Required: No

Policy Definable: No. Default: NA

Deprecated.

Given Name

UI: NA
Required: No

Policy Definable: No. Default: NA

The certificate approver's first name.

GlobalSign CA specific attributes

Policy Definable: NA. Default: NA

Grouping Id

UI: Group Id
Required: No

Policy Definable: Yes. Default: No

The identifier that groups related log events together.

In Error

UI: NA
Required: No

Policy Definable: No. Default: 0

Set internally by Trust Protection Platform:

  • 0 = No errors.
  • 1 = Error. A management operation failed and no further processing for this certificate will occur.

In Process

UI: NA
Required: No

Policy Definable: No. Default: NA

The process state of the CSR.

Internet Email Address

UI: Email
Required: No

Policy Definable: No. Default: NA

The email address that appears as part of the Subject DN of the certificate.

Issued to

UI: NA
Required: No

Policy Definable: No. Default: NA

The name or company who received the certificate.

Key Algorithm

UI: Hash Algorithm
Required: No

Policy Definable: Yes. Default: NA

For the CSR, choose SHA-256, SHA-384, or SHA-512.

Key Bit Strength

UI: Key Strength (Bits)
Required: No

Policy Definable: Yes. Default: NA

The bit length of the key to be generated for the next version of the certificate. Valid values are: 512, 1024, 2048, and 4096.

Key Storage Location

UI: NA
Required: Yes

Policy Definable: No. Default: NA

The HSM connector name in CodeSign Protect.

Keynectis Sequoia CA:Fields

UI: NA
Required: No

Policy Definable: No. Default: NA

Deprecated

Last Evaluated On

UI: Last Check
Required: No

Policy Definable: No. Default: NA

The date and time of the most recent SSL/TLS certificate validation.

Last Notification

UI: NA
Required: No

Policy Definable: No. Default: NA

The date and time of the most recent Trust Protection Platform notification for this certificate.

Last Renewed By

UI: NA
Required: No

Policy Definable: No. Default: NA

The Trust Protection Platform identity who made the most recent certificate change.

Last Renewed On

UI: NA
Required: No

Policy Definable: No. Default: NA

The date and time of the most recent certificate renewal.

Last Validation State Update

UI: NA
Required: No

Policy Definable: No. Default: NA

The date and time of the most recent certificate change.

License Count

UI: NA
Required: Yes

Policy Definable: No. Default: NA

The number of servers that can host the certificate. If a CA requires a license for each installed instance, this value must match the number of instances. Applies to Comodo, Entrust Certificate Services CAs.

Management Type Management Type No

UI: NA
Required: No

Policy Definable: Yes. Default: Monitoring

The management type of the certificate. Valid values are: Monitoring, Enrollment, and Provisioning.

Manual Approval

UI: Manual Approval
Required: No

Policy Definable: Yes. Default: 0

The setting to manage approvals for issuing new or renewed certificates:

  • 0= Automatic approval.
  • 1 = Manual approval by a person is required.

Manual Csr

UI: CSR Generation
Required: No

Policy Definable: Yes. Default: 0

The setting to manage Certificate Signing Request (CSR)s:

  • 0 = Allow a Service Generated CSR. Use this setting when a certificate is associated with multiple applications. Allows the system to push the private key to multiple applications.
  • 1 = Require a user to provide a CSR.

Microsoft CA specific attributes

Policy Definable: NA. Default: NA

Network Validation Disabled

UI: Disable Network Validation
Required: No

Policy Definable: Yes. Default: 0

The setting for network validation:

  • 0 = Validate by making an SSL/TLS connection to the managed device.
  • 1 = Disable network validation.

OpenTrust Enterprise PKI CA specific attributes

Policy Definable: NA. Default: NA

Options

UI: NA
Required: No

Policy Definable: Yes. Default: NA

The source of the CSR on this certificate:

  • CSR Needed = Issue a new CSR.
  • Last CSR Was Service Generated = Use the previous.

Organization

UI: Organization
Required: No

Policy Definable: Yes. Default: NA

The Organization (O) name that appears as part of the Subject DN of the certificate.

Organizational Unit

UI: Organizational Unit
Required: No

Policy Definable: Yes. Default: NA

The Organizational Unit (OU) name that appears as part of the Subject DN of the certificate.

Origin

UI: NA
Required: No

Policy Definable: No. Default: NA

The friendly name of the system requesting the certificate.

PKCS10 Hash Algorithm
UI: PKCS10 Hash Algorithm
Required: No

Policy Definable: Yes. Default: NA

The algorithm used to sign and create the CSR. The certificate algorithm is finalized by the CA when it signs the CSR: Sha1, Sha256, Sha384, or Sha512.

Postal Code

UI: Postal Code
Required: Yes

Policy Definable: Yes. Default: NA

The postal or zip code of the certificate.

Private Key Vault Id

UI: NA
Required: No*

Policy Definable: No. Default: NA

A number that uniquely identifies the private key stored in the vault and corresponds to the current version of the certificate. Required when the certificate provisioning mode is:

  • agent: Use an agent to provision.
  • agentless: Generate Keypair on Application' is null or zero.

Prohibit Wildcard

UI: Prohibit Wildcard
Required: No

Policy Definable: Yes. Default: 0

The setting to control the use of the asterisk (*) for wild cards on a CN:

  • 0 = Allow wild cards to renew, enroll, or upload a X509 certificate object.
  • 1 = Prohibit wildcard certificates to renew, enroll, or upload a X509 certificate object.

Prohibited Subject Attributes

UI: Prohibited Subject Attributes
Required: Yes

Policy Definable: Yes. Default: NA

The set of prohibited certificate Subject attributes.

Protection Key

UI: NA
Required: Yes

Policy Definable: No. Default: Software

The key name to secure the private key in Secret Store.

Public Key Vault Id

UI: NA
Required: No

Policy Definable: No. Default: NA

The Vault ID of the public key.

Renewal Window

UI: Renewal Window
Required: No

Policy Definable: Yes. Default: 30

The number of days, prior certificate expiration, when automatic renewal should begin. This attribute is ignored when Disable Automatic Renewal is 1.

Reverse DC Order

UI: NA
Required: No

Policy Definable: Yes. Default: NA

Sets the order of the domain component (DC) association for the Secret Store.

Revocation Check Disabled

UI: Revocation Check Disabled
Required: No

Policy Definable: Yes. Default: NA

Monitor for revoked certificates:

  • No = Monitor for revoked certificates:
  • Yes = Disable monitoring for revoked certificates.

Revocation Check In Error

UI: Revocation Check In Error
Required: No

Policy Definable: Yes. Default: 0

Set internally by Trust Protection Platform

  • 0 = No errors.
  • 1 = Error. A revocation checking operation failed for this certificate.

Revocation Check Last Checked

UI: Revocation Check Last Checked
Required: No

Policy Definable: Yes. Default: NA

The date at time of Trust Protection Platform verified that this certificate is active and not revoked.

Revocation Check Status

UI: Revocation Check Status
Required: No

Policy Definable: Yes. Default: NA

The status of a revoked certificate:

  • None = No status has been set.
  • Failed = Revocation failed.
  • Pending = Revocation is pending.
  • Complete = Revocation is complete.
  • Confirmed = Revoked by CA and confirmed on certificate revocation lists or an Online Certificate Status Protocol (OCSP) reply.

Revocation Original Request

UI: Revocation Original Request
Required: No

Policy Definable: Yes. Default: NA

The ability to show the certificate revocation request.

Revocation Request

UI: NA
Required: No

Policy Definable: No. Default: NA

The Vault ID of the certificate that Trust Protection Platform should revoke as soon as the engine is able to do so. Also includes the Revocation Reason and Comments to send to the CA at the time of revocation.

Syntax: <Vault ID>|<Revocation Reason>|<Comment>

Example: 12345|Superceded|Replaced by new cert

Scep Transaction Id

UI: NA
Required: Yes

Policy Definable: No. Default: NA

The Simple Certificate Enrollment Protocol (SCEP) for a mobile device certificate.

Server Type

UI: Server Type
Required: Yes

Policy Definable: Yes. Default: NA

The CA specific attribute for renewal or enrollment. A predefined server type.

Signing Request Subject

UI: NA
Required: No

Policy Definable: No. Default: NA

Set internally by Trust Protection Platform. Used internally to store the Subject DN of the last CSR that was used to enroll with the CA.

Specific End Date

UI: Expiration
Required: No

Policy Definable: No. Default: NA

The certificate validity period.

Stage

UI: NA
Required: No

Policy Definable: No. Default: NA

Set internally by Trust Protection Platform. The current lifecycle process stage of the certificate.

State

UI: State/Province
Required: No

Policy Definable: Yes. Default: NA

The state (ST) name that appears as part of the Subject DN of the certificate.

Status

UI: NA
Required: No

Policy Definable: No. Default: NA

Set internally by Trust Protection Platform. The current status of processing for the application. Values may include an error message, an indication that processing has stopped pending workflow approval, or some other status. The absence of this attribute indicates an OK status.

SID Extension:Value

UI: AD Security Identifier source
- Look up SID from AD Identity
- Enter SID manually
Required: No

Policy Definable: Yes. Default: NA

Contains SID (AD Security Identifier) value or AD identity (prefixed universal) to resolve the SID value from. This attribute is used for service-generated CSRs.

SID Extension:Effective Value

UI: NA
Required: No

Policy Definable: Yes. Default: NA

Is set when certificate issuance is in progress and contains effective SID (AD Security Identifier) value. Format is: “value;identity”. Identity format is prefixed universal. Attribute is read-only and is overwritten by Certificate Manager on every issuance and renewal.

Surname

UI: Last Name
Required: No

Policy Definable: Yes. Default: NA

The last name of a person that is collected by the CA at the time of enrollment.

Symantec LHK CA

UI: NA
Required: No

Policy Definable: No. Default: NA

Deprecated as of 21.3. However the database column may still be present. in the database.

Symantec MPKI CA specific attributes

Policy Definable: No. Default: NA

Deprecated as of 21.3. However the database column may still be present. in the database.

Telephone

UI: Telephone
Required: No

Policy Definable: Yes. Default: NA

The contact's telephone number for this certificate.

Thawte CA

UI: NA
Required: No

Policy Definable: No. Default: NA

Deprecated

Transaction Id

UI: NA
Required: No

Policy Definable: No. Default: NA

Set internally by Trust Protection Platform. The identifier that the CA issued during the last CSR.

Trusted Status

UI: NA
Required: No

Policy Definable: No. Default: NA

The status of the certificate trust bundle.

VikingCloud CA specific attributes

Policy Definable: NA. Default: NA

Validation State

UI: Validation State
Required: No

Policy Definable: No. Default: NA

For more information, see Certificates File validation states.

Validity Period

UI: Validity Period
Required: Yes

Policy Definable: No. Default: NA

The number of months between issuance and expiration dates of the certificate. When setting this attribute, the valid periods must be read from the assigned CA template object.

Verizon CA

UI: NA
Required: No

Policy Definable: No. Default: NA

Deprecated

Want Renewal

UI: Reuse Private Key
Required: No

Policy Definable: Yes. Default: NA

A value of 1 reuses the private key upon renewal.

X509 Extension Fields

UI: NA
Required: No

Policy Definable: No. Default: NA

The custom fields on the user certificate.

X509 D

UI: NA
Required: No

Policy Definable: No. Default: NA

The description on user certificate.

X509 DC

UI: NA
Required: No

Policy Definable: No. Default: NA

The DN qualifier on the user certificate.

X509 DNQ

UI: NA
Required: No

Policy Definable: No. Default: NA

The DN email address on the user certificate.

X509 E

UI: NA
Required: No

Policy Definable: No. Default: NA

The DN email address on the user certificate.

X509 Extension Fields

UI: NA
Required: No

Policy Definable: No. Default: NA

The additional certificate extension fields on the user certificate.

X509 GN

UI: NA
Required: No

Policy Definable: No. Default: NA

The given name on the user certificate.

X509 GQ

UI: NA
Required: No

Policy Definable: No. Default: NA

The generation qualifier on the user certificate.

X509 I

UI: NA
Required: No

Policy Definable: No. Default: NA

The initials on the user certificate.

X509 P

UI: NA
Required: No

Policy Definable: No. Default: NA

The pseudonym on the user certificate.

X509 PA

UI: NA
Required: No

Policy Definable: No. Default: NA

The postal address on the user certificate.

X509 PC

UI: NA
Required: No

Policy Definable: No. Default: NA

The postal code on the user certificate.

X509 SA

UI: NA
Required: No

Policy Definable: No. Default: NA

The street address on the user certificate.

X509 SN

UI: NA
Required: No

Policy Definable: No. Default: NA

The surname on the user certificate.

X509 SNO

UI: NA
Required: No

Policy Definable: No. Default: NA

The serial number on the user certificate.

 

 

X509 Subject

UI: Common Name
Required: No

Policy Definable: No. Default: NA

The common name (CN) that appears as part of the Subject DN of the certificate.

X509 SubjectAltName

UI: NA
Required: No

Policy Definable: No. Default: NA

One or more certificate names .to provide to the CA at the time of enrollment.

X509 SubjectAltName DNS

UI: Subject Alt Name (SAN)
Required: No

Policy Definable: No. Default: NA

One or more DNS Name Subject Alternative Name (SAN)s to provide to the CA at the time of enrollment. The maximum number allowed is specific to each CA.

When the value is missing, SANs can only be added to externally generated CSRs.

X509 SubjectAltName IPAddress

UI: NA
Required: No

Policy Definable: No. Default: NA

The IP Address to use as a SAN on the certificate.

X509 SubjectAltName OtherName UPN

UI: NA
Required: No

Policy Definable: No. Default: NA

NA

The UPN to use as a SAN on the certificate.

X509 SubjectAltName RFC822

UI: NA
Required: No

Policy Definable: No. Default: NA

The email address to use as a SAN on the certificate.

X509 SubjectAltName URI

UI: NA
Required: No

Policy Definable: No. Default: NA

The URI to use as a SAN on the certificate.

X509 T

UI: NA
Required: No

Policy Definable: No. Default: NA

The title on the user certificate.

X509 TN

UI: NA
Required: No

Policy Definable: No. Default: NA

The telephone number on the user certificate.

X509 UA

UI: NA
Required: No

Policy Definable: No. Default: NA

The unstructured address on the user certificate.

X509 UID

UI: NA
Required: No

Policy Definable: No. Default: NA

The user Id on the user certificate.

X509 UN

UI: NA
Required: No

Policy Definable: No. Default: NA

The unstructured name on the user certificate.

Xolphin CA:(fields)

UI: NA
Required: No

Policy Definable: No. Default: NA

Deprecated