Parent class—X509 Certificate Base

Contains X.509 fields and attributes that describe a certificate.

Class Name: X509 Certificate Base
Inheritance: Parent class—Driver Base and Parent class—Monitoring Base

X509 Certificate Base attributes
Attribute	Description
Adaptable CA specific attributes	Policy Definable: NA. Default: NA
Adaptable Workflow Approvers UI: Specified Approvers Required: Yes	Policy Definable: No. Default: NA One or more identities that can approve the workflow.
Adaptable Workflow Reference ID UI: NA Required: No	Policy Definable: No. Default: NA For internal use.
Adaptable Workflow Stage UI: If Stage is Required: Yes	Policy Definable: No. Default: NA Applies the workflow actions at the designated stage of the object lifecycle.
Address UI: Address Required: No	Policy Definable: Yes. Default: NA The street address that appears as part of the Subject DN of the certificate.
Allow Private Key Reuse UI: Reuse Private Keys for Service Generated CSRs Required: No	Policy Definable: Yes. Default: 0 While renewing a X509 certificate, manage the private key: 0 = Generate a new private key. 1 = Reuse the old private key.
Amazon CA specific attributes	Policy Definable: No. Default: NA
Approved Issuer UI: NA Required: No	Policy Definable: Yes. Default: NA A list of DNs that show which CAs are allowed to issue certificates.
Approver UI: Approver(s) Required: No	Policy Definable: Yes. Default: NA One or more user or group identities who are authorized to approve a workflow related to the object. Values are prefixed universals with one of the following formats: local:<universal identifier> AD+<friendly name>:<universal identifier> LDAP+<friendly name>:<universal identifier>
Certificate Authority UI: CA Template Required: No	Policy Definable: Yes. Default: NA The DN of the Certificate Authority (CA) template object to enroll the next version of the certificate.
Certificate Download: PBES2 Algorithm UI: Private Key PBE (password-based encryption) Algorithm Required: No	Policy Definable: Yes. Default: NA The download format of the private key. One of the following Password-Based Cryptography Specification Version 2.0 (PBES2) values: MD5/DES = Insecure, maximum compatibility. SHA1/3DES = Insecure, less compatibility. SHA256/AES256 = most secure, least compatibility.
Certificate Process Validator UI: NA Required: No	Policy Definable: No. Default: NA The driver name that performs additional CSR actions before and after certificate enrollment.
Certificate Vault Id UI: NA Required: Yes	Policy Definable: No. Default: NA A number that uniquely identifies the current version of the certificate that is in the vault.
City UI: City Required: No	Policy Definable: Yes. Default: NA The city name that appears as part of the Subject DN of the certificate. This field is also known as the locale.
Sectigo Certificate Manager CA specific attributes	Policy Definable: NA. Default: NA Formerly Commodo
Consumers UI: Associations Required: No	Policy Definable: No. Default: NA The DN of the Application object that is associated with the certificate. If the certificate has multiple Application objects, more than one value is present. When updating the value, be sure to change the Certificate attribute of the associated Application object.
Country UI: Country Required: No	Policy Definable: Yes. Default: NA The two character country code that appears as part of the Subject DN of the certificate. For a list of valid country codes see Country codes.
Created By UI: Created By Required: No	Policy Definable: No. Default: NA The process or application that added the Certificate object to Trust Protection Platform. The certificate originated from: Agent Discovery = Another device as reported by an agent. Network Discovery = Placement engine. Network Discovery (Manual Placement) = Manual discovery. For example, a person ran an instant Discovery and manages the certificate in the UI. Onboard Discovery = An Onboard Discovery.
CSR Thumbprint UI: NA Required: No	Policy Definable: No. Default: NA Confirms that the CSR was successfully created.
CSR Vault Id UI: NA Required: No	Policy Definable: No. Default: NA A number that uniquely identifies the CSR in the vault that Trust Protection Platform used (or will use) to enroll the certificate.
DigiCert CA specific attributes	Policy Definable: NA. Default: NA
Disable Automatic Renewal UI: Disable Automatic Renewal Required: No	Policy Definable: Yes. Default: 0 Applies when the Management Type is Enrollment or Provisioning. The means for renewing a certificate: 0 = Automatically begin certificate lifecycle processing when the certificate reaches its Renewal Window. 1 = Bypass the certificate lifecycle when the certificate reaches its Renewal Window.
Disable Password Complexity UI: Disable Password Complexity Required: No	Policy Definable: Yes. Default: 0 Password complexity for private key downloads. For an example of complexity requirements, see Extracting and downloading PEM contents into separate files. 0 = Enable password complexity for all downloads. 1 = Disable password complexity for downloads.
Discovered BY DN UI: NA Required: No	Policy Definable: No. Default: NA The Distinguished Name (DN) of the device that ran discovery.
Discovered On UI: NA Required: No	Policy Definable: No. Default: NA For internal discovery placement use only. A string that maps to a unique instance and describes where the certificate was discovered.
Domain Suffix Whitelist UI: Allowed Domains Required: No	Policy Definable: Yes. Default: NA The allowed list of domain suffixes that are acceptable in new certificate requests. For example, mydomain.com sales.usa.com.
Elliptic Curve UI: NA Required: No	Policy Definable: Yes. Default: NA The National Institute of Standards and Technology (NIST) curve algorithm. For example, 256P.
Encryption Driver UI: Key Generation Required: No	Policy Definable: Yes. Default: Software The key name that Trust Protection Platform will use when generating encryption keys for certificates. Software is currently the only value allowed.
Enforce Unique Subject UI: Allow duplicate Common and Subject Alternate Names Required: No	Policy Definable: Yes. Default: 0 Determines whether the certificate can use the Common Name (CN) as the SAN Domain Name Server (DNS) name. For new or renewed certificates: 0 = Allow CN and SAN DNS names to be the same. 1 = Require CN and SAN DNS names to be different.
Entrust PKI Gateway:Early Private Key Vault ID UI: NA Required: No	Policy Definable: No. Default: NA Internal
Entrust PKI Gateway:Early X509 Vault ID UI: NA Required: No	Policy Definable: No. Default: NA Internal
EntrustNET and ESM CA specific attributes	Policy Definable: NA. Default: NA
Escalation Notice Interval UI: Send event every (days) Required: No	Policy Definable: Yes. Default: 1 The number of elapsed days between sending escalated expiration events for the certificate.
Escalation Notice Start UI: Start escalating events (days) Required: No	Policy Definable: Yes. Default: 15 The number of days, prior to the expiration date of a certificate, to begin logging escalated expiration events.
EST ReEnrollment In Progress UI: NA Required: No	Policy Definable: No. Default: NA The status of a certificate re-enrollment that occurred via an Enrollment over Secure Transport (EST).
Expiration Notice Interval UI: Send event every (days) Required: No	Policy Definable: Yes. Default: 1 The number of days that elapse between sending expiration events for the certificate.
Expiration Notice Start UI: Start generating events (days) Required: No	Policy Definable: Yes. Default: 30 The number of days, prior to the expiration date of a certificate, to begin logging expiration events.
Fields UI: Custom Fields Required: No	Policy Definable: Yes. Default: NA An identifier-value pair for a custom field.
Generate Keypair on Application UI: Generate Key/CSR on Application Required: No	Policy Definable: Yes. Default: 0 The location where the CSR and the private key generate: 0 = On the application server. Archive both in the Trust Protection Platform database. 1 = On the remote host. Archive both in the Trust Protection Platform database. Works when: The driver supports remote generation. The certificate is not self-signed. It can only be associated with one Application object. The Management Type is Provisioning.
GeoTrust CA: UI: (All fields) Required: No	Policy Definable: No. Default: NA Deprecated.
Given Name UI: NA Required: No	Policy Definable: No. Default: NA The certificate approver's first name.
GlobalSign CA specific attributes	Policy Definable: NA. Default: NA
Grouping Id UI: Group Id Required: No	Policy Definable: Yes. Default: No The identifier that groups related log events together.
In Error UI: NA Required: No	Policy Definable: No. Default: 0 Set internally by Trust Protection Platform: 0 = No errors. 1 = Error. A management operation failed and no further processing for this certificate will occur.
In Process UI: NA Required: No	Policy Definable: No. Default: NA The process state of the CSR.
Internet Email Address UI: Email Required: No	Policy Definable: No. Default: NA The email address that appears as part of the Subject DN of the certificate.
Issued to UI: NA Required: No	Policy Definable: No. Default: NA The name or company who received the certificate.
Key Algorithm UI: Hash Algorithm Required: No	Policy Definable: Yes. Default: NA For the CSR, choose SHA-256, SHA-384, or SHA-512.
Key Bit Strength UI: Key Strength (Bits) Required: No	Policy Definable: Yes. Default: NA The bit length of the key to be generated for the next version of the certificate. Valid values are: 512, 1024, 2048, and 4096.
Key Storage Location UI: NA Required: Yes	Policy Definable: No. Default: NA The HSM connector name in CodeSign Protect.
Keynectis Sequoia CA:Fields UI: NA Required: No	Policy Definable: No. Default: NA Deprecated
Last Evaluated On UI: Last Check Required: No	Policy Definable: No. Default: NA The date and time of the most recent SSL/TLS certificate validation.
Last Notification UI: NA Required: No	Policy Definable: No. Default: NA The date and time of the most recent Trust Protection Platform notification for this certificate.
Last Renewed By UI: NA Required: No	Policy Definable: No. Default: NA The Trust Protection Platform identity who made the most recent certificate change.
Last Renewed On UI: NA Required: No	Policy Definable: No. Default: NA The date and time of the most recent certificate renewal.
Last Validation State Update UI: NA Required: No	Policy Definable: No. Default: NA The date and time of the most recent certificate change.
License Count UI: NA Required: Yes	Policy Definable: No. Default: NA The number of servers that can host the certificate. If a CA requires a license for each installed instance, this value must match the number of instances. Applies to Comodo, Entrust Certificate Services CAs.
Management Type Management Type No UI: NA Required: No	Policy Definable: Yes. Default: Monitoring The management type of the certificate. Valid values are: Monitoring, Enrollment, and Provisioning.
Manual Approval UI: Manual Approval Required: No	Policy Definable: Yes. Default: 0 The setting to manage approvals for issuing new or renewed certificates: 0= Automatic approval. 1 = Manual approval by a person is required.
Manual Csr UI: CSR Generation Required: No	Policy Definable: Yes. Default: 0 The setting to manage Certificate Signing Request (CSR)s: 0 = Allow a Service Generated CSR. Use this setting when a certificate is associated with multiple applications. Allows the system to push the private key to multiple applications. 1 = Require a user to provide a CSR.
Microsoft CA specific attributes	Policy Definable: NA. Default: NA
Network Validation Disabled UI: Disable Network Validation Required: No	Policy Definable: Yes. Default: 0 The setting for network validation: 0 = Validate by making an SSL/TLS connection to the managed device. 1 = Disable network validation.
OpenTrust Enterprise PKI CA specific attributes	Policy Definable: NA. Default: NA
Options UI: NA Required: No	Policy Definable: Yes. Default: NA The source of the CSR on this certificate: CSR Needed = Issue a new CSR. Last CSR Was Service Generated = Use the previous.
Organization UI: Organization Required: No	Policy Definable: Yes. Default: NA The Organization (O) name that appears as part of the Subject DN of the certificate.
Organizational Unit UI: Organizational Unit Required: No	Policy Definable: Yes. Default: NA The Organizational Unit (OU) name that appears as part of the Subject DN of the certificate.
Origin UI: NA Required: No	Policy Definable: No. Default: NA The friendly name of the system requesting the certificate.
PKCS10 Hash Algorithm UI: PKCS10 Hash Algorithm Required: No	Policy Definable: Yes. Default: NA The algorithm used to sign and create the CSR. The certificate algorithm is finalized by the CA when it signs the CSR: Sha1, Sha256, Sha384, or Sha512.
Postal Code UI: Postal Code Required: Yes	Policy Definable: Yes. Default: NA The postal or zip code of the certificate.
Private Key Vault Id UI: NA Required: No*	Policy Definable: No. Default: NA A number that uniquely identifies the private key stored in the vault and corresponds to the current version of the certificate. Required when the certificate provisioning mode is: agent: Use an agent to provision. agentless: Generate Keypair on Application' is null or zero.
Prohibit Wildcard UI: Prohibit Wildcard Required: No	Policy Definable: Yes. Default: 0 The setting to control the use of the asterisk (*) for wild cards on a CN: 0 = Allow wild cards to renew, enroll, or upload a X509 certificate object. 1 = Prohibit wildcard certificates to renew, enroll, or upload a X509 certificate object.
Prohibited Subject Attributes UI: Prohibited Subject Attributes Required: Yes	Policy Definable: Yes. Default: NA The set of prohibited certificate Subject attributes.
Protection Key UI: NA Required: Yes	Policy Definable: No. Default: Software The key name to secure the private key in Secret Store.
Public Key Vault Id UI: NA Required: No	Policy Definable: No. Default: NA The Vault ID of the public key.
Renewal Window UI: Renewal Window Required: No	Policy Definable: Yes. Default: 30 The number of days, prior certificate expiration, when automatic renewal should begin. This attribute is ignored when Disable Automatic Renewal is 1.
Reverse DC Order UI: NA Required: No	Policy Definable: Yes. Default: NA Sets the order of the domain component (DC) association for the Secret Store.
Revocation Check Disabled UI: Revocation Check Disabled Required: No	Policy Definable: Yes. Default: NA Monitor for revoked certificates: No = Monitor for revoked certificates: Yes = Disable monitoring for revoked certificates.
Revocation Check In Error UI: Revocation Check In Error Required: No	Policy Definable: Yes. Default: 0 Set internally by Trust Protection Platform 0 = No errors. 1 = Error. A revocation checking operation failed for this certificate.
Revocation Check Last Checked UI: Revocation Check Last Checked Required: No	Policy Definable: Yes. Default: NA The date at time of Trust Protection Platform verified that this certificate is active and not revoked.
Revocation Check Now UI: Revocation Check Now Required: No	Policy Definable: Yes. Default: 0 Deprecated.
Revocation Check Status UI: Revocation Check Status Required: No	Policy Definable: Yes. Default: NA The status of a revoked certificate: None = No status has been set. Failed = Revocation failed. Pending = Revocation is pending. Complete = Revocation is complete. Confirmed = Revoked by CA and confirmed on certificate revocation lists or an Online Certificate Status Protocol (OCSP) reply.
Revocation Original Request UI: Revocation Original Request Required: No	Policy Definable: Yes. Default: NA The ability to show the certificate revocation request.
Revocation Request UI: NA Required: No	Policy Definable: No. Default: NA The Vault ID of the certificate that Trust Protection Platform should revoke as soon as the engine is able to do so. Also includes the Revocation Reason and Comments to send to the CA at the time of revocation. Syntax: <Vault ID>\|<Revocation Reason>\|<Comment> Example: 12345\|Superceded\|Replaced by new cert
Scep Transaction Id UI: NA Required: Yes	Policy Definable: No. Default: NA The Simple Certificate Enrollment Protocol (SCEP) for a mobile device certificate.
Server Type UI: Server Type Required: Yes	Policy Definable: Yes. Default: NA The CA specific attribute for renewal or enrollment. A predefined server type.
Signing Request Subject UI: NA Required: No	Policy Definable: No. Default: NA Set internally by Trust Protection Platform. Used internally to store the Subject DN of the last CSR that was used to enroll with the CA.
Specific End Date UI: Expiration Required: No	Policy Definable: No. Default: NA The certificate validity period.
Stage UI: NA Required: No	Policy Definable: No. Default: NA Set internally by Trust Protection Platform. The current lifecycle process stage of the certificate.
State UI: State/Province Required: No	Policy Definable: Yes. Default: NA The state (ST) name that appears as part of the Subject DN of the certificate.
Status UI: NA Required: No	Policy Definable: No. Default: NA Set internally by Trust Protection Platform. The current status of processing for the application. Values may include an error message, an indication that processing has stopped pending workflow approval, or some other status. The absence of this attribute indicates an OK status.
SID Extension:Value UI: AD Security Identifier source - Look up SID from AD Identity - Enter SID manually Required: No	Policy Definable: Yes. Default: NA Contains SID (AD Security Identifier) value or AD identity (prefixed universal) to resolve the SID value from. This attribute is used for service-generated CSRs.
SID Extension:Effective Value UI: NA Required: No	Policy Definable: Yes. Default: NA Is set when certificate issuance is in progress and contains effective SID (AD Security Identifier) value. Format is: `“value;identity”`. Identity format is prefixed universal. Attribute is read-only and is overwritten by Certificate Manager on every issuance and renewal.
Surname UI: Last Name Required: No	Policy Definable: Yes. Default: NA The last name of a person that is collected by the CA at the time of enrollment.
Symantec LHK CA UI: NA Required: No	Policy Definable: No. Default: NA Deprecated as of 21.3. However the database column may still be present. in the database.
Symantec MPKI CA specific attributes	Policy Definable: No. Default: NA Deprecated as of 21.3. However the database column may still be present. in the database.
Telephone UI: Telephone Required: No	Policy Definable: Yes. Default: NA The contact's telephone number for this certificate.
Thawte CA UI: NA Required: No	Policy Definable: No. Default: NA Deprecated
Transaction Id UI: NA Required: No	Policy Definable: No. Default: NA Set internally by Trust Protection Platform. The identifier that the CA issued during the last CSR.
Trusted Status UI: NA Required: No	Policy Definable: No. Default: NA The status of the certificate trust bundle.
VikingCloud CA specific attributes	Policy Definable: NA. Default: NA
Validation State UI: Validation State Required: No	Policy Definable: No. Default: NA For more information, see Certificates File validation states.
Validity Period UI: Validity Period Required: Yes	Policy Definable: No. Default: NA The number of months between issuance and expiration dates of the certificate. When setting this attribute, the valid periods must be read from the assigned CA template object.
Verizon CA UI: NA Required: No	Policy Definable: No. Default: NA Deprecated
Want Renewal UI: Reuse Private Key Required: No	Policy Definable: Yes. Default: NA A value of 1 reuses the private key upon renewal.
Work To Do UI: Work to Do Required: No	Policy Definable: No. Default: NA A value of 1 performs lifecycle processing as soon as a TLS Protect is able to do so. Trust Protection Platform automatically deletes this attribute upon completion.
X509 Extension Fields UI: NA Required: No	Policy Definable: No. Default: NA The custom fields on the user certificate.
X509 D UI: NA Required: No	Policy Definable: No. Default: NA The description on user certificate.
X509 DC UI: NA Required: No	Policy Definable: No. Default: NA The DN qualifier on the user certificate.
X509 DNQ UI: NA Required: No	Policy Definable: No. Default: NA The DN email address on the user certificate.
X509 E UI: NA Required: No	Policy Definable: No. Default: NA The DN email address on the user certificate.
X509 Extension Fields UI: NA Required: No	Policy Definable: No. Default: NA The additional certificate extension fields on the user certificate.
X509 GN UI: NA Required: No	Policy Definable: No. Default: NA The given name on the user certificate.
X509 GQ UI: NA Required: No	Policy Definable: No. Default: NA The generation qualifier on the user certificate.
X509 I UI: NA Required: No	Policy Definable: No. Default: NA The initials on the user certificate.
X509 P UI: NA Required: No	Policy Definable: No. Default: NA The pseudonym on the user certificate.
X509 PA UI: NA Required: No	Policy Definable: No. Default: NA The postal address on the user certificate.
X509 PC UI: NA Required: No	Policy Definable: No. Default: NA The postal code on the user certificate.
X509 SA UI: NA Required: No	Policy Definable: No. Default: NA The street address on the user certificate.
X509 SN UI: NA Required: No	Policy Definable: No. Default: NA The surname on the user certificate.
X509 SNO UI: NA Required: No	Policy Definable: No. Default: NA The serial number on the user certificate.

X509 Subject UI: Common Name Required: No	Policy Definable: No. Default: NA The common name (CN) that appears as part of the Subject DN of the certificate.
X509 SubjectAltName UI: NA Required: No	Policy Definable: No. Default: NA One or more certificate names .to provide to the CA at the time of enrollment.
X509 SubjectAltName DNS UI: Subject Alt Name (SAN) Required: No	Policy Definable: No. Default: NA One or more DNS Name Subject Alternative Name (SAN)s to provide to the CA at the time of enrollment. The maximum number allowed is specific to each CA. When the value is missing, SANs can only be added to externally generated CSRs.
X509 SubjectAltName IPAddress UI: NA Required: No	Policy Definable: No. Default: NA The IP Address to use as a SAN on the certificate.
X509 SubjectAltName OtherName UPN UI: NA Required: No	Policy Definable: No. Default: NA NA The UPN to use as a SAN on the certificate.
X509 SubjectAltName RFC822 UI: NA Required: No	Policy Definable: No. Default: NA The email address to use as a SAN on the certificate.
X509 SubjectAltName URI UI: NA Required: No	Policy Definable: No. Default: NA The URI to use as a SAN on the certificate.
X509 T UI: NA Required: No	Policy Definable: No. Default: NA The title on the user certificate.
X509 TN UI: NA Required: No	Policy Definable: No. Default: NA The telephone number on the user certificate.
X509 UA UI: NA Required: No	Policy Definable: No. Default: NA The unstructured address on the user certificate.
X509 UID UI: NA Required: No	Policy Definable: No. Default: NA The user Id on the user certificate.
X509 UN UI: NA Required: No	Policy Definable: No. Default: NA The unstructured name on the user certificate.
Xolphin CA:(fields) UI: NA Required: No	Policy Definable: No. Default: NA Deprecated