certificate-record
This configuration element configures certificate records for TLS support.
Parameter
- name
- The name of this certificate record object.
- country
- Enter the country abbreviation. Length: 2 characters.
- Default: US
- Values: 2 characters
- state
- Enter the region abbreviation or name.
- Default: MA
- Values: 1-128 characters
- locality
- Enter the name of the organization holding the certificate.
- Default: Burlington
- Values: 1-128 characters
- organization
- Enter the name of the organization holding the certificate.
- Default: Engineering
- Values: 1-64 characters
- unit
- Enter the name of the unit for holding the certificate within the organization.
- Values: 1-64 characters
- common-name
- Enter the common name for the certificate record.
If secure-certificate-mode is enabled, do not set this to an IP address. The system considers a certificate-record invalid if it includes an IP address in the SAN or CN.
If you are using SAN/CN validation, either this parameter or common-name is required. For CN validation, this must be a domain name or an IP address.
- Values: 1-64 characters
- key-size
- Set the size of the key for the certificate.
- Default: 2048
- Values: 1024 | 2048 | 4096 (on systems with appropriate hardware)
- alternate-name
- The alternate name of the certificate holder which can be expressed as a DNS host, or email address. Configure this parameter using the following syntax to express each of these 3 forms.
Note:
If secure-certificate-mode is enabled, do not include an IP address. The system considers a certificate-record invalid if it includes an IP address in the SAN or CN.
- IP:<IPv4 or IPv6 address>
- DNS:<hostname>
- URI:sip:<hostname or IP address>
- URI:sips:<hostname or IP address>
Note:
Do not add IP or domain indications to the URI:sip or URI:sips prefixes. Anything following these is assumed to be an IP or domain. For example, do not use URI:sip:IP:10.0.0.1. Instead, use URI:sip:10.0.0.1. Also, do not include additional user info, ports, or symbols.
- email:<email address> (not supported for SAN/CN validation)
Note:
This field adheres to the standard ACLI character limit of 1024.
ORACLE(certificate-record)# alternate-name IP:10.0.0.0,IP:10.0.0.1,DNS:example.com
- trusted
- Enable or disable trust of this certificate
- Default: enabled
- Values: enabled | disabled
- key-usage-list
- Enter the usage extensions to use with this certificate record; can be configured with multiple values.
- Default: digitalSignature and keyEncipherment
- Values: digitalSignature | nonRepudiation | keyEncipherment | dataEncipherment | keyAgreement | encipherOnly | decipherOnly
- extended-key-usage-list
- Enter the extended key usage extensions you want to use with this certificate record.
- Default: serverAuth
- Values: serverAuth | clientAuth
Note:
When you enable a tls-profile for mutual-authentication, you must also configure the extended-key-usage-list parameter within the associated end-entity-certificate to both the serverAuth and clientAuth values.
- key-algor
- Set a key algorithm.
- Values: rsa | rsapss | ecdsa
- digest-algor
- Set a digest algorithm.
- Values: sha1 | sha256 | sha384
Note:
When the FIPS entitlement is enabled, you cannot select sha1.
- ecdsa-key-size
- When key-algor is set to ECDSA, set the ECDSA key size.
- Values: p256 | p384
- cert-status-profile-list
- Enter a list of configured cert-status-profile names.
- cmp-profile
- Specifies the cmp-profile that applies to this certificate-record. If the system confirms the profile exists, the system uses CMP to manage this certificate automatically. If this parameter is empty, you must manage the certificate manually.
Note:
This is applicable to end-entity certificates only, not CA certificates.
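The alternate-name rules listed above (allowed forms, the URI:sip restrictions, the secure-certificate-mode IP ban, and the 1024-character limit) can be checked before a value is entered at the ACLI. The following Python validator is an added example, not Oracle code; the function name check_alternate_name, its two flags, and the hostname pattern are assumptions made for illustration.

```python
import ipaddress
import re

MAX_LEN = 1024  # ACLI character limit stated on the page
PREFIXES = ("URI:sips:", "URI:sip:", "IP:", "DNS:", "email:")  # forms listed on the page
# Assumption: hostnames are RFC 1123 style labels; the page does not define the syntax.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")
SAMPLE = "IP:10.0.0.0,IP:10.0.0.1,DNS:example.com"  # the value shown in the page's ACLI line


def is_ip(text):
    """True if text is a bare IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_alternate_name(value, secure_certificate_mode=False, san_validation=False):
    """Return a list of problems in an alternate-name value; an empty list means it passed."""
    problems = []
    if len(value) > MAX_LEN:
        problems.append("value exceeds the 1024-character ACLI limit")
    for entry in value.split(","):
        # Assumption: prefixes are matched case-sensitively, exactly as the page writes them.
        prefix = next((p for p in PREFIXES if entry.startswith(p)), None)
        if prefix is None:
            problems.append(f"{entry!r}: not one of the documented forms")
            continue
        body = entry[len(prefix):]
        if prefix == "email:":
            if san_validation:
                problems.append(f"{entry!r}: email is not supported for SAN/CN validation")
            continue
        ip = is_ip(body)
        host = HOSTNAME.fullmatch(body) is not None
        if prefix == "IP:" and not ip:
            problems.append(f"{entry!r}: not an IPv4 or IPv6 address")
        elif prefix == "DNS:" and not host:
            problems.append(f"{entry!r}: not a hostname")
        elif prefix.startswith("URI:") and not (ip or host):
            # Catches URI:sip:IP:10.0.0.1, user info, ports and other symbols.
            problems.append(f"{entry!r}: URI must be followed by a bare hostname or IP")
        if ip and secure_certificate_mode:
            problems.append(f"{entry!r}: IP address not allowed with secure-certificate-mode")
    return problems
```

The page's own sample value passes with secure-certificate-mode off and yields two findings, one per IP entry, with it on.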
Path
certificate-record is an element under the security path. The full path from the topmost prompt is: .