Certificate Properties
This section lists the properties that describe system certificates, trusted certificates, and certificate signing requests (CSRs). Unless stated otherwise for a particular property, these properties are optional, their values are text strings, and they are read-only except when you are creating a CSR.
The following properties specify information about a certificate:
comment
-
Specifies an optional comment.
dns
-
Specifies a list of DNS names for which this certificate is issued. By default, this property value specifies the DNS names for this system's IP addresses. This value enables the client to verify that you have reached the intended system. This value is read-only except when creating a CSR.
dirname
-
Specifies a list of LDAP/X.500-style distinguished names for which the certificate is issued. This value is read-only except when creating a CSR.
ip
-
Specifies a list of IP addresses for which this certificate is issued. By default, this property specifies the system's IP addresses. This value enables the client to verify that you have reached the intended system. This value is read-only except when creating a CSR.
notafter
-
Specifies a time after which the certificate cannot be used. The timestamp is formatted as:
YYYY-[M]M-[D]D HH:mm[:ss]
Note that this value is always read-only and cannot be specified as part of a CSR.
notbefore
-
Specifies a time before which the certificate cannot be used. The timestamp is formatted as:
YYYY-[M]M-[D]D HH:mm[:ss]
Note that this value is always read-only and cannot be specified as part of a CSR.
serialnumber
-
Specifies the serial number of the certificate. Note that this value is always read-only and is present only in a certificate, not in a CSR.
sha1fingerprint
-
Specifies the SHA1 fingerprint of the certificate. This fingerprint value is automatically generated. The format is a list of hexadecimal pairs that are separated by colons. Note that this value is always read-only and is present only in a certificate, not in a CSR.
sha256fingerprint
-
Specifies the SHA256 fingerprint of the certificate. This fingerprint value is automatically generated. The format is a list of hexadecimal pairs that are separated by colons. Note that this value is always read-only and is present only in a certificate, not in a CSR.
type
-
Specifies the type of this entry. This value is read-only and automatically generated. Valid values are:
cert
Specifies that the entry is a certificate.
CA
Specifies that the entry is a CA certificate.
request
Specifies that the entry is a CSR.
key
Specifies that the entry is a key.
uri
-
Specifies a list of universal resource identifiers (URIs) for which this certificate is issued. There is no default value. This value enables the client to verify that you have reached the intended system. This value is read-only except when creating a CSR.
uuid
-
Specifies the universally unique identifier (UUID) for this entry. This value is read-only and automatically generated.
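The fingerprint and timestamp formats described above, as an added example that is not part of the original documentation: it renders a digest as colon-separated hexadecimal pairs, checks a reported fingerprint against one obtained out of band before a certificate is trusted, and parses notbefore/notafter values in the YYYY-[M]M-[D]D HH:mm[:ss] form. Only the Python standard library is used; SAMPLE_DER is constructed sample data, not a real certificate.

```python
# Added example (not from the original appliance documentation): format and
# check certificate property values in the shapes described above, using only
# the Python standard library. SAMPLE_DER is constructed sample data, not a
# real certificate's DER encoding.
import hashlib
import re
from datetime import datetime

SAMPLE_DER = bytes(range(64))  # constructed stand-in for certificate DER bytes

# Number of hexadecimal pairs each fingerprint property carries.
DIGEST_PAIRS = {"sha1": 20, "sha256": 32}
_PAIRS_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*$")


def fingerprint(der: bytes, algorithm: str) -> str:
    """Digest the DER bytes and render the result as colon-separated
    hexadecimal pairs, the format of sha1fingerprint/sha256fingerprint."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def is_well_formed_fingerprint(value: str, algorithm: str) -> bool:
    """True if `value` is colon-separated hex pairs of the right count."""
    return bool(_PAIRS_RE.match(value)) and value.count(":") + 1 == DIGEST_PAIRS[algorithm]


def fingerprints_match(reported: str, expected: str, algorithm: str) -> bool:
    """Compare a fingerprint reported by the system with the one an operator
    obtained out of band; both must be well formed and are compared
    case-insensitively. Use this before marking a certificate as trusted."""
    if not (is_well_formed_fingerprint(reported, algorithm)
            and is_well_formed_fingerprint(expected, algorithm)):
        return False
    return reported.upper() == expected.upper()


def parse_validity(timestamp: str) -> datetime:
    """Parse a notbefore/notafter value in YYYY-[M]M-[D]D HH:mm[:ss] form.
    strptime accepts one- or two-digit month and day, so both spellings parse."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M"):
        try:
            return datetime.strptime(timestamp, fmt)
        except ValueError:
            continue
    raise ValueError(f"not a YYYY-[M]M-[D]D HH:mm[:ss] timestamp: {timestamp!r}")


def within_validity(notbefore: str, notafter: str, when: datetime) -> bool:
    """True if `when` falls inside the certificate's validity window."""
    return parse_validity(notbefore) <= when <= parse_validity(notafter)


if __name__ == "__main__":
    print("sha256fingerprint =", fingerprint(SAMPLE_DER, "sha256"))
    print("valid now:", within_validity("2024-1-1 00:00", "2026-12-31 23:59:59",
                                        datetime.now()))
```

Comparing against the sha256fingerprint rather than the sha1fingerprint is the safer choice when both are shown, since the SHA-1 value is the weaker identifier.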
The following read-only property values provide information about the certificate issuer and are under the control of the certificate authority (CA). You can use the following information to find the certificate.
issuer_commonname
-
Specifies the certificate issuer's common name.
issuer_countryname
-
Specifies the country name.
issuer_emailaddress
-
Specifies the email address.
issuer_localityname
-
Specifies the locality name, such as a city or town.
issuer_organizationalunitname
-
Specifies the organizational unit name.
issuer_organizationname
-
Specifies the organization name.
issuer_stateorprovincename
-
Specifies the state or province name.
The following property values provide information about the certificate subject. You can use the following information to find the subject's certificate.
When you create a CSR to obtain a host certificate, you supply the following information about the host.
subject_commonname
-
Specifies the certificate subject's common name. By convention, this value is the system's canonical DNS name. When you create a CSR, you must specify this property value for the host certificate.
subject_countryname
-
Specifies the country name.
subject_emailaddress
-
Specifies the email address.
subject_localityname
-
Specifies the locality name, such as a city or town.
subject_organizationalunitname
-
Specifies the organizational unit name.
subject_organizationname
-
Specifies the organization name.
subject_stateorprovincename
-
Specifies the state or province name.
The following properties control the creation of encryption keys for CSRs and for the certificates that are generated from them:
key_type
-
Specifies the encryption type. You must specify one of the following property values:
RSA
(for Rivest-Shamir-Adleman) is the default value
EC
(for Elliptic Curve)
key_bits
-
Specifies a key size. This value depends on the value of key_type.
- When key_type=RSA:
  - Reports a key size.
  - When creating a CSR, requests a key size, which is an even number from 2048 to 4096. The default value is 2048.
- When key_type=EC: Reports the key size for an EC certificate, CSR, or key.
- When
key_curve
-
Specifies a list of EC curve values. Note that this list is subject to change over time. Requests or reports a particular curve. The default value is prime256v1 (P-256). This value is used only when key_type=EC.
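The CSR rules stated above (required subject_commonname, read-only values that cannot be set in a CSR, key_type RSA or EC, key_bits an even number from 2048 to 4096 for RSA, key_curve defaulting to prime256v1 for EC), as an added example that is not the appliance's own code: a local pre-flight check that rejects a malformed request before it is submitted. The property names come from the page; turning its text into this rule set, treating a key_curve supplied with key_type=RSA as an error, and the sample request are this example's assumptions.

```python
# Added example (not the appliance's own code): check a set of CSR properties
# against the rules stated above before the request is submitted. The property
# names come from the page; turning its text into this rule set, and treating
# a key_curve supplied with key_type=RSA as an error, are this example's
# assumptions. The sample request at the bottom is constructed.
import ipaddress

RSA_MIN_BITS, RSA_MAX_BITS, RSA_DEFAULT_BITS = 2048, 4096, 2048
DEFAULT_CURVE = "prime256v1"  # P-256
# Values the page marks as always read-only or present only in a certificate.
NOT_SETTABLE_IN_CSR = {"notbefore", "notafter", "serialnumber", "sha1fingerprint",
                       "sha256fingerprint", "type", "uuid"}


def csr_property_errors(props: dict) -> list:
    """Return every rule violation found in `props` (an empty list means OK)."""
    errors = []
    for name in sorted(NOT_SETTABLE_IN_CSR.intersection(props)):
        errors.append(f"{name} is read-only and cannot be set in a CSR")
    if not props.get("subject_commonname"):
        errors.append("subject_commonname is required for a host certificate")
    # Subject alternative names: each list must hold non-empty strings, and
    # every ip entry must actually parse as an IPv4 or IPv6 address.
    for name in ("dns", "ip", "uri", "dirname"):
        for entry in props.get(name, []):
            if not isinstance(entry, str) or not entry:
                errors.append(f"{name} entries must be non-empty strings")
                break
            if name == "ip":
                try:
                    ipaddress.ip_address(entry)
                except ValueError:
                    errors.append(f"ip entry {entry!r} is not a valid IP address")
    key_type = props.get("key_type", "RSA")
    if key_type == "RSA":
        bits = props.get("key_bits", RSA_DEFAULT_BITS)
        if (not isinstance(bits, int) or bits % 2
                or not RSA_MIN_BITS <= bits <= RSA_MAX_BITS):
            errors.append(f"key_bits must be an even number from {RSA_MIN_BITS} to "
                          f"{RSA_MAX_BITS} when key_type=RSA, got {bits!r}")
        if "key_curve" in props:
            errors.append("key_curve is used only when key_type=EC")
    elif key_type != "EC":
        errors.append(f"key_type must be RSA or EC, got {key_type!r}")
    return errors


def normalize_csr_properties(props: dict) -> dict:
    """Apply the documented defaults (key_type=RSA, key_bits=2048, key_curve=
    prime256v1 for EC) and return the completed request, or raise ValueError
    listing every violation so the request is rejected locally, not by the system."""
    errors = csr_property_errors(props)
    if errors:
        raise ValueError("; ".join(errors))
    result = dict(props)
    result.setdefault("key_type", "RSA")
    if result["key_type"] == "RSA":
        result.setdefault("key_bits", RSA_DEFAULT_BITS)
    else:
        result.setdefault("key_curve", DEFAULT_CURVE)
    return result


if __name__ == "__main__":
    # Constructed sample request for a host certificate.
    request = {
        "subject_commonname": "storage01.example.test",
        "subject_organizationname": "Example Org",
        "dns": ["storage01.example.test"],
        "ip": ["192.0.2.10"],
        "key_type": "EC",
    }
    print(normalize_csr_properties(request))
```

Collecting every violation before raising, rather than stopping at the first, lets an operator fix a request in one pass; the check on ip entries catches the common mistake of a hostname placed in the ip list, where it would never match what a client connects to.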