Certificate Properties

This section lists the properties that describe system certificates, trusted certificates, and certificate signing requests (CSRs). Unless otherwise noted, each property is optional, its value is a text string, and it is read-only except while you are creating a CSR.

The following properties specify information about a certificate:

comment

Specifies an optional comment.

dns

Specifies a list of DNS names for which this certificate is issued. By default, this property value specifies the DNS names for this system's IP addresses. This value enables the client to verify that you have reached the intended system. This value is read-only except when creating a CSR.

dirname

Specifies a list of LDAP/X.500-style distinguished names for which the certificate is issued. This value is read-only except when creating a CSR.

ip

Specifies a list of IP addresses for which this certificate is issued. By default, this property specifies the system's IP addresses. This value enables the client to verify that you have reached the intended system. This value is read-only except when creating a CSR.

notafter

Specifies a time after which the certificate cannot be used. The timestamp is formatted as:

YYYY-[M]M-[D]D HH:mm[:ss]

Note that this value is always read-only and cannot be specified as part of a CSR.

notbefore

Specifies a time before which the certificate cannot be used. The timestamp is formatted as:

YYYY-[M]M-[D]D HH:mm[:ss]

Note that this value is always read-only and cannot be specified as part of a CSR.

serialnumber

Specifies the serial number of the certificate. Note that this value is always read-only and is present only in a certificate, not in a CSR.

sha1fingerprint

Specifies the SHA1 fingerprint of the certificate. This fingerprint value is automatically generated. The format is a list of hexadecimal pairs that are separated by colons. Note that this value is always read-only and is present only in a certificate, not in a CSR.

sha256fingerprint

Specifies the SHA256 fingerprint of the certificate. This fingerprint value is automatically generated. The format is a list of hexadecimal pairs that are separated by colons. Note that this value is always read-only and is present only in a certificate, not in a CSR.

type

Specifies the type of this entry. This value is read-only and automatically generated. Valid values are:

  • cert specifies that the entry is a certificate
  • CA specifies that the entry is a CA-certificate
  • request specifies that the entry is a CSR
  • key specifies that the entry is a key

uri

Specifies a list of uniform resource identifiers (URIs) for which this certificate is issued. There is no default value. This value enables the client to verify that you have reached the intended system. This value is read-only except when creating a CSR.

uuid

Specifies the universally unique identifier (UUID) for this entry. This value is read-only and automatically generated.
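The following Python script is an added example, not part of this documentation or of any appliance software. Using the third-party `cryptography` library, it reads the properties defined above (dns, ip, uri, dirname, notbefore, notafter, serialnumber, sha1fingerprint, sha256fingerprint, and the common names) from an X.509 certificate and formats the timestamps as YYYY-MM-DD HH:mm:ss and the fingerprints as colon-separated hexadecimal pairs. The self-signed certificate it inspects is constructed inside the script; the function names, the uppercase hex digits and the hexadecimal serial number are this example's own choices, since the page does not specify those details. The last function shows the check an operator would make when comparing a pasted sha256fingerprint against the certificate a system actually presents.

```python
"""Added example: read a certificate's read-only properties with `cryptography`.
The certificate built here is constructed test data, not from any real system."""
import datetime
import hmac
import ipaddress
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"   # YYYY-MM-DD HH:mm:ss, as in the property text
# 32 hexadecimal pairs separated by colons, the documented fingerprint layout.
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")


def build_test_certificate() -> x509.Certificate:
    """Constructed sample: a self-signed EC (prime256v1) certificate whose
    subjectAltName carries one entry of each kind the properties describe."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Storage"),
        x509.NameAttribute(NameOID.COMMON_NAME, "storage.example.com"),
    ])
    san = x509.SubjectAlternativeName([
        x509.DNSName("storage.example.com"),                      # dns
        x509.IPAddress(ipaddress.ip_address("192.0.2.10")),       # ip
        x509.UniformResourceIdentifier("https://storage.example.com/"),  # uri
        x509.DirectoryName(x509.Name([                            # dirname
            x509.NameAttribute(NameOID.COMMON_NAME, "storage.example.com")])),
    ])
    not_before = datetime.datetime(2024, 1, 1, 0, 0, 0)  # naive datetimes are treated as UTC
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + datetime.timedelta(days=365))
        .add_extension(san, critical=False)
        .sign(key, hashes.SHA256())
    )


def colon_hex(digest: bytes) -> str:
    """Format a digest as colon-separated hexadecimal pairs, e.g. 'AB:CD:...'."""
    return ":".join(f"{b:02X}" for b in digest)


def describe_certificate(cert: x509.Certificate) -> dict:
    """Return the certificate's values keyed by the property names used above."""
    # cryptography >= 42 exposes timezone-aware *_utc accessors; fall back otherwise.
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "subject_commonname": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "issuer_commonname": cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "notbefore": not_before.strftime(TIMESTAMP_FORMAT),
        "notafter": not_after.strftime(TIMESTAMP_FORMAT),
        "serialnumber": format(cert.serial_number, "X"),   # hex rendering is an assumption
        "sha1fingerprint": colon_hex(cert.fingerprint(hashes.SHA1())),
        "sha256fingerprint": colon_hex(cert.fingerprint(hashes.SHA256())),
        "dns": san.get_values_for_type(x509.DNSName),
        "ip": [str(addr) for addr in san.get_values_for_type(x509.IPAddress)],
        "uri": san.get_values_for_type(x509.UniformResourceIdentifier),
        "dirname": [n.rfc4514_string() for n in san.get_values_for_type(x509.DirectoryName)],
    }


def fingerprint_matches(cert: x509.Certificate, expected_sha256: str) -> bool:
    """Pin check: compare the presented certificate's SHA256 fingerprint with the
    value an operator recorded, tolerating case differences and missing colons."""
    expected = expected_sha256.replace(":", "").strip().upper()
    actual = cert.fingerprint(hashes.SHA256()).hex().upper()
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    cert = build_test_certificate()
    for prop, value in describe_certificate(cert).items():
        print(f"{prop:>18} = {value}")
```

Run the script to print the property table for the constructed certificate; to inspect a certificate you already have, load it with `x509.load_pem_x509_certificate()` and pass it to `describe_certificate()`.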

The following read-only property values provide information about the certificate issuer and are under the control of the certificate authority (CA). You can use the following information to find the certificate.

  • issuer_commonname - Specifies the certificate issuer's common name.
  • issuer_countryname - Specifies the country name.
  • issuer_emailaddress - Specifies the email address.
  • issuer_localityname - Specifies the locality name, such as a city or town.
  • issuer_organizationalunitname - Specifies the organizational unit name.
  • issuer_organizationname - Specifies the organization name.
  • issuer_stateorprovincename - Specifies the state or province name.

The following property values provide information about the certificate subject. You can use the following information to find the subject's certificate.

When you create a CSR to obtain a host certificate, you supply the following information about the host.

  • subject_commonname - Specifies the certificate subject's common name. By convention, this value is the system's canonical DNS name. When you create a CSR, you must specify this property value for the host certificate.
  • subject_countryname - Specifies the country name.
  • subject_emailaddress - Specifies the email address.
  • subject_localityname - Specifies the locality name, such as a city or town.
  • subject_organizationalunitname - Specifies the organizational unit name.
  • subject_organizationname - Specifies the organization name.
  • subject_stateorprovincename - Specifies the state or province name.

The following properties control the creation of encryption keys for CSRs and for the certificates that are generated from them:

key_type

Specifies the encryption type. You must specify one of the following property values:

  • RSA (for Rivest-Shamir-Adleman) is the default value
  • EC (for Elliptic Curve)

key_bits

Specifies a key size. This value depends on the value of key_type.

  • When key_type=RSA:
    • Reports a key size.
    • When creating a CSR, requests a key size, which is an even number from 2048 to 4096. The default value is 2048.
  • When key_type=EC: Reports the key size for an EC certificate, CSR, or key.

key_curve

Specifies the EC curve. The set of supported curve values is subject to change over time. When creating a CSR, this property requests a particular curve; otherwise it reports the curve in use. The default value is prime256v1 (P-256). This value is used only when key_type=EC.
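The following Python script is an added example, not part of this documentation or of any appliance software. With the third-party `cryptography` library it generates a key that honours the key_type, key_bits and key_curve rules stated above (RSA: an even size from 2048 to 4096, default 2048; EC: default prime256v1), builds a CSR from the subject_* properties listed earlier (subject_commonname is mandatory) together with dns, ip and uri entries, and reports the key properties back from the resulting request. The function names, the subject-property mapping and the table of EC curve names beyond prime256v1 are this example's own assumptions.

```python
"""Added example: generate a CSR key under the documented key_type/key_bits/
key_curve rules and build the CSR. Uses the third-party `cryptography` library;
the function names and curve table are assumptions made for this example."""
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

# Assumed curve table: prime256v1 is the documented default; the other names are
# standard OpenSSL curve names, but the supported set is stated to change over time.
EC_CURVES = {
    "prime256v1": ec.SECP256R1,   # P-256
    "secp384r1": ec.SECP384R1,    # P-384
    "secp521r1": ec.SECP521R1,    # P-521
}

# Map the subject_* property names to X.509 name attributes.
SUBJECT_OIDS = {
    "subject_commonname": NameOID.COMMON_NAME,
    "subject_countryname": NameOID.COUNTRY_NAME,
    "subject_emailaddress": NameOID.EMAIL_ADDRESS,
    "subject_localityname": NameOID.LOCALITY_NAME,
    "subject_organizationalunitname": NameOID.ORGANIZATIONAL_UNIT_NAME,
    "subject_organizationname": NameOID.ORGANIZATION_NAME,
    "subject_stateorprovincename": NameOID.STATE_OR_PROVINCE_NAME,
}


def generate_key(key_type="RSA", key_bits=None, key_curve=None):
    """Create a private key, enforcing the documented key_bits/key_curve rules."""
    if key_type == "RSA":
        bits = 2048 if key_bits is None else key_bits        # documented default
        if bits % 2 != 0 or not 2048 <= bits <= 4096:
            raise ValueError("key_bits must be an even number from 2048 to 4096")
        return rsa.generate_private_key(public_exponent=65537, key_size=bits)
    if key_type == "EC":
        curve_name = key_curve or "prime256v1"               # documented default
        if curve_name not in EC_CURVES:
            raise ValueError(f"key_curve must be one of {sorted(EC_CURVES)}")
        return ec.generate_private_key(EC_CURVES[curve_name]())
    raise ValueError("key_type must be RSA or EC")


def describe_key(public_key):
    """Report (key_type, key_bits, key_curve) for a key, as the properties would."""
    if isinstance(public_key, rsa.RSAPublicKey):
        return ("RSA", public_key.key_size, None)
    if isinstance(public_key, ec.EllipticCurvePublicKey):
        # cryptography names P-256 "secp256r1"; it is the same curve as prime256v1.
        return ("EC", public_key.curve.key_size, public_key.curve.name)
    raise TypeError("unsupported key type")


def build_csr(private_key, subject, dns=(), ip=(), uri=()):
    """Build a CSR from subject_* properties plus the dns/ip/uri lists.
    subject_commonname is required for a host certificate, as documented."""
    if "subject_commonname" not in subject:
        raise ValueError("subject_commonname is required")
    unknown = set(subject) - set(SUBJECT_OIDS)
    if unknown:
        raise ValueError(f"unknown subject properties: {sorted(unknown)}")
    name = x509.Name([x509.NameAttribute(SUBJECT_OIDS[k], v) for k, v in subject.items()])
    builder = x509.CertificateSigningRequestBuilder().subject_name(name)
    san_entries = (
        [x509.DNSName(d) for d in dns]
        + [x509.IPAddress(ipaddress.ip_address(a)) for a in ip]
        + [x509.UniformResourceIdentifier(u) for u in uri]
    )
    if san_entries:   # a CSR with no names gets no subjectAltName extension
        builder = builder.add_extension(x509.SubjectAlternativeName(san_entries), critical=False)
    return builder.sign(private_key, hashes.SHA256())


if __name__ == "__main__":
    key = generate_key("EC")   # key_type=EC, key_curve defaults to prime256v1
    csr = build_csr(
        key,
        {"subject_commonname": "storage.example.com",      # constructed sample values
         "subject_organizationname": "Example Storage",
         "subject_countryname": "US"},
        dns=["storage.example.com"], ip=["192.0.2.10"],
    )
    print(csr.public_bytes(serialization.Encoding.PEM).decode())
```

The printed PEM block is what you would submit to the CA; keep the private key returned by `generate_key()` on the host that will present the certificate.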