For each PKI certificate, you can view and edit the settings in the following sections:
|Keysize in Bits||Specifies the key size in bits. Normally the value ranges from 512 to 4096 bits (default: 1024). The key size must be at least 1024 bits for end-user certificates. When the lifetime of the CA is 10 years or longer, the key size must be at least 2048 bits (Recommended: 4096).|
|Duration of Validity||In days, specifies how long the certificate remains valid (default: 5000). For example, enter 5475 days for a root certificate that will remain valid for 15 years (365 * 15).|
|Key Algorithm||Specifies the algorithm used for key creation|
|Key Encryption||Specifies the algorithm used for key encryption|
|Message Digest Algorithm||Specifies the hash algorithm|
|Password||Defines the certificate password.|
|Validate Password||Validates the certificate password.|
|Common Name||Specifies the name of the certificate. (Do not use special characters and underscores in the common name!)|
|Email Address||Specifies the email address of the certificate owner|
|Country State or Province / Locality / Organisation / Organisation Unit||Specifies the address of the organization.|
For more information on V3 extensions, see RFC 3280 at.
Defines whether the certificate is a CA (CA:true) or not (CA:false - default).
The CA boolean indicates whether the certified public key belongs to a CA.
If the CA boolean is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted.
Specifies the purpose of the key contained in the certificate. This extension is useful when the key can be used for more than one operation.
Indicates one or more purposes for which the certified public key may be used, in addition to purpose specifies by the keyUsage extension. In general, this extension is only used in end entity certificates.
Hash of the subject. This extension provides a means of identifying certificates that contain a particular public key.
|authorityKeyIdentifier||Specifies the public key that is used to verify the signature on this certificate or CRL.|
Indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include online validation services and CA policy data. (The location of CRLs is not specified in this extension; that information is provided by the cRLDistributionPoints extension.) This extension may be included in end entity or CA certificates, and it MUST be non-critical.
A string. For example:
Specifies additional identities that are bound to the subject of the certificate. You can specify an email address, a DNS name, an IP address, a uniform resource identifier (URI), MS Domain GUID, or MS Domain User.
|issuerAltName||Associates Internet-style identities with the certificate issuer.|
|Specifies the distribution points for the Certificate Revocation List (CRL).|
This lists the distribution points for CRLs.
|DomainController||Specifies a Microsoft-specific extension for entering DomainControllers.|
This is a Microsoft specific extension needed for smartcard login.
|nsCert Type||Specifies a Netscape certificate type.|
|nsComment||Enables you to enter comments.||Just an extension to provide a possibility for a comment. This is an old Netscape extension.|