The type of Certificate Authority
Value
managed
|
If true, this Certificate Authority can emit certificates
|
enforceKeyUnicity
boolean
required
If true, each enrollment request must have a unique key
|
The name of the Certificate Authority
|
trustedForClientAuthentication
boolean
required
If true, certificates emitted by this Certificate Authority can be used for client authentication on Stream
|
trustedForServerAuthentication
boolean
required
If true, certificates emitted by this Certificate Authority can be used for server authentication by Stream
|
certificate
object (Certificate)
|
The certificate's distinguished name
|
dnElements
array of object (DN Element)
required
The distinguished name, with each element being an object
|
Array [
Enum
CN
UID
SERIALNUMBER
SURNAME
GIVENNAME
unstructuredAddress
unstructuredName
E
OU
organizationIdentifier
UniqueIdentifier
STREET
ST
L
O
C
DC
|
|
|
]
|
The DN of this certificate's issuer
|
This certificate's serial number
|
notBefore
integer
required
This certificate's start of validity
|
notAfter
integer
required
This certificate's end of validity
|
This certificate's keytype
|
signingAlgorithm
string
required
Ths certificate's signing algorithm
|
|
|
subjectKeyIdentifier
string
The subject key identifier of this certificate
|
sans
array of objects (SAN Element)
List of this certificate's SANs
|
Array [
Enum
RFC822NAME
DNSNAME
URI
IPADDRESS
OTHERNAME_UPN
OTHERNAME_GUID
REGISTERED_ID
|
|
|
]
|
This certificate's CRL Distribution Points
|
This certificate's Authority Information Access
|
List of URIs on which the Certificate Authority certificate can be found
|
ocsp
array of string | null
List of URIs on which the OCSP Responder of the Certificate Authority can be accessed
|
|
|
This Certificate Authority's Distinguished Name
|
The queue to apply on this Certificate Authority's operations
|
crldps
array of string | null
The urls of this Certificate Authority's CRL Distribution Points
|
aia
object | null (Authority Information Access)
AIAs to add to the certificate
|
certificate
array of string | null
List of URIs on which the Certificate Authority certificate can be found
|
ocsp
array of string | null
List of URIs on which the OCSP Responder of the Certificate Authority can be accessed
|
|
policy
array of objects | null (Certificate Policy)
This Certificate Authority's Certificate Policies
|
Array [
Object Identifier of the Policy
|
URI to a Certification Practice Statement document
|
organization
string | null
Organization of the user notice. Introduced in 2.0.12
|
noticeNumbers
array of integer | null
Notice numbers of the policy. Introduced in 2.0.12
|
explicitText
string | null
The text of the user notice. Introduced in 2.0.12
|
]
|
qcStatement
object | null (Qualified Certificate Statements)
The Qualified Certificate Statements to add to the emitted certificates
|
eTSIQCCompliance
boolean
required
If true, the certificate is a Qualified Certificate
|
eTSIQCSSCD
boolean
required
If true, the private key of the certificate resides in a Secure Signature Creation Device
|
eTSIRetentionPeriod
integer
required
This indicates the duration of the retention period of material information in years
|
eTSIQCType
object
required
This indicates which type of document can be signed by the certificate. One of eseal, esign, web or none
|
The PKI Disclosure Statements URI for a specified language
|
|
|
eTSITransactionLimit
object | null (Transaction Limit Statement)
This indicates the limits of the transactions the certificate is qualified for. The maximum amount is calculated by: valueLimit * 10^(valueLimitExp)
|
valueLimit
integer
required
The maximum amount this certificate is qualified for simplified to the lowest power of 10
|
valueLimitExp
integer
required
The exponent of the power of 10 to multiply with valueLimit to get the maximum amount
|
currencyCode
string
required
The ISO-4217 currency code for this limit
|
|
eTSILegislation
array of string | null
The alpha-2 ISO-3166 country codes where the certificate is qualified
|
|
overridePermissions
object | null (Override Permissions)
This indicates which properties can be overriden in the enrollment request
|
If true, the Key Usages can be redefined in the enrollment request
|
If true, the Extended Key Usages can be redefined in the enrollment request
|
emptyExtensions
boolean | null
If true, the Empty Extensions can be redefined in the enrollment request
|
If true, the CRL Distribution Points can be redefined in the enrollment request
|
If true, the Authority Information Access can be redefined in the enrollment request
|
If true, the Certificate Policy can be redefined in the enrollment request
|
If true, the length of the certification path can be redefined in the enrollment request
|
If true, the certificate's lifetime can be redefined in the enrollment request
|
If true, the certificate's backdate can be redefined in the enrollment request
|
If true, the need to check the proof of possession can be redefined in the enrollment request
|
|
crlPolicy
object | null (CRL Generation Policy)
Define how to generate the CRL fot his Certificate Authority
|
The duration of the CRL's validity
|
If true, the CRL will be EIDAS compliant
|
hardGeneration
string | null
The CRL will be generated at each period
|
lazyGeneration
string | null
The CRL will be checked at each period and generated if a new entry was added
|
|
triggers
object | null (TriggersManagedCertificateAuthority)
Triggers that apply on events on this CA
|
onCRLGeneration
array of string | null
Name of the triggers to execute when this CA's CRL are generated (manually or via cron)
|
onCRLGenerationError
array of string | null
Name of the triggers to execute when an error occurs when this CA's CRL are generated (manually or via cron)
|
onCRLGenerationRecover
array of string | null
Name of the triggers to execute when this CA's CRL are successfully generated when the last status was error
|
onCRLSync
array of string | null
Name of the triggers to execute when this CA's CRL are synced
|
onCRLExpiration
array of string | null
Name of the triggers to execute when this CA's CRL expire
|
onCAExpiration
array of string | null
Name of the triggers to execute when this CA expires
|
|
If true, the Certificate Authority is revoked
|
revocationDate
string | null
The revocation date of this Certificate Authority
|
revocationReason
string | null (Revocation Reason)
The revocation reason of this Certificate Authority
|
enableOCSP
boolean | null
|
Name of the OCSP signer associated with this CA
|
compromised
boolean | null
Define this CA as compromised for OCSP responses
|
archiveCutoff
object (Archive Cutoff)
OCSP Archive Cutoff configuration
|
Archive cutoff mode. issuer uses the CA's expiration date and retention uses the retentionPeriod defined below
Enum
issuer
retention
|
retentionPeriod
string | null
retention mode: The time during which the certificate will be kept in retention after expiration
|
|
altPrivateKey
object | null (Signer Private Key)
This signer's private key
|
The Keystore in which the key is stored
|
The name of the key in the keystore
|
hashAlgorithm
string | null (Hash Algorithm)
The Hash Algorithm to use when signing with this key
Enum
SHA1
SHA224
SHA256
SHA384
SHA512
SHA3_224
SHA3_256
SHA3_384
SHA3_512
|
For RSA Keys in PKCS11 Keystores only: use the PSS signature algorithm
|
|
privateKey
object (Signer Private Key)
This signer's private key
|
The Keystore in which the key is stored
|
The name of the key in the keystore
|
hashAlgorithm
string | null (Hash Algorithm)
The Hash Algorithm to use when signing with this key
Enum
SHA1
SHA224
SHA256
SHA384
SHA512
SHA3_224
SHA3_256
SHA3_384
SHA3_512
|
For RSA Keys in PKCS11 Keystores only: use the PSS signature algorithm
|
|