X.509 certificates
An X.509 certificate couples an identity to an RSA or ECC public key. The certificate can be used in PKA services in lieu of a PKA public key token. An X.509 certificate may only be used in verbs consistent with its key usage attributes (the bits of its KeyUsage extension), as follows:
- digitalSignature -- Verbs: CSNDDSV.
- nonRepudiation -- Verbs: CSNDDSV.
- keyEncipherment -- Verbs: CSNDSYG, CSNDSYX, CSNDPKE.
- dataEncipherment -- Verbs: CSNDPKE.
- keyAgreement -- Verbs: None.
- keyCertSign -- Verbs: CSNDDSV.
- cRLSign -- Verbs: CSNDDSV.
- encipherOnly -- Verbs: N/A.
- decipherOnly -- Verbs: N/A.
Certificates may also be used in the ANSI TR-34 verbs (CSNDT34B, CSNDT34C, CSNDT34D, CSNDT34R). See the verb descriptions for information on what usage is required, if any, for each input certificate. If no key usage attribute is present in the certificate, the certificate may be used in any service.
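The following Python is an added example, not part of the ICSF documentation: it decodes a DER-encoded KeyUsage extension value (standard library only) and applies the mapping above to answer "may this certificate be passed to verb X?", including the rule that a certificate with no key usage attribute may be used in any service. The verb names and usage bits are taken from the list above; the DER byte strings are constructed sample values and the function names are the example's own.

```python
# Added example: check an X.509 certificate's KeyUsage bits against the
# ICSF verb mapping above. DER parsing is hand-rolled so it runs offline.

# KeyUsage bit positions per RFC 5280 4.2.1.3 (bit 0 = MSB of the first byte).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Verbs each usage attribute admits, as listed above.
USAGE_TO_VERBS = {
    "digitalSignature": frozenset({"CSNDDSV"}),
    "nonRepudiation": frozenset({"CSNDDSV"}),
    "keyEncipherment": frozenset({"CSNDSYG", "CSNDSYX", "CSNDPKE"}),
    "dataEncipherment": frozenset({"CSNDPKE"}),
    "keyAgreement": frozenset(),
    "keyCertSign": frozenset({"CSNDDSV"}),
    "cRLSign": frozenset({"CSNDDSV"}),
    "encipherOnly": frozenset(),
    "decipherOnly": frozenset(),
}

# "Any service" for a certificate without KeyUsage is represented here as the
# union of every verb named in the mapping (example's own convention).
ALL_VERBS = frozenset().union(*USAGE_TO_VERBS.values())


def decode_key_usage(der: bytes) -> frozenset:
    """Parse a DER BIT STRING (tag 0x03) holding KeyUsage; return the set of
    named bits that are asserted. Malformed input raises rather than guessing."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or non-short-form length")  # KeyUsage is always short
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bit count")
    if unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("DER requires padding bits to be zero")
    usages = set()
    total_bits = len(body) * 8 - unused
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if body[byte] & (0x80 >> bit):
            usages.add(KEY_USAGE_BITS[i])
    return frozenset(usages)


def encode_key_usage(usages) -> bytes:
    """Inverse of decode_key_usage: DER-encode the named bits, dropping
    trailing zero bits as DER's minimal BIT STRING encoding requires."""
    if not usages:
        return b"\x03\x01\x00"
    highest = max(KEY_USAGE_BITS.index(u) for u in usages)
    nbytes = highest // 8 + 1
    value = 0
    for u in usages:
        value |= 1 << (nbytes * 8 - 1 - KEY_USAGE_BITS.index(u))
    unused = nbytes * 8 - 1 - highest
    body = value.to_bytes(nbytes, "big")
    return bytes([0x03, len(body) + 1, unused]) + body


def permitted_verbs(key_usage_der) -> frozenset:
    """key_usage_der is the KeyUsage extension value, or None when the
    certificate carries no KeyUsage extension (then any service is allowed)."""
    if key_usage_der is None:
        return ALL_VERBS
    allowed = frozenset()
    for usage in decode_key_usage(key_usage_der):
        allowed |= USAGE_TO_VERBS[usage]
    return allowed


def may_use(key_usage_der, verb: str) -> bool:
    """True if a certificate with this KeyUsage may be passed to the verb."""
    return verb in permitted_verbs(key_usage_der)


if __name__ == "__main__":
    # Constructed sample: digitalSignature + keyEncipherment -> 03 02 05 A0
    sample = encode_key_usage({"digitalSignature", "keyEncipherment"})
    print(sample.hex(), sorted(decode_key_usage(sample)))
    for verb in ("CSNDDSV", "CSNDSYG", "CSNDPKE", "CSNDT34B"):
        print(verb, may_use(sample, verb))
```

The DER detail worth noticing is the unused-bit byte: KeyUsage bit 0 (digitalSignature) is the most significant bit of the first content byte, so a certificate asserting only digitalSignature and keyEncipherment encodes as `03 02 05 a0`, while decipherOnly (bit 8) needs a second byte. A certificate whose only usage is keyAgreement, encipherOnly or decipherOnly ends up with an empty permitted set, matching the "None" and "N/A" rows above.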
One way to create a certificate with specific key usage attributes is to use the Public Infrastructure Certificate (CSNDPIC) callable service to create a certificate signing request (CSR) carrying the desired key usage attributes. A Certificate Authority (CA) then signs the CSR to produce a certificate with those attributes.
When using operational certificates that are to be validated against an issuer CA root certificate, the root certificate of the issuer CA must be loaded on all CEX6C and higher coprocessors using the Trusted Key Entry (TKE) workstation before the operational certificate can be used successfully.