Certificate attributes
This section lists the filterable certificate attributes and indicates whether the CryptoAPI and Netscape signature engines return identical strings when returning certificate attributes with identical data. If you want to filter for specific filteridentity tag values without specifying an engine, filter for strings that can be recognized by both RSA-compliant signature engines. If you want to filter for other tag values, your organization should maintain a policy stating the preferred signature engine for attaining digital certificates.
For example, if you wanted to filter for certificates encrypted with an md5 algorithm, you would find that Netscape and CryptoAPI return different strings for this attribute. CryptoAPI returns md5RSA, while Netscape returns PKCS #1 MD5 With RSA Encryption. If you listed either of these attributes as a tag value, you would return certificates from only one engine.
| Subject: CN | the certificate owner’s common name | Yes |
| Subject: E | the certificate owner’s email address | Yes |
| Subject: T | the certificate owner’s locality | Yes |
| Subject: ST | the certificate owner’s state of residence | Yes |
| Subject: O | the organization to which the certificate owner belongs | Yes |
| Subject: OU | the name of the organizational unit to which the certificate owner belongs | Yes |
| Subject: C | the certificate owner’s country of residence | Yes |
| Subject: STREET | the certificate owner’s street address | Yes |
| Subject: ALL | the certificate owner’s complete distinguished name | Yes |
| Issuer: CN | the certificate issuer’s common name | Yes |
| Issuer: E | the certificate issuer’s email address | Yes |
| Issuer: T | the certificate issuer’s locality | Yes |
| Issuer: ST | the certificate issuer’s state of residence | Yes |
| Issuer: O | the organization to which the certificate issuer belongs | Yes |
| Issuer: OU | the name of the organizational unit to which the certificate issuer belongs | Yes |
| Issuer: C | the certificate issuer’s country of residence | Yes |
| Issuer: STREET | the certificate issuer’s street address | Yes |
| Issuer: ALL | the certificate issuer’s complete distinguished name | Yes |
| Serial | the certificate’s serial number | No |
| SignatureAlg | the algorithm used by the Certificate Authority to sign the certificate | No |
| BeginDate | the date at which the certificate becomes valid | Yes |
| EndDate | the date at which the certificate becomes invalid | Yes |
| PublicKey | the certificate’s public key | No |
| FriendlyName | the certificate’s friendly name | No |
| KeyUsage: ALL | indicates the purposes for which the certificate’s public key can be used | No |
| KeyUsage: Digital Signature | this certificate’s public key can create digital signatures | No |
| KeyUsage: NonRepudiation | this certificate’s public key can be used for non-repudiation | No |
| KeyUsage: KeyEncipherment | this certificate’s public key can encipher keys | No |
| KeyUsage: DataEncipherment | this certificate’s public key can encipher data | No |
| KeyUsage: KeyAgreement | this certificate’s public key can ensure that other public keys match their certificates. Used in certificate management. | No |
| KeyUsage: KeyCertSign | this certificate’s public key can sign key certificates | No |
| KeyUsage: CRLSign | this certificate’s public key can sign Certificate Revocation Lists | No |
| KeyUsage: EncipherOnly | this certificate’s public key can only encipher keys or data | No |
| KeyUsage: DecipherOnly | this certificate’s public key can only decipher keys or data | No |
| BasicConstraints | behaves as though the fCA tag was specified | Yes |
| BasicConstraints: fCA | determines whether the subject of this certificate can act as a Certificate Authority (1 if true, 0 if false) | Yes |
| BasicConstraints: pathLength | the number of CA certificates that can follow this certificate in a certification path. | Yes |
| Policies | returns all of the Object Identification Numbers of the certificate's policies in a comma separated string | Yes |
| PolicyConstraints: requireExplicitPolicy | indicates whether an explicit policy is required | Yes |
| PolicyConstraints: inhibitPolicyMapping | indicates whether policy mapping is inhibited | Yes |
| Engine: Name | the name of the signature engine that created the certificate | Yes |