Glossary of Terms

AIA (Authority Information Access)

The AIA extension is a field within a certificate that contains a Uniform Resource Identifier (URI) used to locate an item required to validate this certificate. The URI can point to an OCSP responder or to a certificate from the issuing Certificate Authority (CA).


authentication

The process of reliably determining the identity of a communicating party. Identity can be proven by something you know (such as a password), something you have (such as a private key or token), or something intrinsic about you (such as a fingerprint).

CA (Certificate Authority)

A server, in a trusted organization, which issues digital certificates. The CA manages the issuance of new certificates and revokes certificates that are no longer valid for authentication. A CA may also delegate certificate issuance authority to one or more intermediate CAs, creating a chain of trust. The highest level CA certificate is referred to as the trusted root.

CDP (CRL Distribution Point)

A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate.

CRL (Certificate Revocation List)

A digitally signed list of certificates that have been revoked by the Certification Authority. Certificates identified in a CRL are no longer valid.

digital certificate

An integral part of a PKI (Public Key Infrastructure). Digital certificates (also called X.509 certificates) are issued by a certificate authority (CA), which ensures the validity of the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the certificate owner's public key (used for encrypting and decrypting messages and digital signatures), and a digital signature (generated by the CA based on the certificate contents). The digital signature is used by a recipient to verify that the certificate has not been tampered with and can be trusted.

digital signature

Used to confirm the authenticity and integrity of a transmitted message. Typically, the sender holds the private key of a public/private key pair and the recipient holds the public key. To create the signature, the sender computes a hash from the message, and then encrypts this value with its private key. The recipient decrypts the signature using the sender's public key, and independently computes the hash of the received message. If the decrypted and calculated values match, the recipient trusts that the sender holds the private key, and that the message has not been altered in transit.


hash

Also called a message digest, a hash or hash value is a fixed-length number generated from variable-length digital data. The hash is substantially smaller than the original data, and is generated by a formula in such a way that it is statistically unlikely that some other data will produce the same hash value.

OCSP (Online Certificate Status Protocol)

A protocol (using the HTTP transport) that can be used as an alternative to CRL checking to confirm whether a certificate is valid. An OCSP responder responds to certificate status requests with one of three digitally signed responses: "good", "revoked", and "unknown". Using OCSP removes the need for servers and/or clients to retrieve and sort through large CRLs.


PKCS

PKCS (Public Key Cryptography Standards) is a set of standards devised and published by RSA Laboratories that enable compatibility among public key cryptography implementations. Different PKCS standards identify specifications for particular cryptographic uses. PKI Services Manager uses the following PKCS standards:

PKCS#7 can be used to sign and/or encrypt messages. It can also be used to store certificates and to disseminate certificates. PKI Services Manager can use certificates stored in this format.

PKCS#10 is used for certificate requests to a Certificate Authority (CA).

PKI Services Manager Configuration Directory

The configuration directory stores the pki_config and pki_map configuration files. It also contains the public/private key pair to establish its identity to calling applications. The default location is:

UNIX: /opt/attachmate/pkid/config/

Windows: \ProgramData\Attachmate\ReflectionPKI\config\

PKI Services Manager Configuration File

Configuration settings are saved to pki_config. The default location is:

UNIX: /opt/attachmate/pkid/config/pki_config

Windows: \ProgramData\Attachmate\ReflectionPKI\config\pki_config

PKI Services Manager Data Directory

The user data directory is configurable. The default is:

UNIX: /opt/attachmate/pkid

Windows: \ProgramData\Attachmate\ReflectionPKI\

PKI Services Manager Map File

The map file binds certificates to one or more allowed identities using mapping rules.

UNIX: /opt/attachmate/pkid/config/pki_mapfile

Windows: \ProgramData\Attachmate\ReflectionPKI\config\pki_mapfile

public key/private key

Public keys and private keys are pairs of cryptographic keys that are used to encrypt or decrypt data. Data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key.

regular expression

Often abbreviated as regex, a regular expression is a string of characters that describes one or more matching strings. Within a regular expression, some characters have a predefined meaning that determines what qualifies as a match. For example, the regular expression "t.*t" matches any word that starts and ends in the letter t, while the regular expression "text" matches only itself.

root CA certificate

A certificate created and signed by a trusted certification authority that is the final trust point in a certificate chain of trust. In a trusted root CA, the certificate's Issuer is the same as the certificate's Subject, and, in the Basic Constraints field, the Subject type must be set to CA.

self-signed certificate

A certificate that was created and signed by an end-entity (usually a server) where the Issuer equals the Subject. When this is created by a server, the CA bit in the Basic Constraints is not set, and this certificate can only vouch for itself; it cannot sign other certificates.

trust anchor

A certificate that can be used as the final trust point in a certificate chain of trust. Note: PKI Services Manager validates certificates using only those trust anchors that have been explicitly configured for use by PKI Services Manager. You can configure a trust anchor using a root CA certificate, an intermediate CA certificate, or a self-signed certificate (one which can only validate itself).

URI (Uniform Resource Identifier)

A string of characters that represents the location or address of a resource. URIs can be used to locate resources on the Internet or on an LDAP server.

Windows common application data folder

The application data folder is hidden by default.

The default is: \ProgramData\