SubjectName specifies the attributes of the distinguished name to be used in the subject of the certificate.

The subject of the certificate indicates the identity of the LXI device.

AltDnsName specifies the alternate DNS name to be used in the certificate.

AltIPAddress specifies the alternate IP Address to be used in the certificate.

Multiple IP addresses may be specified as a comma separated list.

ExpirationDateTime indicates the time at which the requested certificate will expire.

RULE: The expiration date and time shall be expressed in ASN.1 format using ASN.1 GeneralizedTime per RFC5280.

OBSERVATION: The device will need to convert GeneralizedTime to UTC time if the year is between 1950 and 2050.

SignatureAlgorithm specifies the signature algorithm that the certificate keyset should use. The string is the Object IDentifier (OID) string specified in RFC 3279 or its hierarchy of successors. The OID uniquely identifies the signature algorithm and is a string of integers separated by decimal points. For instance the OID string for SHA256 with RSA Encryption is "1.2.840.113549.1.1.11".

Vendors are encouraged to use state of the art cryptographic algorithms when generating certificates or signing requests and thus keep the software up-to-date. Failure to do so may result in devices being easily compromised. For instance, the MD5 and SHA-1 algorithms have been deprecated and are known to be inadequate and should not be used to generated new certificates or sign requests. However, existing certificates should be supported.

If absent the signature algorithm is device dependent. This differs from sending an empty string which produces an error.

RULE: If the device does not support the requested signature algorithm, then the certificate request shall fail. The returned LXIProblemDetails/Title element shall contain an indication that the SignatureAlgorithm was invalid. The LXIProblemDetails/Instance shall have a comma separated list of accepted values.

OBSERVATION: Clients can determine the supported signature algorithms by sending the SignatureAlgorithm element with an empty string for the SignatureAlgorithm.

The LXICertificateRequest schema with the SignatureAlgorithm is used in both the LXI Create Certificate API and LXI CSR GET API.

• When used in the LXI Create Certificate API SignatureAlgorithm specifies the signature algorithm and the key type used to create the LDevID.
• For the LXI CSR GET API, SignatureAlgorithm indicates how the returned CSR has been signed by the device, including both the algorithm and the public/private key type. Note that the Certificate Authority (CA) chooses the certificate signature algorithm independently of this field. Note that the client (such as a CA) will use the public key from the CSR to ensure that the instrument has the corresponding private key.

CertificateExtension permits the user to request arbitrary certificate fields based on the object identifier and field values.

CommonName specifies the common name subject attribute.

Organization specifies the organization subject attribute.

OrganizationUnit specifies the organization unit subject attribute.

Locality specifies the locality subject attribute.

State specifies the state subject attribute.

Country specifies the country subject attribute.

SerialNumber specifies the serial number subject attribute.

ExtraSubjectAttribute specifies additional subject attributes not included in LXICertificateRequest using the Object ID and value.

ObjectID is the object ID that indicates the subject attribute as specified by the OpenGroup.

The format of this string is a series of dot-separated integers.

RULE: ObjectID shall be included.

ObjectValue is the subject value associated with the specified attribute.

RULE: ObjectValue shall be included.

ObjectID is the object ID that indicates the certificate extension as specified by the OpenGroup.

The format of this string is a series of dot-separated integers.

RULE: ObjectID shall be included.

Critical indicates that this certificate extension is critical.

ObjectValue is the subject value associated with the certificate field.

RULE: ObjectValue shall be included.