Extract certificate attributes

Overview

You can use the Extract Certificate Attributes filter to extract the X.509 attributes from a certificate stored in a specified API Gateway message attribute.

Typically, this filter is used in conjunction with the Find Certificate filter, which is found in the Certificates category of message filters. In this case, the Find Certificate filter can locate a certificate from one of many possible sources (for example, the message itself, an HTTP header, or the API Gateway certificate store), and store it in a message attribute, which is usually the certificate attribute.

The Extract Certificate Attributes filter can then retrieve this certificate and extract the X.509 attributes from it. For example, you can then use a Validate Message Attribute filter to check the values of the attributes.

Generated message attributes

The Extract Certificate Attributes filter extracts the X.509 certificate attributes and populates a number of API Gateway message attributes with their respective values. The following table lists the message attributes that are generated by this filter, and shows what each of these attributes contains after the filter has executed:

Generated message attribute Contains
attribute.lookup.list This user attribute list contains an attribute for each Distinguished Name (DName) attribute for the subject (cn, o, l, and so on). The user attributes are named cn, o, and so on.
attribute.subject.id The DName of the subject of the cert.
attribute.subject.format Set to X509DName.
cert.basic.constraints If the subject is a Certificate Authority (CA), and the BasicConstraints extension exists, this field gives the maximum number of CA certificates that may follow this certificate in a certification path. A value of zero indicates that only an end-entity certificate may follow in the path. This contains the value of pathLenConstraint if the BasicConstraints extension is present in the certificate and the subject of the certificate is a CA, otherwise its value is -1. If the subject of the certificate is a CA and pathLenConstraint does not appear, there is no limit to the allowed length of the certification path.
cert.extended.key.usage A String representing the OBJECT IDENTIFIERs of the ExtKeyUsageSyntax field of the extended key usage extension (OID = 2.5.29.37). It indicates a purpose for which the certified public key may be used, in addition to, or instead of, the basic purposes indicated in the key usage extension field.
cert.hash.md5 An MD5 hash of the certificate.
cert.hash.sha1 A SHA1 hash of the certificate.
cert.issuer.alternative.name An alternative name for the certificate issuer from the IssuerAltName extension (OID = 2.5.29.18).
cert.issuer.id The DName of the issuer of the certificate.
cert.issuer.id.c The c attribute of the issuer of the certificate, if it exists.
cert.issuer.id.cn The cn attribute of the issuer of the certificate, if it exists.
cert.issuer.id.emailaddress The email or emailaddress attribute of the issuer of the certificate, if it exists.
cert.issuer.id.l The l attribute of the issuer of the certificate, if it exists.
cert.issuer.id.o The o attribute of the issuer of the certificate, if it exists.
cert.issuer.id.ou The ou attribute of the issuer of the certificate, if it exists.
cert.issuer.id.st The st attribute of the issuer of the certificate, if it exists.
cert.key.usage.cRLSign Set to true or false if the key can be used for crlSign.
cert.key.usage.dataEncipherment Set to true or false if the key can be used for dataEncipherment.
cert.key.usage.decipherOnly Set to true or false if the key can be used for decipherOnly.
cert.key.usage.digitalSignature Set to true or false if the key can be used for digital signature.
cert.key.usage.encipherOnly Set to true or false if the key can be used for encipherOnly.
cert.key.usage.keyAgreement Set to true or false if the key can be used for keyAgreement.
cert.key.usage.keyCertSign Set to true or false if the key can be used for keyCertSign.
cert.key.usage.keyEncipherment Set to true or false if the key can be used for keyEncipherment.
cert.key.usage.nonRepudiation Set to true or false if the key can be used for non-repudiation.
cert.not.after Not after validity period date.
cert.not.before Not before validity period date.
cert.serial.number Certificate serial number.
cert.signature.algorithm The signature algorithm for certificate signature.
cert.subject.alternative.name An alternative name for the subject from the SubjectAltName extension (OID = 2.5.29.17).
cert.subject.id The DName of the subject of the certificate.
cert.subject.id.c The c attribute of the subject of the certificate, if it exists.
cert.subject.id.cn The cn attribute of the subject of the certificate, if it exists.
cert.subject.id.emailaddress The email or emailaddress attribute of the subject of the certificate, if it exists.
cert.subject.id.l The l attribute of the subject of the certificate, if it exists.
cert.subject.id.o The o attribute of the subject of the certificate, if it exists.
cert.subject.id.ou The ou attribute of the subject of the certificate, if it exists.
cert.subject.id.st The st attribute of the subject of the certificate, if it exists.
cert.version The certificate version.

Configuration

Configure the following fields:

Name:
Enter a name for the filter to display in a policy.

Certificate Attribute:
The Extract Certificate Attributes filter extracts the attributes from the certificate contained in the message attribute selected or entered here. The selected attribute must contain a single certificate only.

Include Distribution Points:
If the certificate contains CRL Distribution Point X.509 extension attributes (which point to the location of the certificate issuer's CRL), you can also extract these and store them in message attributes by selecting this check box. The extracted distribution points are stored in message attributes with a distributionpoint. prefix.

Related Links