Dictionaries

Here is the list of available dictionary keys to use in computation rules, depending on the usage.

General

The dictionary keys listed here are available in all protocols.

All indexes start at 1.

Principal

This dictionary regroups the information of the user making the request, the 'principal'.

Key Description Type

Key	Description	Type
principal.identifier	The identifier of the user	Single value
principal.team	The teams of the user	Multi valued
principal.team.<index>	The team at index `index`	Single value
principal.name	The name of the user	Single value
principal.mail	The email of the user	Single value
principal.provider.name	The name of the identity provider of the principal	Single value
principal.certificate.subject	The values of the principal certificate subject	Subject dictionary
principal.certificate.san	The values of the principal certificate sans	Sans dictionary
principal.certificate.extension	The values of the principal certificate extensions	Extensions dictionary

principal.identifier

The identifier of the user

Single value

principal.team

The teams of the user

Multi valued

principal.team.<index>

The team at index index

Single value

principal.name

The name of the user

Single value

principal.mail

The email of the user

Single value

principal.provider.name

The name of the identity provider of the principal

Single value

principal.certificate.subject

The values of the principal certificate subject

Subject dictionary

principal.certificate.san

The values of the principal certificate sans

Sans dictionary

principal.certificate.extension

The values of the principal certificate extensions

Extensions dictionary

CSR

This dictionary regroups the information of the csr used for enrollment. It can be sent via a client (horizon-cli, estclient, sscep) or via web interfaces with WebRA protocol.

This only concerns decentralized enrollment.

Key	Description	Type
csr.subject	The values of the csr subject	Subject dictionary
csr.san	The values of the csr sans	Sans dictionary
csr.extension	The values of the csr extensions	Extensions dictionary

Key

Description

Type

csr.subject

The values of the csr subject

Subject dictionary

csr.san

The values of the csr sans

Sans dictionary

csr.extension

The values of the csr extensions

Extensions dictionary

WebRA

Enrollment request

Certificate fields can be filled by the user on Horizon interface. This information is available through the following dictionary.

Key Description Type

Key	Description	Type
webra.enroll.subject	The values of the subject defined in the challenge request	Subject dictionary
webra.enroll.san	The values of the sans defined in the challenge request	Sans dictionary
webra.enroll.extension	The values of the extensions defined in the challenge request	Extensions dictionary
webra.enroll.label.<label name>	The value of label `label name` defined in the challenge request	Single value
webra.enroll.metadata.<metadata name>	The value of metadata `metadata name` defined in the challenge request	Single value
webra.enroll.mail	The value of the contact email defined in the challenge request	Single value
webra.enroll.owner	The value of the owner defined in the challenge request	Single value
webra.enroll.team	The value of the team defined in the challenge request	Single value

webra.enroll.subject

The values of the subject defined in the challenge request

Subject dictionary

webra.enroll.san

The values of the sans defined in the challenge request

Sans dictionary

webra.enroll.extension

The values of the extensions defined in the challenge request

Extensions dictionary

webra.enroll.label.<label name>

The value of label label name defined in the challenge request

Single value

webra.enroll.metadata.<metadata name>

The value of metadata metadata name defined in the challenge request

Single value

webra.enroll.mail

The value of the contact email defined in the challenge request

Single value

webra.enroll.owner

The value of the owner defined in the challenge request

Single value

webra.enroll.team

The value of the team defined in the challenge request

Single value

EST

Enrollment request

In case of a prevalidated enroll, certificate fields can be filled by the user on Horizon interface. This information is available through the following dictionary.

Key Description Type

Key	Description	Type
est.enroll.subject	The values of the subject defined in the challenge request	Subject dictionary
est.enroll.san	The values of the sans defined in the challenge request	Sans dictionary
est.enroll.extension	The values of the extensions defined in the challenge request	Extensions dictionary
est.enroll.label.<label name>	The value of label `label name` defined in the challenge request	Single value
est.enroll.metadata.<metadata name>	The value of metadata `metadata name` defined in the challenge request	Single value
est.enroll.mail	The value of the contact email defined in the challenge request	Single value
est.enroll.owner	The value of the owner defined in the challenge request	Single value
est.enroll.team	The value of the team defined in the challenge request	Single value

est.enroll.subject

The values of the subject defined in the challenge request

Subject dictionary

est.enroll.san

The values of the sans defined in the challenge request

Sans dictionary

est.enroll.extension

The values of the extensions defined in the challenge request

Extensions dictionary

est.enroll.label.<label name>

The value of label label name defined in the challenge request

Single value

est.enroll.metadata.<metadata name>

The value of metadata metadata name defined in the challenge request

Single value

est.enroll.mail

The value of the contact email defined in the challenge request

Single value

est.enroll.owner

The value of the owner defined in the challenge request

Single value

est.enroll.team

The value of the team defined in the challenge request

Single value

URL passed parameters

Horizon allows the use of URL parameters to pass certificate metadata info. These are notably used by the horizon-cli client.

Key Description Type

Key	Description	Type
url.enroll.label.<label name>	The value of label `label name` passed in the URL	Single value
url.enroll.metadata.<metadata name>	The value of metadata `metadata name` passed in the URL	Single value
url.enroll.mail	The value of the contact email passed in the URL	Single value
url.enroll.owner	The value of the owner passed in the URL	Single value
url.enroll.team	The value of the team passed in the URL	Single value

url.enroll.label.<label name>

The value of label label name passed in the URL

Single value

url.enroll.metadata.<metadata name>

The value of metadata metadata name passed in the URL

Single value

url.enroll.mail

The value of the contact email passed in the URL

Single value

url.enroll.owner

The value of the owner passed in the URL

Single value

url.enroll.team

The value of the team passed in the URL

Single value

SCEP

Enrollment request

In case of a prevalidated enroll, certificate fields can be filled by the user on Horizon interface. This information is available through the following dictionary.

Key Description Type

Key	Description	Type
scep.enroll.subject	The values of the subject defined in the challenge request	Subject dictionary
scep.enroll.san	The values of the sans defined in the challenge request	Sans dictionary
scep.enroll.extension	The values of the extensions defined in the challenge request	Extensions dictionary
scep.enroll.label.<label name>	The value of label `label name` defined in the challenge request	Single value
scep.enroll.metadata.<metadata name>	The value of metadata `metadata name` defined in the challenge request	Single value
scep.enroll.mail	The value of the contact email defined in the challenge request	Single value
scep.enroll.owner	The value of the owner defined in the challenge request	Single value
scep.enroll.team	The value of the team defined in the challenge request	Single value

scep.enroll.subject

The values of the subject defined in the challenge request

Subject dictionary

scep.enroll.san

The values of the sans defined in the challenge request

Sans dictionary

scep.enroll.extension

The values of the extensions defined in the challenge request

Extensions dictionary

scep.enroll.label.<label name>

The value of label label name defined in the challenge request

Single value

scep.enroll.metadata.<metadata name>

The value of metadata metadata name defined in the challenge request

Single value

scep.enroll.mail

The value of the contact email defined in the challenge request

Single value

scep.enroll.owner

The value of the owner defined in the challenge request

Single value

scep.enroll.team

The value of the team defined in the challenge request

Single value

URL passed parameters

Horizon allows the use of URL parameters to pass certificate metadata info. These are notably used by the horizon-cli client.

Key Description Type

Key	Description	Type
url.enroll.label.<label name>	The value of label `label name` passed in the URL	Single value
url.enroll.metadata.<metadata name>	The value of metadata `metadata name` passed in the URL	Single value
url.enroll.mail	The value of the contact email passed in the URL	Single value
url.enroll.owner	The value of the owner passed in the URL	Single value
url.enroll.team	The value of the team passed in the URL	Single value

url.enroll.label.<label name>

The value of label label name passed in the URL

Single value

url.enroll.metadata.<metadata name>

The value of metadata metadata name passed in the URL

Single value

url.enroll.mail

The value of the contact email passed in the URL

Single value

url.enroll.owner

The value of the owner passed in the URL

Single value

url.enroll.team

The value of the team passed in the URL

Single value

ACME

Order

This dictionary regroups the information of the acme order used for enrollment.

Key Description Type

Key	Description	Type
acme.order.initialip	The initial IP of the acme order	Single value
acme.order.label.<label name>	The value of label `label name`	Single value
acme.order.metadata.<metadata name>	The value of metadata `metadata name`	Single value
acme.order.mail	The value of the contact email of the acme order	Single value
acme.order.owner	The value of the owner of the acme order	Single value
acme.order.team	The value of the team of the acme order	Single value

acme.order.initialip

The initial IP of the acme order

Single value

acme.order.label.<label name>

The value of label label name

Single value

acme.order.metadata.<metadata name>

The value of metadata metadata name

Single value

acme.order.mail

The value of the contact email of the acme order

Single value

acme.order.owner

The value of the owner of the acme order

Single value

acme.order.team

The value of the team of the acme order

Single value

Account

This dictionary regroups the information of the acme account used for enrollment.

Key Description Type

Key	Description	Type
acme.account.initialip	The initial IP of the acme account	Single value
acme.account.contact.<index>	The value of contact email address of the account at index `index`	Single value

acme.account.initialip

The initial IP of the acme account

Single value

acme.account.contact.<index>

The value of contact email address of the account at index index

Single value

CRMP

Enrollment request

Certificate fields can be filled by the user on CMS interface. This information is available through the following dictionary.

Key Description Type

Key	Description	Type
crmp.enroll.subject	The values of the subject defined in the challenge request	Subject dictionary
crmp.enroll.san	The values of the sans defined in the challenge request	Sans dictionary
crmp.enroll.extension	The values of the extensions defined in the challenge request	Extensions dictionary
crmp.enroll.label.<label name>	The value of label `label name` defined in the challenge request	Single value
crmp.enroll.metadata.<metadata name>	The value of metadata `metadata name` defined in the challenge request	Single value
crmp.enroll.mail	The value of the contact email defined in the challenge request	Single value
crmp.enroll.owner	The value of the owner defined in the challenge request	Single value
crmp.enroll.team	The value of the team defined in the challenge request	Single value

crmp.enroll.subject

The values of the subject defined in the challenge request

Subject dictionary

crmp.enroll.san

The values of the sans defined in the challenge request

Sans dictionary

crmp.enroll.extension

The values of the extensions defined in the challenge request

Extensions dictionary

crmp.enroll.label.<label name>

The value of label label name defined in the challenge request

Single value

crmp.enroll.metadata.<metadata name>

The value of metadata metadata name defined in the challenge request

Single value

crmp.enroll.mail

The value of the contact email defined in the challenge request

Single value

crmp.enroll.owner

The value of the owner defined in the challenge request

Single value

crmp.enroll.team

The value of the team defined in the challenge request

Single value

WCCE

Caller identity

The information of the caller identity in a WCCE enroll.

Key	Description	Type
calleridentity.dn	The dn of the caller identity	Single value
calleridentity.cn	The cn of the caller identity	Single value
calleridentity.msguid	The guid of the caller identity	Single value
calleridentity.msupn	The upn of the caller identity	Single value
calleridentity.c	The country of the caller identity	Single value
calleridentity.company	The company of the caller identity	Single value
calleridentity.department	The department of the caller identity	Single value
calleridentity.description	The description of the caller identity	Single value
calleridentity.displayname	The display name of the caller identity	Single value
calleridentity.dnshostname	The dns host name of the caller identity	Single value
calleridentity.employeeid	The employee id of the caller identity	Single value
calleridentity.employeenumber	The employee number of the caller identity	Single value
calleridentity.mail	The email of the caller identity	Single value
calleridentity.o	The organization of the caller identity	Single value
calleridentity.ou	The OU of the caller identity	Single value
calleridentity.samaccountname	The sam account name of the caller identity	Single value
calleridentity.serialnumber	The serial number of the caller identity	Single value
calleridentity.sn	The sn of the caller identity	Single value
calleridentity.title	The title of the caller identity	Single value
calleridentity.uid	The uid of the caller identity	Single value
calleridentity.sid	The sid of the caller identity	Single value

Key

Description

Type

calleridentity.dn

The dn of the caller identity

Single value

calleridentity.cn

The cn of the caller identity

Single value

calleridentity.msguid

The guid of the caller identity

Single value

calleridentity.msupn

The upn of the caller identity

Single value

calleridentity.c

The country of the caller identity

Single value

calleridentity.company

The company of the caller identity

Single value

calleridentity.department

The department of the caller identity

Single value

calleridentity.description

The description of the caller identity

Single value

calleridentity.displayname

The display name of the caller identity

Single value

calleridentity.dnshostname

The dns host name of the caller identity

Single value

calleridentity.employeeid

The employee id of the caller identity

Single value

calleridentity.employeenumber

The employee number of the caller identity

Single value

calleridentity.mail

The email of the caller identity

Single value

calleridentity.o

The organization of the caller identity

Single value

calleridentity.ou

The OU of the caller identity

Single value

calleridentity.samaccountname

The sam account name of the caller identity

Single value

calleridentity.serialnumber

The serial number of the caller identity

Single value

calleridentity.sn

The sn of the caller identity

Single value

calleridentity.title

The title of the caller identity

Single value

calleridentity.uid

The uid of the caller identity

Single value

calleridentity.sid

The sid of the caller identity

Single value

Sub dictionaries

These dictionary cannot be used alone but can be completed with one of the other ones. For example, a valid key is:

principal.certificate.subject.cn.1

Subject dictionary

Key Description Type

Key	Description	Type
subject.<dn field type>	All values of subject field of type `dn field type`	Multi valued
subject.<dn field type>.<index>	Value of subject field of type `dn field type` at index `index`	Single value

subject.<dn field type>

All values of subject field of type dn field type

Multi valued

subject.<dn field type>.<index>

Value of subject field of type dn field type at index index

Single value

The valid dn field types are: cn, uid, serialnumber, surname, givenname, unstructuredaddress, unstructuredname, e, ou, organizationidentifier, uniqueidentifier, street, st, l, o, c, description, dc.

Sans dictionary

Key Description Type

Key	Description	Type
san.<san field type>	All values of SAN fields of type `san field type`	Multi valued
san.<san field type>.<index>	Value of subject field of type `san field type` at index `index`	Single value

san.<san field type>

All values of SAN fields of type san field type

Multi valued

san.<san field type>.<index>

Value of subject field of type san field type at index index

Single value

The valid SAN field types are: rfc822name, dnsname, uri, ipaddress, othername_upn, othername_guid.

Extensions dictionary

Key Description Type

Key	Description	Type
extension.<extension type>	Value of extension of type `extension type`	Single value

extension.<extension type>

Value of extension of type extension type

Single value

The valid extension types are: ms_sid, ms_template.