For the latest version, please use Certificate Lifecycle Manager 6.5.0!

Glossary

A

API Client: A service account in MTG CLM enabling programmatic certificate operations through REST APIs.

Approval Workflow: A multistep process requiring authorization from designated approvers before certificate operations can proceed.

Audit Logging: Comprehensive record of all certificate-related activities for compliance and forensic review.

Authentication: The process of verifying the identity of users, devices, or services requesting access.

B

Basic Authentication: HTTP authentication using username and password credentials (RFC 7617).

Bridge CA: A CA connecting multiple PKI hierarchies for trust relationships.

C

Certificate Authority (CA): A trusted entity that issues digital certificates and signs requests. In MTG CLM the CA hierarchy can internal, external or mixed.

Certificate Discovery: Automated process for finding and inventorying certificates in your infrastructure.

Certificate Lifecycle: Full process from certificate request to expiration, renewal or revocation.

Certificate Provider: A configured integration in MTG CLM to request certificates from a specific Certificate Authority. Supported types: MTG CARA, Microsoft NDES, Microsoft CA, GlobalSign, PSW.

Certificate Repository: Centralized MTG CLM system for storing and distributing certificates and revocation information.

Certificate Revocation List (CRL): Published list of revoked certificates before expiration.

Certificate Signing Request (CSR): Message sent for certificate issuance, containing a public key and identification data.

Client Certificate: Provides authentication and secure access for users/devices.

Code Signing Certificate: Used to digitally sign software to prove authenticity.

Compliance: Adherence to regulatory requirements and certificate management standards.

Cross-Certification: Trust between two PKI hierarchies established by cross-signing.

Cryptographic Algorithm: Mathematical procedure for encryption, signing, and key generation.

D

Device Certificate: Certificate used on IoT devices and hardware for machine authentication.

Digital Signature: Cryptographic mechanism for authentication and data integrity.

Domain Validated (DV) Certificate: TLS certificate confirming domain ownership.

E

End Entity: The subject—user, device, or service—owning a certificate. MTG CLM requires realm assignment for management.

End Entity Password: Credential allowing an end entity in MTG CLM to request certificates through self-service operations.

Extended Validation (EV) Certificate: A certificate with rigorous organization validation for strong trust indicators.

H

Hardware Security Module (HSM): Device providing secure key storage and crypto operations for CAs.

Hierarchical Trust: PKI model with inherited trust through intermediate and root CAs.

I

Intermediate CA: CA operating under a Root CA, often issuing end entity certificates.

K

Key Protection: Measures to safeguard private keys from compromise.

M

Multi-Domain Certificate: Secures multiple domains using Subject Alternative Names (SAN).

N

Notification: Automated alerts in MTG CLM (e.g. expiration, status changes), configurable by administrators. Notification templates allow customization of messages.

O

OCSP (Online Certificate Status Protocol): Protocol for real-time certificate status checks.

OCSP Stapling: Server includes OCSP response with certificate for improved validation.

Organization Validated (OV) Certificate: TLS certificate adding organization verification to domain check.

P

PKI (Public Key Infrastructure): Framework for secure communication via certificates and keys.

PKCS (Public Key Cryptography Standards): Family of cryptographic standards, including PKCS#10/PKCS#12.

Policy: Rules and parameters defining issuance and management of certificates.
In MTG CLM: Policies are realm-bound rules defining certificate issuance verification, authorities, cryptographic parameters, and end entity constraints.

Policy Enforcement: Automatic application of certificate policy rules during lifecycle operations.

Progressive Disclosure: Documentation technique for presenting information in accessible layers.

R

RA Operator: MTG CLM role managing certificates in realms, handling day-to-day operations.

Realm: Logical container in MTG CLM for separation of certificate environments, policies, users, and entities.

Registration Authority (RA): Entity verifying certificate requests before CA processing.

Role-Based Access Control (RBAC): Permissions assigned by user roles.

Root CA: Top-level CA in PKI hierarchy.

S

S/MIME Certificate: Encrypts/signs email per S/MIME standards.

Self-Service Certificate Management: The capability for end entities to request and renew certificates using assigned credentials. In MTG CLM, end entity passwords bound to specific policies enable this capability.

Single Domain Certificate: TLS certificate for one specific domain.

T

TLS Certificate: Credential enabling encrypted server-client connections.

Trust Model: Defines PKI trust relationships.

U

User: An individual with access to MTG CLM. Authenticated via username/password and, depending on configuration, can use X.509 certificate-based authentication.

W

Web of Trust: Network of inter-vouching users for key authentication.

Wildcard Certificate: TLS certificate for all first-level subdomains of a main domain.

X

X.509: The standard format for digital certificates.