Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

ICertServerExit::GetCertificateProperty method

The GetCertificateProperty method returns a named property from a certificate.

Syntax


HRESULT GetCertificateProperty(
  [in]   const BSTR strPropertyName,
  [in]   LONG PropertyType,
  [out]  VARIANT *pvarPropertyValue
);

Parameters

strPropertyName [in]

Specifies the named property to retrieve. There is a stock set of certificate properties, referred to as the name properties, that are always valid and can be retrieved by calling this method. For information about these properties, see Name Properties. Other properties that can be retrieved include the certificate properties.

The following properties are unique to certificates and can be read by GetCertificateProperty.

ValueMeaning
NotBefore
Date/Time

Certificate start validity date

NotAfter
Date/Time

Certificate expiration date

PublicKeyAlgorithm
String

Subject key algorithm object identifier (OID)

RawCertificate
Binary

Raw certificate bytes

RawPublicKey
Binary

Subject key

RawPublicKeyAlgorithmParameters
Binary

Subject key algorithm parameters

RequestID
Signed Long

Internal request ID

SerialNumber
String

Certificate serial number

 

The certificate's DistinguishedName, RawName, and SerialNumber properties are accessible by GetCertificateProperty only after the policy module has finished processing the request and the certificate is issued.

The following properties apply to the certification authority. The context must be zero to read any of these properties. The context is set to zero when the ICertServerExit object is initially created. It can also be set to zero by invoking the SetContext method.

ValueMeaning
CAType
Long

Type of certification authority. This can be one of the following values (defined in Certsrv.h):

ENUM_ENTERPRISE_ROOTCA

ENUM_ENTERPRISE_SUBCA

ENUM_STANDALONE_ROOTCA

ENUM_STANDALONE_SUBCA

CertCount
Long

Number of CA certificates. This value will be one plus the number of times that the CA has been renewed. For information about renewal, see Certification Authority Renewal.

CertState
Long

CA certificate state. This can be one of the following values:

CA_DISP_ERROR: The CA certificate was never issued.
CA_DISP_REVOKED: The CA certificate has been revoked.
CA_DISP_VALID: The CA certificate is still valid.
CA_DISP_INVALID: The CA certificate has expired.

This property name may be appended with '.#', where # represents a CA certificate index (or, in the case of the CRLSuffix property, a CRL index). For information about certificate and CRL indices, see Certification Authority Renewal.

CertSuffix
String

Suffix for the CA certificate. The suffix is an empty string for CA certificates with an index of zero; otherwise, the suffix (in the form of "(nn)", where nn is the certificate index) is applied to all URLs that point to CA certificates stored in files or directory service objects. For non-LDAP URLs, the suffix typically appears before the ".crt" text. For LDAP URLs, the suffix is typically appended to the first 'CN=' in the full distinguished name.

This property name may be appended with '.#', where # represents a CA certificate index (or, in the case of the CRLSuffix property, a CRL index). For information about certificate and CRL indices, see Certification Authority Renewal.

CRLIndex
Long

Certificate revocation list (CRL) index. Appending a certificate index to this property name allows you to retrieve the CRL index. The CRL index does not necessarily match the certificate index. For more information, see Certification.

This property name may be appended with '.#', where # represents a CA certificate index (or, in the case of the CRLSuffix property, a CRL index). For information about certificate and CRL indices, see Certification Authority Renewal.

CRLState
Long

CRL state. This can be one of the following values:

CA_DISP_ERROR: The CRL is managed by another CA certificate.
CA_DISP_REVOKED: All unexpired CA certificates that use this CA certificate's CRL have been revoked.
CA_DISP_VALID: The CA certificate is still being used to publish CRLs as needed.
CA_DISP_INVALID: All CA certificates that use this CA certificate's CRL are expired.

This property name may be appended with '.#', where # represents a CA certificate index (or, in the case of the CRLSuffix property, a CRL index). For information about certificate and CRL indices, see Certification Authority Renewal.

CRLSuffix
String

Suffix for the CA CRL. The suffix is an empty string for CRLs with an index of zero; otherwise, the suffix (in the form of "(nn)", where nn is the CRL index) is applied to all URLs pointing to CRLs stored in files or directory service objects. For non-LDAP URLs, the suffix typically appears before the ".crl" text. For LDAP URLs, the suffix typically is appended to the first 'CN=' in the full distinguished name.

This property name may be appended with '.#', where # represents a CA certificate index (or, in the case of the CRLSuffix property, a CRL index). For information about certificate and CRL indices, see Certification Authority Renewal.

fUseDS
Long

Indicates whether the CA uses a directory service. This can be either of the following values:

  • 0=no
  • 1=yes
MachineDNSName
String

DNS name of server hosting the CA.

ModuleRegistryLocation
String

Registry location available for use by the module.

RawCACertificate
Binary

CA certificate.

This property name may be appended with '.#', where # represents a CA certificate index (or, in the case of the CRLSuffix property, a CRL index). For information about certificate and CRL indices, see Certification Authority Renewal.

RawCRL
Binary

CA's certificate revocation list (CRL).

This property name may be appended with '.#', where # represents a CA certificate index (or, in the case of the CRLSuffix property, a CRL index). For information about certificate and CRL indices, see Certification Authority Renewal.

RequesterCAAccess
Long

Indicates whether the requester is authorized to request the certificate. This can be either of the following values:

  • 0=no
  • 1=yes

(The Certification Authority MMC snap-in can be used to control certificate request permissions.)

SanitizedCAName
String

Sanitized name for the CA. For information about sanitized CA names, see ICertConfig::GetConfig.

SanitizedShortName
String

Sanitized name for the CA, shortened and containing a hash value to ensure uniqueness.

 

PropertyType [in]

Specifies the property type. The type can be one of the following.

ValueMeaning
PROPTYPE_LONG

Signed long data

PROPTYPE_DATE

Date/time

PROPTYPE_BINARY

Binary data

PROPTYPE_STRING

Unicode string data

 

pvarPropertyValue [out]

A pointer to a VARIANT that will contain the property value. The returned value is encoded as a BSTR. Use the SysStringByteLen function to retrieve the length of the BSTR. The binary BLOB is stored as a Distinguished Encoding Rules encoded X.509 certificate.

Return value

C++

If the method succeeds, the method returns S_OK.

If the method fails, it returns an HRESULT value that indicates the error. For a list of common error codes, see Common HRESULT Values.

VB

The return value is the requested property value.

Remarks

You must call ICertServerExit::SetContext prior to using this method.

Examples


BSTR    bstrPropName = NULL;
VARIANT varProp;

VariantInit(&varProp);

// Set the property name to RequestID.
bstrPropName = SysAllocString(L"RequestID");

// Retrieve the certificate property.
// pCertServerExit has been used to call SetContext previously.
hr = pCertServerExit->GetCertificateProperty(bstrPropName,
                                             PROPTYPE_LONG,
                                             &varProp );
if (FAILED(hr))
{
    printf("Failed GetCertificateProperty [%x]\n", hr);
    goto error;
}
else
{
    // Successfully retrieved property; use varProp as needed.
    // ...
}

// Done processing.
if (NULL != bstrPropName)
    SysFreeString(bstrPropName);
VariantClear(&varProp);

Requirements

Minimum supported client

None supported

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Certif.h (include Certsrv.h)

Library

Certidl.lib

DLL

Certcli.dll

IID

IID_ICertServerExit is defined as 4BA9EB90-732C-11D0-8816-00A0C903B83C

See also

Name Properties
ICertServerExit
ICertServerExit::SetContext

 

 

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.