7 Appendix B: Product Behavior

Article
06/24/2021

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

The following tables show the relationships between Microsoft product versions or supplemental software and the roles they perform.

Windows Client Releases	Server Role	Client Role
Windows 2000 Professional operating system	No	Yes
Windows XP operating system	No	Yes
Windows Vista operating system	No	Yes
Windows 7 operating system	No	Yes
Windows 8 operating system	No	Yes
Windows 8.1 operating system	No	Yes
Windows 10 operating system	No	Yes
Windows 11 operating system	No	Yes

Windows Server Releases	Server Role	Client Role
Windows 2000 Server operating system	Yes	Yes
Windows Server 2003 operating system	Yes	Yes
Windows Server 2008 operating system	Yes	Yes
Windows Server 2008 R2 operating system	Yes	Yes
Windows Server 2012 operating system	Yes	Yes
Windows Server 2012 R2 operating system	Yes	Yes
Windows Server 2016 operating system	Yes	Yes
Windows Server 2019 operating system	Yes	Yes
Windows Server 2022 operating system	Yes	Yes
Windows Server 2025 operating system	Yes	Yes

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.1: The following values are used by the Certificate Services Remote Administration Protocol client and server.

Constant/value	Description
d99e6e71-fc88-11d0-b498-00a0c90312f3	UUID for the ICertAdminD interface
7fe0d935-dda6-443f-85d0-1cfb58fe41dd	UUID for the ICertAdminD2 interface

<2> Section 2.1: On a Windows computer, if NULL authentication identity and credentials is passed, the RPC_C_AUTHN_GSS_NEGOTIATE security provider uses the identity and credentials from the process token of the process in which the higher layer application is running. This means the account on which the Certificate Services Remote Administration Protocol client is running is the account whose identity will be sent as the identity of the ORPC call.

<3> Section 2.2.2.2: Windows Server 2003 uses key recovery certificates that contain the following X.509v3 extensions specific to Windows:

Application Policies (Policy Identifier = Key Recovery Agent)
Certificate Template Information

Key recovery certificates, when issued by a Windows enterprise CA, are automatically written to the configuration container of Active Directory. The actual certificates are published to the userCertificate attribute (as specified in [RFC4523]) of the key recovery agent (KRA) object when issued to a member of the domain administrators group in Active Directory.

<4> Section 3.1.1: Windows implements the version-specific Request, Attribute, Extension, and CRL database tables as detailed in the following tables.

Request Tables

The following table details the Request table for Windows 2000 Server.

Column identifier	Data type	Maximum size of data	Column name (ADM element)*	Column display name
0x1000	0x10001	4 bytes	"Request.RequestID" (Request_Request_ID)	"Request ID"
0x1001	0x3	65536 bytes	"Request.RawRequest" (Request_Raw_Request)	"Binary Request"
0x1002	0x3	16384 bytes	"Request.RawOldCertificate"	"Old Certificate"
0x1003	0x4	32768 bytes	"Request.RequestAttributes" (Request_Request_Attributes)	"Request Attributes"
0x1004	0x1	4 bytes	"Request.RequestType" (Request_Request_Type)	"Request Type"
0x1005	0x1	4 bytes	"Request.RequestFlags" (Request_Request_Flags)	"Request Flags"
0x1006	0x1	4 bytes	"Request.Status"	"Request Status"
0x1007	0x1	4 bytes	"Request.StatusCode" (Request_Status_Code)	"Request Status Code"
0x1008	0x10001	4 bytes	"Request.Disposition" (Request_Disposition)	"Request Disposition"
0x1009	0x4	8192 bytes	"Request.DispositionMessage" (Request_Disposition_Message)	"Request Disposition Message"
0x100a	0x2	8 bytes	"Request.SubmittedWhen" (Request_Submitted_When)	"Request Submission Date"
0x100b	0x2	8 bytes	"Request.ResolvedWhen" (Request_Resolved_When)	"Request Resolution Date"
0x100c	0x2	8 bytes	"Request.RevokedWhen" (Request_Revoked_When)	"Revocation Date"
0x100d	0x2	8 bytes	"Request.RevokedEffectiveWhen" (Request_Revocation_Date)	"Effective Revocation Date"
0x100e	0x1	4 bytes	"Request.RevokedReason" (Request_Revoked_Reason)	"Revocation Reason"
0x100f	0x4	2048 bytes	"Request.RequesterName" (Request_Requester_Name)	"Requester Name"
0x1010	0x4	2048 bytes	"Request.RequesterAddress"	"Requester Address"
0x1011	0x4	8192 bytes	"Request.DistinguishedName" (Request_Distinguished_Name)	"Request Distinguished Name"
0x1012	0x3	4096 bytes	"Request.RawName" (Request_Raw_Name)	"Request Binary Name"
0x1013	0x1	4 bytes	"Request.NameType"	"Request Name Type"
0x1014	0x4	8192 bytes	"Request.Country" (Request_Country)	"Request Country/Region"
0x1015	0x4	8192 bytes	"Request.Organization" (Request_Organization)	"Request Organization"
0x1016	0x4	8192 bytes	"Request.OrgUnit" (Request_Org_Unit)	"Request Organization Unit"
0x1017	0x4	8192 bytes	"Request.CommonName" (Request_Common_Name)	"Request Common Name"
0x1018	0x4	8192 bytes	"Request.Locality" (Request_Locality)	"Request City"
0x1019	0x4	8192 bytes	"Request.State" (Request_State)	"Request State"
0x101a	0x4	8192 bytes	"Request.Title" (Request_Title)	"Request Title"
0x101b	0x4	8192 bytes	"Request.GivenName" (Request_Given_Name)	"Request First Name"
0x101c	0x4	8192 bytes	"Request.Initials" (Request_Initials)	"Request Initials"
0x101d	0x4	8192 bytes	"Request.SurName" (Request_SurName)	"Request Last Name"
0x101e	0x4	8192 bytes	"Request.DomainComponent" (Request_Domain_Component)	"Request Domain Component"
0x101f	0x4	8192 bytes	"Request.EMail" (Request_Email)	"Request Email Address"
0x1020	0x4	8192 bytes	"Request.StreetAddress" (Request_Street_Address)	"Request Street Address"
0x1021	0x4	8192 bytes	"Request.UnstructuredName" (Request_Unstructured_Name)	"Request Unstructured Name"
0x1022	0x4	8192 bytes	"Request.UnstructuredAddress" (Request_Unstructured_Address)	"Request Unstructured Address"
0x1023	0x4	8192 bytes	"Request.DeviceSerialNumber" (Request_Device_Serial_Number)	"Request Device Serial Number"
0x2000	0x10001	4 bytes	"RequestID" (Request_ID)	"Issued Request ID"
0x2001	0x3	16384 bytes	"RawCertificate" (Raw_Certificate)	"Binary Certificate"
0x2002	0x4	128 bytes	"CertificateHash" (Certificate_Hash)	"Certificate Hash"
0x2003	0x4	254 bytes	"CertificateType" (Certificate_Template)	"Certificate Type"
0x2004	0x10004	128 bytes	"SerialNumber" (Serial_Number)	"Serial Number"
0x2005	0x1	4 bytes	"IssuerNameId" (Issuer_Name_Id)	"Issuer Name ID"
0x2006	0x2	8 bytes	"NotBefore" (Not_Before)	"Certificate Effective Date"
0x2007	0x10002	8 bytes	"NotAfter" (Not_After)	"Certificate Expiration Date"
0x2008	0x3	4096 bytes	"RawPublicKey" (Raw_Public_Key)	"Binary Public Key"
0x2009	0x4	254 bytes	"PublicKeyAlgorithm" (Public_Key_Algorithm)	"Public Key Algorithm"
0x200a	0x3	4096 bytes	"RawPublicKeyAlgorithmParameters" (Raw_Public_Key_Algorithm_Parameters)	"Public Key Algorithm Parameters"
0x200b	0x4	8192 bytes	"DistinguishedName" (Distinguished_Name)	"Issued Distinguished Name"
0x200c	0x3	4096bytes	"RawName" (Raw_Name)	"Issued Binary Name"
0x200d	0x1	4 bytes	"NameType"	"Issued Name Type"
0x200e	0x4	8192 bytes	"Country" (Country)	"Issued Country/Region"
0x200f	0x4	8192 bytes	"Organization" (Organization)	"Issued Organization"
0x2010	0x4	8192 bytes	"OrgUnit" (Org_Unit)	"Issued Organization Unit"
0x2011	0x10004	8192 bytes	"CommonName" (Common_Name)	"Issued Common Name"
0x2012	0x4	8192 bytes	"Locality" (Locality)	"Issued City"
0x2013	0x4	8192 bytes	"State" (State)	"Issued State"
0x2014	0x4	8192 bytes	"Title" (Title)	"Issued Title"
0x2015	0x4	8192 bytes	"GivenName" (Given_Name)	"Issued First Name"
0x2016	0x4	8192 bytes	"Initials" (Initials)	"Issued Initials"
0x2017	0x4	8192 bytes	"SurName" (SurName)	"Issued Last Name"
0x2018	0x4	8192 bytes	"DomainComponent" (Domain_Component)	"Issued Domain Component"
0x2019	0x4	8192 bytes	"EMail" (Email)	"Issued Email address"
0x201a	0x4	8192 bytes	"StreetAddress" (Street_Address)	"Issued Street Address"
0x201b	0x4	8192 bytes	"UnstructuredName" (Unstructured_Name)	"Issued Unstructured Name"
0x201c	0x4	8192 bytes	"UnstructuredAddress" (Unstructured_Address)	"Issued Unstructured Address"
0x201d	0x4	8192 bytes	"DeviceSerialNumber" (Device_Serial_Number)	"Issued Device Serial Number"
0x201e	0x3	16384 bytes	"RawSMIMECapabilities"	"Issued SMIME Capabilities"

* Not all database columns have associated ADM elements.

The following table details the Request table for Windows Server 2003.

Column identifier	Data Type	Maximum size of data	Column name (ADM element)	Column display name
0x1000	0x10001	4 bytes	"Request.RequestID" (Request_Request_ID)	"Request ID"
0x1001	0x3	65536 bytes	"Request.RawRequest" (Request_Raw_Request)	"Binary Request"
0x1002	0x3	65536 bytes	"Request.RawArchivedKey" (Request_Raw_ArchivedKey)	"Archived Key"
0x1003	0x4	8192 bytes	"Request.KeyRecoveryHashes" (Request_Key_Recovery_Hashes)	"Key Recovery Agent Hashes"
0x1004	0x3	16384 bytes	"Request.RawOldCertificate" (Request_Raw_Old_Certificate)	"Old Certificate"
0x1005	0x4	32768 bytes	"Request.RequestAttributes" (Request_Request_Attributes)	"Request Attributes"
0x1006	0x1	4 bytes	"Request.RequestType" (Request_Request_Type)	"Request Type"
0x1007	0x1	4 bytes	"Request.RequestFlags" (Request_Request_Flags)	"Request Flags"
0x1008	0x1	4 bytes	"Request.StatusCode" (Request_Status_Code)	"Request Status Code"
0x1009	0x10001	4 bytes	"Request.Disposition" (Request_Disposition)	"Request Disposition"
0x100a	0x4	8192 bytes	"Request.DispositionMessage" (Request_Disposition_Message)	"Request Disposition Message"
0x100b	0x10002	8 bytes	"Request.SubmittedWhen" (Request_Submitted_When)	"Request Submission Date"
0x100c	0x10002	8 bytes	"Request.ResolvedWhen" (Request_Resolved_When)	"Request Resolution Date"
0x100d	0x2	8 bytes	"Request.RevokedWhen" (Request_Revoked_When)	"Revocation Date"
0x100e	0x10002	8 bytes	"Request.RevokedEffectiveWhen" (Request_Revocation_Date)	"Effective Revocation Date"
0x100f	0x1	4 bytes	"Request.RevokedReason" (Request_Revoked_Reason)	"Revocation Reason"
0x1010	0x10004	2048 bytes	"Request.RequesterName" (Request_Requester_Name)	"Requester Name"
0x1011	0x10004	2048 bytes	"Request.CallerName" (Request_Caller_Name)	"Caller Name"
0x1012	0x4	8192 bytes	"Request.SignerPolicies" (Request_Signer_Policies)	"Signer Policies"
0x1013	0x4	8192 bytes	"Request.SignerApplicationPolicies" (Request_Signer_Application_Policies)	"Signer Application Policies"
0x1014	0x1	4 bytes	"Request.Officer" (Request_Officer)	"Officer"
0x1015	0x4	8192 bytes	"Request.DistinguishedName" (Request_Distinguished_Name)	"Request Distinguished Name"
0x1016	0x3	4096 bytes	"Request.RawName" (Request_Raw_Name)	"Request Binary Name"
0x1017	0x4	8192 bytes	"Request.Country" (Request_Country)	"Request Country/Region"
0x1018	0x4	8192 bytes	"Request.Organization" (Request_Organization)	"Request Organization"
0x1019	0x4	8192 bytes	"Request.OrgUnit" (Request_Org_Unit)	"Request Organization Unit"
0x101a	0x4	8192 bytes	"Request.CommonName" (Request_Common_Name)	"Request Common Name"
0x101b	0x4	8192 bytes	"Request.Locality" (Request_Locality)	"Request City"
0x101c	0x4	8192 bytes	"Request.State" (Request_State)	"Request State"
0x101d	0x4	8192 bytes	"Request.Title" (Request_Title)	"Request Title"
0x101e	0x4	8192 bytes	"Request.GivenName" (Request_Given_Name)	"Request First Name"
0x101f	0x4	8192 bytes	"Request.Initials" (Request_Initials)	"Request Initials"
0x1020	0x4	8192 bytes	"Request.SurName" (Request_SurName)	"Request Last Name"
0x1021	0x4	8192 bytes	"Request.DomainComponent" (Request_Domain_Component)	"Request Domain Component"
0x1022	0x4	8192 bytes	"Request.EMail" (Request_Email)	"Request Email Address"
0x1023	0x4	8192 bytes	"Request.StreetAddress" (Request_Street_Address)	"Request Street Address"
0x1024	0x4	8192 bytes	"Request.UnstructuredName" (Request_Unstructured_Name)	"Request Unstructured Name"
0x1025	0x4	8192 bytes	"Request.UnstructuredAddress" (Request_Unstructured_Address)	"Request Unstructured Address"
0x1026	0x4	8192 bytes	"Request.DeviceSerialNumber" (Request_Device_Serial_Number)	"Request Device Serial Number"
0x2000	0x10001	4 bytes	"RequestID" (Request_ID)	"Issued Request ID"
0x2001	0x3	16384 bytes	"RawCertificate" (Raw_Certificate)	"Binary Certificate"
0x2002	0x10004	128 bytes	"CertificateHash" (Certificate_Hash)	"Certificate Hash"
0x2003	0x10004	254 bytes	"CertificateTemplate" (Certificate_Template)	"Certificate Template"
0x2004	0x1	4 bytes	"EnrollmentFlags" (Enrollment_Flags)	"Template Enrollment Flags"
0x2005	0x1	4 bytes	"GeneralFlags" (General_Flags)	"Template General Flags"
0x2006	0x10004	128 bytes	"SerialNumber" (Serial_Number)	"Serial Number"
0x2007	0x1	4 bytes	"IssuerNameId" (Issuer_Name_Id)	"Issuer Name ID"
0x2008	0x2	8 bytes	"NotBefore" (Not_Before)	"Certificate Effective Date"
0x2009	0x10002	8 bytes	"NotAfter" (Not_After)	"Certificate Expiration Date"
0x200a	0x4	128 bytes	"SubjectKeyIdentifier" (Subject_Key_Identifier)	"Issued Subject Key Identifier"
0x200b	0x3	4096 bytes	"RawPublicKey" (Raw_Public_Key)	"Binary Public Key"
0x200c	0x1	4 bytes	"PublicKeyLength" (Public_Key_Length)	"Public Key Length"
0x200d	0x4	254 bytes	"PublicKeyAlgorithm" (Public_Key_Algorithm)	"Public Key Algorithm"
0x200e	0x3	4096 bytes	"RawPublicKeyAlgorithmParameters" (Raw_Public_Key_Algorithm_Parameters)	"Public Key Algorithm Parameters"
0x200f	0x10004	2048 bytes	"UPN" (UPN)	"User Principal Name"
0x2010	0x4	8192 bytes	"DistinguishedName" (Distinguished_Name)	"Issued Distinguished Name"
0x2011	0x3	4096 bytes	"RawName" (Raw_Name)	"Issued Binary Name"
0x2012	0x4	8192 bytes	"Country" (Country)	"Issued Country/Region"
0x2013	0x4	8192 bytes	"Organization" (Organization)	"Issued Organization"
0x2014	0x4	8192 bytes	"OrgUnit" (Org_Unit)	"Issued Organization Unit"
0x2015	0x10004	8192 bytes	"CommonName" (Common_Name)	"Issued Common Name"
0x2016	0x4	8192 bytes	"Locality" (Locality)	"Issued City"
0x2017	0x4	8192 bytes	"State" (State)	"Issued State"
0x2018	0x4	8192 bytes	"Title" (Title)	"Issued Title"
0x2019	0x4	8192 bytes	"GivenName" (Given_Name)	"Issued First Name"
0x201a	0x4	8192 bytes	"Initials" (Initials)	"Issued Initials"
0x201b	0x4	8192 bytes	"SurName" (SurName)	"Issued Last Name"
0x201c	0x4	8192 bytes	"DomainComponent" (Domain_Component)	"Issued Domain Component"
0x201d	0x4	8192 bytes	"EMail" (Email)	"Issued Email address"
0x201e	0x4	8192 bytes	"StreetAddress" (Street_Address)	"Issued Street Address"
0x201f	0x4	8192 bytes	"UnstructuredName" (Unstructured_Name)	"Issued Unstructured Name"
0x2020	0x4	8192 bytes	"UnstructuredAddress" (Unstructured_Address)	"Issued Unstructured Address"
0x2021	0x4	8192 bytes	"DeviceSerialNumber" (Device_Serial_Number)	"Issued Device Serial Number"

The following table details the Request table for Windows Server 2008 and Windows Server 2008 R2.

Column identifier	Data type	Maximum size of data	Column name (ADM element)	Column display name
0x1000	0x10001	4 bytes	Request.RequestID (Request_Request_ID)	"Request ID"
0x1001	0x3	65536 bytes	"Request.RawRequest" (Request_Raw_Request)	"Binary Request"
0x1002	0x3	65536 bytes	"Request.RawArchivedKey" (Request_Raw_Archived_Key)	"Archived Key"
0x1003	0x4	8192 bytes	"Request.KeyRecoveryHashes" (Request_Key_Recovery_Hashes)	"Key Recovery Agent Hashes"
0x1004	0x3	16384 bytes	"Request.RawOldCertificate" (Request_Raw_Old_Certificate)	"Old Certificate"
0x1005	0x4	32768 bytes	"Request.RequestAttributes" (Request_Request_Attributes)	"Request Attributes"
0x1006	0x1	4 bytes	"Request.RequestType" (Request_Request_Type)	"Request Type"
0x1007	0x1	4 bytes	"Request.RequestFlags" (Request_Request_Flags)	"Request Flags"
0x1008	0x1	4 bytes	"Request.StatusCode" (Request_Status_Code)	"Request Status Code"
0x1009	0x10001	4 bytes	"Request.Disposition" (Request_Disposition)	"Request Disposition"
0x100a	0x4	8192 bytes	"Request.DispositionMessage" (Request_Disposition_Message)	"Request Disposition Message"
0x100b	0x10002	8 bytes	"Request.SubmittedWhen" (Request_Submitted_When)	"Request Submission Date"
0x100c	0x10002	8 bytes	"Request.ResolvedWhen" (Request_Resolved_When)	"Request Resolution Date"
0x100d	0x2	8 bytes	"Request.RevokedWhen" (Request_Revoked_When)	"Revocation Date"
0x100e	0x10002	8 bytes	"Request.RevokedEffectiveWhen" (Request_Revocation_Date)	"Effective Revocation Date"
0x100f	0x1	4 bytes	"Request.RevokedReason" (Request_Revoked_Reason)	"Revocation Reason"
0x1010	0x10004	2048 bytes	"Request.RequesterName" (Request_Requester_Name)	"Requester Name"
0x1011	0x10004	2048 bytes	"Request.CallerName" (Request_Caller_Name)	"Caller Name"
0x1012	0x4	8192 bytes	"Request.SignerPolicies" (Request_Signer_Policies)	"Signer Policies"
0x1013	0x4	8192 bytes	"Request.SignerApplicationPolicies" (Request_Signer_Application_Policies)	"Signer Application Policies"
0x1014	0x1	4 bytes	"Request.Officer" (Request_Officer)	"Officer"
0x1015	0x4	8192 bytes	"Request.DistinguishedName" (Request_Distinguished_Name)	"Request Distinguished Name"
0x1016	0x3	4096 bytes	"Request.RawName" (Request_Raw_Name)	"Request Binary Name"
0x1017	0x4	8192 bytes	"Request.Country" (Request_Country)	"Request Country/Region"
0x1018	0x4	8192 bytes	"Request.Organization" (Request_Organization)	"Request Organization"
0x1019	0x4	8192 bytes	"Request.OrgUnit" (Request_Org_Unit)	"Request Organization Unit"
0x101a	0x4	8192 bytes	"Request.CommonName" (Request_Common_Name)	"Request Common Name"
0x101b	0x4	8192 bytes	"Request.Locality" (Request_Locality)	"Request City"
0x101c	0x4	8192 bytes	"Request.State" (Request_State)	"Request State"
0x101d	0x4	8192 bytes	"Request.Title" (Request_Title)	"Request Title"
0x101e	0x4	8192 bytes	"Request.GivenName" (Request_Given_Name)	"Request First Name"
0x101f	0x4	8192 bytes	"Request.Initials" (Request_Initials)	"Request Initials"
0x1020	0x4	8192 bytes	"Request.SurName" (Request_SurName)	"Request Last Name"
0x1021	0x4	8192 bytes	"Request.DomainComponent" (Request_Domain_Component)	"Request Domain Component"
0x1022	0x4	8192 bytes	"Request.EMail" (Request_Email)	"Request Email Address"
0x1023	0x4	8192 bytes	"Request.StreetAddress" (Request_Street_Address)	"Request Street Address"
0x1024	0x4	8192 bytes	"Request.UnstructuredName" (Request_Unstructured_Name)	"Request Unstructured Name"
0x1025	0x4	8192 bytes	"Request.UnstructuredAddress" (Request_Unstructured_Address)	"Request Unstructured Address"
0x1026	0x4	8192 bytes	"Request.DeviceSerialNumber" (Request_Device_Serial_Number)	"Request Device Serial Number"
0x2000	0x10001	4 bytes	"RequestID" (Request_ID)	"Issued Request ID"
0x2001	0x3	16384 bytes	"RawCertificate" (Raw_Certificate)	"Binary Certificate"
0x2002	0x10004	128 bytes	"CertificateHash" (Certificate_Hash)	"Certificate Hash"
0x2003	0x10004	254 bytes	"CertificateTemplate" (Certificate_Template)	"Certificate Template"
0x2004	0x1	4 bytes	"EnrollmentFlags" (Enrollment_Flags)	"Template Enrollment Flags"
0x2005	0x1	4 bytes	"GeneralFlags" (General_Flags)	"Template General Flags"
0x2006	0x10004	128 bytes	"SerialNumber" (Serial_Number)	"Serial Number"
0x2007	0x1	4 bytes	"IssuerNameId" (Issuer_Name_Id)	"Issuer Name ID"
0x2008	0x2	8 bytes	"NotBefore" (Not_Before)	"Certificate Effective Date"
0x2009	0x10002	8 bytes	"NotAfter" (Not_After)	"Certificate Expiration Date"
0x200a	0x4	128 bytes	"SubjectKeyIdentifier" (Subject_Key_Identifier)	"Issued Subject Key Identifier"
0x200b	0x3	4096 bytes	"RawPublicKey" (Raw_Public_Key)	"Binary Public Key"
0x200c	0x1	4 bytes	"PublicKeyLength" (Public_Key_Length)	"Public Key Length"
0x200d	0x4	254 bytes	"PublicKeyAlgorithm" (Public_Key_Algorithm)	"Public Key Algorithm"
0x200e	0x3	4096 bytes	"RawPublicKeyAlgorithmParameters" (Raw_Public_Key_Algorithm_Parameters)	"Public Key Algorithm Parameters"
0x200f	0x1	4 bytes	"PublishExpiredCertInCRL" (Publish_Expired_Cert_In_CRL)	"Publish Expired Certificate in CRL"
0x2010	0x10004	2048 bytes	"UPN" (UPN)	"User Principal Name"
0x2011	0x4	8192 bytes	"DistinguishedName" (Distinguished_Name)	"Issued Distinguished Name"
0x2012	0x3	4096 bytes	"RawName" (Raw_Name)	"Issued Binary Name"
0x2013	0x4	8192 bytes	"Country" (Country)	"Issued Country/Region"
0x2014	0x4	8192 bytes	"Organization" (Organization)	"Issued Organization"
0x2015	0x4	8192 bytes	"OrgUnit" (Org_Unit)	"Issued Organization Unit"
0x2016	0x10004	8192 bytes	"CommonName" (Common_Name)	"Issued Common Name"
0x2017	0x4	8192 bytes	"Locality" (Locality)	"Issued City"
0x2018	0x4	8192 bytes	"State" (State)	"Issued State"
0x2019	0x4	8192 bytes	"Title" (Title)	"Issued Title"
0x201a	0x4	8192 bytes	"GivenName" (Given_Name)	"Issued First Name"
0x201b	0x4	8192 bytes	"Initials" (Initials)	"Issued Initials"
0x201c	0x4	8192 bytes	"SurName" (SurName)	"Issued Last Name"
0x201d	0x4	8192 bytes	"DomainComponent" (Domain_Component)	"Issued Domain Component"
0x201e	0x4	8192 bytes	"EMail" (Email)	"Issued Email address"
0x201f	0x4	8192 bytes	"StreetAddress" (Street_Address)	"Issued Street Address"
0x2020	0x4	8192 bytes	"UnstructuredName" (Unstructured_Name)	"Issued Unstructured Name"
0x2021	0x4	8192 bytes	"UnstructuredAddress" (Unstructured_Address)	"Issued Unstructured Address"
0x2022	0x4	8192 bytes	"DeviceSerialNumber" (Device_Serial_Number)	"Issued Device Serial Number"

The following table details the Request table for Windows Server 2012 and later.

Column identifier	Data type	Maximum size of data	Column name (ADM element)	Column display name
0x1000	0x10001	4 bytes	Request.RequestID (Request_Request_ID)	"Request ID"
0x1001	0x3	65536 bytes	"Request.RawRequest" (Request_Raw_Request)	"Binary Request"
0x1002	0x3	65536 bytes	"Request.RawArchivedKey" (Request_Raw_Archived_Key)	"Archived Key"
0x1003	0x4	8192 bytes	"Request.KeyRecoveryHashes" (Request_Key_Recovery_Hashes)	"Key Recovery Agent Hashes"
0x1004	0x3	16384 bytes	"Request.RawOldCertificate" (Request_Raw_Old_Certificate)	"Old Certificate"
0x1005	0x4	32768 bytes	"Request.RequestAttributes" (Request_Request_Attributes)	"Request Attributes"
0x1006	0x1	4 bytes	"Request.RequestType" (Request_Request_Type)	"Request Type"
0x1007	0x1	4 bytes	"Request.RequestFlags" (Request_Request_Flags)	"Request Flags"
0x1008	0x1	4 bytes	"Request.StatusCode" (Request_Status_Code)	"Request Status Code"
0x1009	0x10001	4 bytes	"Request.Disposition" (Request_Disposition)	"Request Disposition"
0x100a	0x4	8192 bytes	"Request.DispositionMessage" (Request_Disposition_Message)	"Request Disposition Message"
0x100b	0x10002	8 bytes	"Request.SubmittedWhen" (Request_Submitted_When)	"Request Submission Date"
0x100c	0x10002	8 bytes	"Request.ResolvedWhen" (Request_Resolved_When)	"Request Resolution Date"
0x100d	0x2	8 bytes	"Request.RevokedWhen" (Request_Revoked_When)	"Revocation Date"
0x100e	0x10002	8 bytes	"Request.RevokedEffectiveWhen" (Request_Revocation_Date)	"Effective Revocation Date"
0x100f	0x1	4 bytes	"Request.RevokedReason" (Request_Revoked_Reason)	"Revocation Reason"
0x1010	0x10004	2048 bytes	"Request.RequesterName" (Request_Requester_Name)	"Requester Name"
0x1011	0x10004	2048 bytes	"Request.CallerName" (Request_Caller_Name)	"Caller Name"
0x1012	0x4	8192 bytes	"Request.SignerPolicies" (Request_Signer_Policies)	"Signer Policies"
0x1013	0x4	8192 bytes	"Request.SignerApplicationPolicies" (Request_Signer_Application_Policies)	"Signer Application Policies"
0x1014	0x1	4 bytes	"Request.Officer" (Request_Officer)	"Officer"
0x1015	0x4	8192 bytes	"Request.DistinguishedName" (Request_Distinguished_Name)	"Request Distinguished Name"
0x1016	0x3	4096 bytes	"Request.RawName" (Request_Raw_Name)	"Request Binary Name"
0x1017	0x4	8192 bytes	"Request.Country" (Request_Country)	"Request Country/Region"
0x1018	0x4	8192 bytes	"Request.Organization" (Request_Organization)	"Request Organization"
0x1019	0x4	8192 bytes	"Request.OrgUnit" (Request_Org_Unit)	"Request Organization Unit"
0x101a	0x4	8192 bytes	"Request.CommonName" (Request_Common_Name)	"Request Common Name"
0x101b	0x4	8192 bytes	"Request.Locality" (Request_Locality)	"Request City"
0x101c	0x4	8192 bytes	"Request.State" (Request_State)	"Request State"
0x101d	0x4	8192 bytes	"Request.Title" (Request_Title)	"Request Title"
0x101e	0x4	8192 bytes	"Request.GivenName" (Request_Given_Name)	"Request First Name"
0x101f	0x4	8192 bytes	"Request.Initials" (Request_Initials)	"Request Initials"
0x1020	0x4	8192 bytes	"Request.SurName" (Request_SurName)	"Request Last Name"
0x1021	0x4	8192 bytes	"Request.DomainComponent" (Request_Domain_Component)	"Request Domain Component"
0x1022	0x4	8192 bytes	"Request.EMail" (Request_Email)	"Request Email Address"
0x1023	0x4	8192 bytes	"Request.StreetAddress" (Request_Street_Address)	"Request Street Address"
0x1024	0x4	8192 bytes	"Request.UnstructuredName" (Request_Unstructured_Name)	"Request Unstructured Name"
0x1025	0x4	8192 bytes	"Request.UnstructuredAddress" (Request_Unstructured_Address)	"Request Unstructured Address"
0x1026	0x4	8192 bytes	"Request.DeviceSerialNumber" (Request_Device_Serial_Number)	"Request Device Serial Number"
0x1027 *	0x3	4096 bytes	"Request.AttestationChallenge" (Request_Attestation_Challenge)	"Attestation Challenge"
0x1028 *	0x4	144 bytes	"Request.EndorsementKeyHash" (Request_Endorsement_Key_Hash)	"Endorsement Key Hash"
0x1029 *	0x4	144 bytes	"Request.EndorsementCertificateHash" (Request_Endorsement_Certificate_Hash)	"Endorsement Certificate Hash"
0x2000	0x10001	4 bytes	"RequestID" (Request_ID)	"Issued Request ID"
0x2001	0x3	16384 bytes	"RawCertificate" (Raw_Certificate)	"Binary Certificate"
0x2002	0x10004	128 bytes	"CertificateHash" (Certificate_Hash)	"Certificate Hash"
0x2003	0x10004	254 bytes	"CertificateTemplate" (Certificate_Template)	"Certificate Template"
0x2004	0x1	4 bytes	"EnrollmentFlags" (Enrollment_Flags)	"Template Enrollment Flags"
0x2005	0x1	4 bytes	"GeneralFlags" (General_Flags)	"Template General Flags"
0x2006	0x1	4 bytes	"PrivateKeyFlags" (PrivateKey_Flags)	"Private Key Flags"
0x2007	0x10004	128 bytes	"SerialNumber" (Serial_Number)	"Serial Number"
0x2008	0x1	4 bytes	"IssuerNameId" (Issuer_Name_Id)	"Issuer Name ID"
0x2009	0x2	8 bytes	"NotBefore" (Not_Before)	"Certificate Effective Date"
0x200a	0x10002	8 bytes	"NotAfter" (Not_After)	"Certificate Expiration Date"
0x200b	0x4	128 bytes	"SubjectKeyIdentifier" (Subject_Key_Identifier)	"Issued Subject Key Identifier"
0x200c	0x3	4096 bytes	"RawPublicKey" (Raw_Public_Key)	"Binary Public Key"
0x200d	0x1	4 bytes	"PublicKeyLength" (Public_Key_Length)	"Public Key Length"
0x200e	0x4	254 bytes	"PublicKeyAlgorithm" (Public_Key_Algorithm)	"Public Key Algorithm"
0x200f	0x3	4096 bytes	"RawPublicKeyAlgorithmParameters" (Raw_Public_Key_Algorithm_Parameters)	"Public Key Algorithm Parameters"
0x2010	0x1	4 bytes	"PublishExpiredCertInCRL" (Publish_Expired_Cert_In_CRL)	"Publish Expired Certificate in CRL"
0x2011	0x10004	2048 bytes	"UPN" (UPN)	"User Principal Name"
0x2012	0x4	8192 bytes	"DistinguishedName" (Distinguished_Name)	"Issued Distinguished Name"
0x2013	0x3	4096 bytes	"RawName" (Raw_Name)	"Issued Binary Name"
0x2014	0x4	8192 bytes	"Country" (Country)	"Issued Country/Region"
0x2015	0x4	8192 bytes	"Organization" (Organization)	"Issued Organization"
0x2016	0x4	8192 bytes	"OrgUnit" (Org_Unit)	"Issued Organization Unit"
0x2017	0x10004	8192 bytes	"CommonName" (Common_Name)	"Issued Common Name"
0x2018	0x4	8192 bytes	"Locality" (Locality)	"Issued City"
0x2019	0x4	8192 bytes	"State" (State)	"Issued State"
0x201a	0x4	8192 bytes	"Title" (Title)	"Issued Title"
0x201b	0x4	8192 bytes	"GivenName" (Given_Name)	"Issued First Name"
0x201c	0x4	8192 bytes	"Initials" (Initials)	"Issued Initials"
0x201d	0x4	8192 bytes	"SurName" (SurName)	"Issued Last Name"
0x201e	0x4	8192 bytes	"DomainComponent" (Domain_Component)	"Issued Domain Component"
0x201f	0x4	8192 bytes	"EMail" (Email)	"Issued Email address"
0x2020	0x4	8192 bytes	"StreetAddress" (Street_Address)	"Issued Street Address"
0x2021	0x4	8192 bytes	"UnstructuredName" (Unstructured_Name)	"Issued Unstructured Name"
0x2022	0x4	8192 bytes	"UnstructuredAddress" (Unstructured_Address)	"Issued Unstructured Address"
0x2023	0x4	8192 bytes	"DeviceSerialNumber" (Device_Serial_Number)	"Issued Device Serial Number"

* These database columns are available in Windows Server 2012 R2 and later.

Extension Tables

The following table details the Extension table for Windows 2000 Server and later.

Column identifier	Data type	Maximum size of data	Column name	Column display name
0x4000	0x1001	4 bytes	"ExtensionRequestId" (Extension_Request_ID)	"Extension Request Id"
0x4001	0x4	254 bytes	"ExtensionName" (Extension_Name)	"Extension Name"
0x4002	0x1	4 bytes	"ExtensionFlags" (Extension_Flags)	"Extension Flags"
0x4003	0x3	4096 bytes	"ExtensionRawValue" (Extension_Raw_Value)	"Extension Raw Value"

Attribute Tables

The following table details the Attribute table for Windows 2000 Server and later.

Column identifier	Data type	Maximum size of data	Column name	Column display name
0x3000	0x10001	4 bytes	"AttributeRequestId" (Attribute_Request_ID)	"Attribute Request Id"
0x3001	0x4	254 bytes	"AttributeName" (Attribute_Name)	"Attribute Name"
0x3002	0x4	8192 bytes	"AttributeValue" (Attribute_Value)	"Attribute Value"

Column identifier

Data type

Maximum size of data

Column name

Column display name

0x3000

0x10001

4 bytes

"AttributeRequestId"

(Attribute_Request_ID)

"Attribute Request Id"

0x3001

0x4

254 bytes

"AttributeName"

(Attribute_Name)

"Attribute Name"

0x3002

0x4

8192 bytes

"AttributeValue"

(Attribute_Value)

"Attribute Value"

CRL Tables

The following table details the CRL table for Windows Server 2003 and later. (Windows 2000 Server does not have a CRL table.)

Column identifier	Data type	Maximum size of data	Column name (ADM element)	Column display name
0x5000	0x10001	4 bytes	CRLRowId (CRL_Row_ID)	"CRL Row ID"
0x5001	0x10001	4 bytes	"CRLNumber" (CRL_Number)	"CRL Number"
0x5002	0x1	4 bytes	"CRLMinBase" (CRL_Min_Base)	"CRL Minimum Base"
0x5003	0x1	4 bytes	"CRLNameId" (CRL_Name_Id)	"CRL Name ID"
0x5004	0x1	4 bytes	"CRLCount" (CRL_Count)	"CRL Count"
0x5005	0x2	8 bytes	"CRLThisUpdate" (CRL_This_Update)	"CRL This Update"
0x5006	0x10002	8 bytes	"CRLNextUpdate" (CRL_Next_Update)	"CRL Next Update"
0x5007	0x2	8 bytes	"CRLThisPublish" (CRL_This_Publish)	"CRL This Publish"
0x5008	0x10002	8 bytes	"CRLNextPublish" (CRL_Next_Publish)	"CRL Next Publish"
0x5009	0x2	8 bytes	"CRLEffective" (CRL_Effective)	"CRL Effective"
0x500a	0x10002	8 bytes	"CRLPropagationComplete" (CRL_Propagation_Complete)	"CRL Propagation Complete"
0x500b	0x10002	8 bytes	"CRLLastPublish" (CRL_Last_Published)	"CRL Last Published"
0x500c	0x10001	4 bytes	"CRLPublishAttempts" (CRL_Publish_Attempts)	"CRL Publish Attempts"
0x500d	0x1	4 bytes	"CRLPublishFlags" (CRL_Publish_Flags)	"CRL Publish Flags"
0x500e	0x10001	4 bytes	"CRLPublishStatusCode" (CRL_Publish_Status_Code)	"CRL Publish Status Code"
0x500f	0x4	8192 bytes	"CRLPublishError" (CRL_Publish_Error)	"CRL Publish Error Information"
0x5010	0x3	536870912 bytes	"CRLRawCRL" (CRL_Raw_CRL)	"CRL Raw CRL"

<5> Section 3.1.1.1.1: Windows uses a DWORD number to represent these values. The following table shows how Windows internal values correspond to the preceding string representations.

Windows value	Abstract data model value
CR_DISP_ERROR 0x00000001	Request failed
CR_DISP_DENIED 0x00000002	Request denied
CR_DISP_ISSUED 0x00000003	Certificate issued
CR_DISP_UNDER_SUBMISSION 0x00000005	Request pending
CR_DISP_REVOKED 0x00000006	Certificate revoked

<6> Section 3.1.1.1.2: These flags are supported in Windows Server 2012 R2 and later.

<7> Section 3.1.1.1.2: Request_RequesterName_From_Old_Certificate is supported in Windows Server 2008 R2 and later.

<8> Section 3.1.1.4: Windows 2000 Server and later CAs store this CRL in the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs.

<9> Section 3.1.1.7: The permissions of Officer, Operator, and Auditor are supported on Windows Server 2003 Enterprise Edition operating system, Windows Server 2003 Datacenter Edition operating system, Windows Server 2008 Enterprise operating system, Windows Server 2008 Datacenter operating system, Windows Server 2008 R2 Enterprise Edition, Windows Server 2008 R2 Datacenter Edition, and Windows Server 2012 and later.

<10> Section 3.1.1.8: The Microsoft CA keeps all CRL publishing locations in a registry multistring value.

              
                   HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\
 {CA Name}\CRLPublicationURLs

The Microsoft CA uses a numeric prefix that is stored with each entry of the CRL publishing location list in order to indicate which of the ADM elements the URL belongs to, as shown in the following table.

Numeric prefix value	ADM element
0x00000001	Config_CA_CDP_Publish_To_Base
0x00000040	Config_CA_CDP_Publish_To_Delta
0x00000008	Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension
0x00000004	Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension
0x00000080	Config_CA_CDP_Include_In_CRL_IDP_Extension

Calling the ICertAdminD2::SetConfigEntry method with the pwszNodePath as an EMPTY string, the pwszEntry "CRLPublicationURLs", and the pVariant data that contains the required URLs allows manipulation of this list.

Also, the usual registry manipulation tools that are specified in [MS-RRP] can be used to update these values.

For Config_CA_CDP_Publish_To_Base and Config_CA_CDP_Publish_To_Delta, the default values that are used by the Microsoft CA are a local path on the CA machine,

              
                   {SYSTEM}\CertSrv\CertEnroll\{CATruncatedName}{CRLNameSuffix}
 {DeltaIndicator}.crl

a local path in the registry,

              
                   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\

and the Active Directory path,

              
                   
 ldap: ///CN={CATruncatedName}{CRLNameSuffix},CN={CAServerShortName},
 CN=CDP,CN=Public Key 
 Services,CN=Services,CN=Configuration,DC={contoso},DC=com{CDPObjectClass}

where:

"{SYSTEM}" is replaced with the system directory of the CA machine, such as "C:\Windows\System32".
"{CATruncatedName}" is replaced with the sanitized name of the CA, as defined in [MS-WCCE] sections 1.3.2.5 and 3.1.1.4.1.1.
"{DeltaIndicator}" is replaced with NULL for a base CRL and "+" for a delta CRL.
"{CRLNameSuffix}" is replaced with NULL if the CRL is signed by the first CA key (a CA key that has a key index of 0) and by "(n)" if the CRL is signed by any subsequent CA key.

Where "(n)" is replaced with an integer that is equal to the identifier Signing_Private_Key_Version_ID, as defined in [MS-WCCE] section 3.2.1.1.2 and in the example in [MS-WCCE] section 3.2.1.4.3.2.34.
"{CAServerShortName}" is replaced with the name of the host on which the CA is running.
"DC={contoso},DC=com" is replaced by the distinguished name (DN) of the forest root domain naming context (NC) of the Active Directory forest in which the Microsoft CA is installed.
- The forest root domain NC is defined in [MS-ADTS] section 1.1.
- For example, the DN of the forest root domain NC of a forest called "corp.contoso.com" would be "DC=corp,DC=contoso,DC=com".
"{CDPObjectClass}" is replaced with "?certificateRevocationList?base?objectClass=cRLDistributionPoint" for a base CRL and with "?deltaRevocationList?base?objectClass=cRLDistributionPoint" for a delta CRL.
- The object class cRLDistributionPoint is as defined in [MS-ADSC].
- The attribute certificateRevocationList is defined in [MS-ADA1].
- The attribute deltaRevocationList is defined in [MS-ADA1].

The deltaRevocationList attribute is not used by the Windows 2000 operating system version of the CA. The Windows Server 2003 and later versions of the CA use both base CRL and delta CRL attributes.

Within the certificateRevocationList or deltaRevocationList attribute, the CRL is encoded by using Distinguished Encoding Rules (DER).

<11> Section 3.1.1.10: Microsoft CAs persist only a subset of the configuration data. They store the configuration data in the registry in the following locations:

Values under

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\

DBSessionCount

ADM Datum: Config_Max_Number_Of_AD_Connections and OnNextRestart_Config_Max_Number_Of_AD_Connections.

Registry Value Type: REG_DWORD

Default Value: 20

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value. The minimum value for this registry is 4 and the maximum value is 1024.

No Value Semantics: The value always exists.

LDAPFlags

ADM Datum: Config_CA_LDAP_Flags and OnNextRestart_Config_CA_LDAP_Flags.

Registry Value Type: REG_DWORD

Default Value: 0

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: The value always exists.

Version

ADM Datum: Config_Product_Version and OnNextRestart_Config_Product_Version

Registry Value Type: REG_DWORD

Default Value: By default, the value depends on the Windows version:

0x00010001: Windows 2000 Server
0x00020002: Windows Server 2003
0x00030001: Windows Server 2008
0x00040001: Windows Server 2008 R2
0x00050001: Windows Server 2012
0x00050001: Windows Server 2012 R2 without [MSKB-3013769]
0x00060001: Windows Server 2012 R2 with [MSKB-3013769]
0x00070001: Windows Server 2016 or Windows Server 2019

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: The value always exists.

Values under

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_CN>

where <CA_CN> is replaced with the common name (CN) of the CA. The values are as follows:

ConfigurationDirectory

ADM Datum: Config_Configuration_Directory (defined in [MS-WCCE]).

Registry Value Type: REG_SZ

Default Value: By default, the value does not exist.

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: The CA does not implement Config_Configuration_Directory datum (for details, see section 3.2.1.4.3.2.8).

ParentCAMachine

ADM Datum: Config_CA_Parent_DNS (defined in [MS-WCCE]).

Registry Value Type: REG_SZ

Default Value: By default, the value does not exist for the root CA. For the subordinate CA, the value is set to the FQDN of the machine where the parent CA is installed.

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: The CA does not have a parent CA.

RoleSeparationEnabled

ADM Datum: Config_CA_Role_Separation (defined in [MS-WCCE]).

Registry Value Type: REG_DWORD

Default Value: The value does not exist by default.

Registry Value Mapping to ADM: If the value in the registry is zero, the ADM datum is set to false. For any nonzero registry value, ADM datum is set to true.

No Value Semantics: Same as setting the value to zero.

CAXchgCertHash

ADM Datum: Config_CA_Exchange_Cert (defined in [MS-WCCE]).

Registry Value Type: REG_MULTI_SZ

Default Value: None.

Registry Value Mapping to ADM: Each value is an SHA-1 hash of the corresponding CA exchange certificate. The actual exchange certificates are stored in the Request table.

No Value Semantics: There are no CA exchange certificates configured on the server.

CACertPublicationURLs

ADM Datum: Multiple, see Registry Value Mapping to ADM.

Registry Value Type: REG_MULTI_SZ

Default Value:

1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt

3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11

2:http://%1/CertEnroll/%1_%3%4.crt

0:file://%1/CertEnroll/%1_%3%4.crt

Registry Value Mapping to ADM: The string format for each string in the list is

Where the <Numeric Prefix Value> is a binary OR of the values in the following table and is represented as a decimal value. And where <Some Path> is a string that is composed of literal strings and wild cards, that is defined in the following tables, and that represents an HTTP, FILE, or LDAP URL), or a UNC path.

Numeric prefix value	ADM element
0x00000001	Config_CA_CACert_Publish_To and OnNextRestart_Config_CA_CACert_Publish_To. The CA publishes its signing certificate to this location.
0x00000002	Config_CA_AIA_Include_In_Cert and OnNextRestart_Config_CA_AIA_Include_In_Cert.
0x00000020	Config_CA_OCSP_Include_In_Cert and OnNextRestart_Config_CA_OCSP_Include_In_Cert.

Wild card	Meaning
%1	The NetBIOS name of the server on which the CA is installed.
%2	The FQDN of the server on which the CA is installed.
%3	The name of the CA.
%4	The certificate file name suffix that corresponds to the key index for the CA signing key.
%6	The DN name of the configuration container.
%7	The truncated name of the CA.
%11	The class name for the AD object of the CA.

No Value Semantics: The ADMs that correspond to the prefixes are empty.

CRLPublicationURLs

ADM Datum: Multiple, see Registry Value Mapping to ADM.

Registry Value Type: REG_MULTI_SZ

Default Value:

65:E:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl

79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10

6:http://%1/CertEnroll/%3%8%9.crl

0:file://%1/CertEnroll/%3%8%9.crl

Registry Value Mapping to ADM: The string format for each string in the list is:

Where the <Numeric Prefix Value> is a binary OR of the values in the following table and is represented as a decimal value. And <Some Path> is a string that is composed of literal strings and wild cards, that is defined in the following tables, and that represents an HTTP, FILE, or LDAP URL, or a UNC path.

Numeric prefix value	ADM element
0x00000001	Config_CA_CDP_Publish_To_Base and OnNextRestart_Config_CA_CDP_Publish_To_Base
0x00000002	Config_CA_CDP_Include_In_Cert and OnNextRestart_Config_CA_CDP_Include_In_Cert
0x00000040	Config_CA_CDP_Publish_To_Delta and OnNextRestart_Config_CA_CDP_Publish_To_Delta
0x00000008	Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension and OnNextRestart_Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension
0x00000004	Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension and OnNextRestart_Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension
0x00000080	Config_CA_CDP_Include_In_CRL_IDP_Extension and OnNextRestart_Config_CA_CDP_Include_In_CRL_IDP_Extension

Wild card	Meaning
%1	The FQDN of the server on which the CA is installed.
%2	The NetBIOS name of the server on which the CA is installed.
%3	The name of the CA.
%4	The certificate name.
%6	The DN name of the configuration container.
%7	The truncated name of the CA.
%8	The signing key identifier, which is enclosed in (), of the CA.
%9	Append + character suffix.
%10	The AD CRL and delta CRL object class.
%11	The class name for the AD object of the CA.

EnrollmentAgentRights

ADM Datum: Config_Permissions_Enrollment_Agent_Rights (defined in [MS-WCCE]).

Registry Value Type: REG_BINARY

Default Value: None.

Registry Value Mapping to ADM: A binary security descriptor that is defined in section 2.2.1.11.

No Value Semantics: No Enrollment Agent permissions are defined.

OfficerRights

ADM Datum: Config_Permissions_Officer_Rights (defined in [MS-WCCE]).

Registry Value Type: REG_BINARY

Default Value: None.

Registry Value Mapping to ADM: A binary security descriptor that is defined in section 2.2.1.11.

No Value Semantics: No Officer permissions are defined.

Security

ADM Datum: Config_Permissions_CA_Security (defined in [MS-WCCE]), and OnNextRestart_Config_Permissions_CA_Security

Registry Value Type: REG_BINARY

Default Value:

Standalone CA
- Builtin Administrators – Owner, Group, Administrator, Officer
- Everyone: Enroll
Enterprise CA
- Builtin Administrators – Owner, Group, Administrator, Officer
- Domain Administrators – Administrator, Officer
- Enterprise Administrators – Administrator, Officer
- Authenticated Users – Enroll

Registry Value Mapping to ADM: A binary security descriptor with permissions that are defined as follows.

Permission	Bit value
Read	0x00000100
Enroll	0x00000200
Officer	0x00000002
Administrator	0x00000001
Auditor	0x00000004
Operator	0x00000008

No Value Semantics: None defined.

AuditFilter

ADM Datum: Config_CA_Audit_Filter and OnNextRestart_Config_CA_Audit_Filter

Registry Value Type: REG_DWORD

Default Value: None.

Registry Value Mapping to ADM: Specified in section 3.1.4.2.10.

No Value Semantics: No auditing occurs.

CAType

ADM Datum: Config_CA_Type and OnNextRestart_Config_CA_Type

Registry Value Type: REG_DWORD

Default Value: None.

Provisioning: Populated by the CA installation, based upon a selection made by the administrator.

Registry Value Mapping to ADM:

ENUM_ENTERPRISE_ROOTCA = 0x00000000
ENUM_ENTERPRISE_SUBCA = 0x00000001
ENUM_STANDALONE_ROOTCA = 0x00000003
ENUM_STANDALONE_SUBCA = 0x00000004

No Value Semantics: Value always present.

CommonName

ADM Datum: Config_CA_Common_Name and OnNextRestart_Config_CA_Common_Name

Registry Value Type: REG_SZ

Default Value: None.

Provisioning: Populated by the CA installation, based upon a selection made by the administrator.

Registry Value Mapping to ADM: Value is set to installed CA name.

No Value Semantics: Value always present.

CRLDeltaNextPublish

ADM Datum: Config_CA_CRL_Delta_Next_Publish and OnNextRestart_Config_CA_CRL_Delta_Next_Publish

Registry Value Type: REG_BINARY

Default Value: Installed filetime plus 1 day.

Registry Value Mapping to ADM: Specified in section 3.1.4.2.14.

No Value Semantics: Value always present is re-created based on calculations specified in section 3.1.4.1.6.

CRLNextPublish

ADM Datum: Config_CA_CRL_Next_Publish and OnNextRestart_Config_CA_CRL_Next_Publish

Registry Value Type: REG_BINARY

Default Value: Installed filetime plus 1 week.

Registry Value Mapping to ADM: Specified in section 3.1.4.2.14.

No Value Semantics: Value is re-created based on calculations specified in section 3.1.4.1.6.

CRLDeltaPeriod and CRLDeltaPeriodUnits

ADM Datum: Config_Delta_CRL_Validity_Period

Registry Value Type: CRLDeltaPeriod is REG_SZ, and CRLDeltaPeriodUnits is REG_DWORD

Default Value: CRLDeltaPeriodUnits = 1; CRLDeltaPeriod = "Days"

Registry Value Mapping to ADM: CRLDeltaPeriod contains the string representation of the "periods of time" in which the Config_Delta_CRL_Validity_Period is expressed. Valid values are Seconds, Minutes, Hours, Days, Weeks, or Months. CRLDeltaPeriodUnits contains the number of those periods of time. For example, see "Default Value" above.

No Value Semantics: Hardcoded default values equal to "Default Value", above, are used

CRLPeriod and CRLPeriodUnits

ADM Datum: Config_Base_CRL_Validity_Period

Registry Value Type: CRLPeriod is REG_SZ, and CRLPeriodUnits is REG_DWORD.

Default Value: CRLPeriodUnits = 1; CRLPeriod = "Weeks".

Registry Value Mapping to ADM: CRLPeriod contains the string representation of the "periods of time" in which the Config_Base_CRL_Validity_Period is expressed. Valid values are Seconds, Minutes, Hours, Days, Weeks, or Months. CRLPeriodUnits contains the number of those periods of time. For example, see "Default Value" above.

No Value Semantics: Hardcoded default values equal to "Default Value" above, are used.

HighSerial

ADM Datum: Config_High_Serial_Number, Config_High_Serial_String, OnNextRestart_Config_High_Serial_Number, and OnNextRestart_Config_High_Serial_String

Registry Value Type: REG_DWORD

Default Value: The value does not exist by default. It is created manually using registry methods.

Registry Value Mapping to ADM: Defined in [MS-WCCE] section 3.2.1.4.2.1.4.6.

No Value Semantics: Same as registry value of 0.

InterfaceFlags

ADM Datum: Config_CA_Interface_Flags and OnNextRestart_Config_CA_Interface_Flags.

Registry Value Type: REG_DWORD

Default Value: 0x41

Registry Value Mapping to ADM: Defined in section 3.1.4.2.14.

No Value Semantics: No interface flags in effect.

KRAFlags

ADM Datum: Config_CA_KRA_Flags and OnNextRestart_Config_CA_KRA_Flags.

Registry Value Type: REG_DWORD

Default Value: 0

Registry Value Mapping to ADM: Defined in section 3.1.4.2.14.

No Value Semantics: No KRA flags in effect.

SetupStatus

ADM Datum: Config_Setup_Status and OnNextRestart_Config_Setup_Status.

Registry Value Type: REG_DWORD

Default Value: By default, for a complete CA installation, the value is 1.

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: Value always present.

SubjectTemplate

ADM Datum: Config_CA_DN_Order_String

Registry Value Type: REG_MULTI_SZ

Default Value: Email

CommonName

OrganizationalUnit

Organization

Locality

State

DomainComponent

Country

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: Value always present.

CRLDeltaOverlapPeriod and CRLDeltaOverlapUnits

ADM Datum: Config_Delta_CRL_Overlap_Period

Registry Value Type: CRLDeltaOverlapPeriod is REG_SZ, and CRLDeltaOverlapUnits is REG_DWORD.

Default Value: CRLDeltaOverlapUnits = 0; CRLDeltaOverlapPeriod = "Minutes".

Registry Value Mapping to ADM: CRLDeltaOverlapPeriod contains the string representation of the "periods of time" in which the Config_Delta_CRL_Overlap_Period is expressed. Valid values are Seconds, Minutes, Hours, Days, Weeks, or Months. CRLDeltaOverlapUnits contains the number of those periods of time. For example, see "Default Value" above.

No Value Semantics: Hardcoded default values equal to "Default Value", above, are used.

CRLOverlapPeriod and CRLOverlapUnits

ADM Datum: Config_Base_CRL_Overlap_Period

Registry Value Type: CRLOverlapPeriod is REG_SZ, and CRLOverlapUnits is REG_DWORD.

Default Value: CRLOverlapUnits = 0; CRLOverlapPeriod = "Hours"

Registry Value Mapping to ADM: CRLOverlapPeriod contains the string representation of the "periods of time" in which the Config_Base_CRL_Overlap_Period is expressed. Valid values are Seconds, Minutes, Hours, Days, Weeks, or Months. CRLOverlapUnits contains the number of those periods of time. For example, see "Default Value" above.

No Value Semantics: Hardcoded default values equal to "Default Value", above, are used.

CRLAttemptRepublish

ADM Datum: OnNextRestart_Config_CA_CRL_Attempt_Republish

Registry Value Type: REG_DWORD

Default Value: By default the element is absent. Windows instantiates the value upon the first unsuccessful CRL publishing attempt per the processing rules in section 3.1.4.1.6.

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: Same as value of 0.

Maximum Value: 10

KRACertCount

ADM Datum: Config_CA_KRA_Cert_Count

Registry Value Type: REG_DWORD

Default Value: 0

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: No KRA certificates available for encryption.

KRACertHash

ADM Datum: Config_CA_KRA_Cert_List

Registry Value Type: REG_MULTI_SZ

Default Value: Empty by default.

Registry Value Mapping to ADM: Each of the multiple values in the registry is the hash of one of the KRA certificates in the list.

No Value Semantics: No KRA certificates available for encryption.

UseDS

ADM Datum: Config_CA_Use_DS and OnNextRestart_Config_CA_Use_DS

Registry Value Type: REG_DWORD

Default Value: For an enterprise CA (Config_CA_Type of 0 or 1), the value is 1. For a standalone CA (Config_CA_Type of 3 or 4), the value is 0.

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: Value always present.

CNGHashAlgorithm

ADM Datum: Config_CSP_CNG_Hash_Algorithm and OnNextRestart_Config_CSP_CNG_Hash_Algorithm

Registry Value Type: REG_SZ

Default Value: None

Provisioning: If the administrator has selected a CNG provider as the Config_CSP_Provider, this value is populated by the CA installation, based upon another selection made by the administrator. If the administrator has selected a CryptoAPI CSP as the Config_CSP_Provider, this value is provisioned with no value (null).

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: If there is no Config_CSP_CNG_Hash_Algorithm value, then this means the CA uses a CryptoAPI CSP and not a CNG provider. In this case, Config_CSP_Hash_Algorithm will contain the identifier of the CA hash algorithm.

HashAlgorithm

ADM Datum: Config_CSP_Hash_Algorithm and OnNextRestart_Config_CSP_Hash_Algorithm

Registry Value Type: REG_DWORD

Default Value: None

Provisioning: If the administrator has selected a CryptoAPI CSP as the Config_CSP_Provider, this value is populated by the CA installation, based upon another selection made by the administrator. If the administrator has not selected a CryptoAPI CSP as the Config_CSP_Provider, this value is initialized to 0xffffffff.

Registry Value Mapping to ADM: The value in the registry is either 0xffffffff or the algid (algorithm identifier) that corresponds to the hash algorithm used by the CA.

0xffffffff – no value. The CA has been installed with a CNG provider, so Config_CSP_CNG_Hash_Algorithm contains the name of the CA hash algorithm.

Algids of supported hash algorithms are as follows:

MD2 0x8001

MD5 0x8003

SHA1 0x8004

SHA256 0x8012

SHA384 0x8013

SHA512 0x8014

No Value Semantics: The element always exists.

Provider

ADM Datum: Config_CSP_Provider and OnNextRestart_Config_CSP_Provider

Registry Value Type: REG_SZ

Default Value: Populated by the CA installation, based upon a selection made by the administrator.

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: Element always exists.

Values under:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_CN>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\RequestDisposition

where <CA_CN> is replaced with the common name (CN) of the CA. The values are as follows:

RequestDisposition

ADM Datum: OnNextRestart_Config_CA_Requests_Disposition

Registry Value Type: REG_DWORD

Default Value: For an enterprise CA (Config_CA_Type of 0 or 1), the value is 0x00000001. For a standalone CA (Config_CA_Type of 3 or 4), the value is 0x00000101.

Registry Value Mapping to ADM: The value of the registry equals the value of the OnNextRestart_Config_CA_Requests_Disposition datum.

No Value Semantics: The OnNextRestart_Config_CA_Requests_Disposition datum value is set to 0x00000101 (REQDISP_PENDINGFIRST | REQDISP_ISSUE).

ProviderType

ADM Datum: Config_CSP_ProviderType and OnNextRestart_Config_CSP_ProviderType

Registry Value Type: REG_DWORD

Default Value: Populated by the CA installation based upon the selection of Provider made by the administrator. A value of 0 means the provider is a CNG provider. A nonzero value means the provider is a legacy CryptoAPI CSP.

Registry Value Mapping to ADM: The value in the registry equals the ADM datum value.

No Value Semantics: Element always exists.

Values under:

  
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_CN>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags

where <CA_CN> is replaced with the CN of the CA. The values are as follows:

EditFlags

ADM Datum: Multiple, see Registry Value Mapping to ADM.

Registry Value Type: REG_DWORD

Default Value: The flags that are defined here for this value are not set by default.

Registry Value Mapping to ADM: 0x00000020 – If this bit is set, Config_CA_Accept_Request_Attributes_ValidityTime (defined in [MS-WCCE]) is set to true. Otherwise, it is set to false.

0x00008000 – If this bit is set, Config_CA_Accept_Request_Attributes_Extensions (defined in [MS-WCCE]) is set to true. Otherwise, it is set to false.

0x00040000 – If this bit is set, Config_CA_Accept_Request_Attributes_SAN (defined in [MS-WCCE]) is set to true. Otherwise, it is set to false.

0x00080000 – If this bit is set, Config_AD_Connection_Referral (defined in [MS-WCCE]) is set to true. Otherwise, it is set to false

0x02000000 – If this bit is set, Config_CA_Allow_RenewOnBehalfOf_Requests is set to true.

No Value Semantics: All ADM elements that are controlled by this value are set to false.

Values under:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_CN>\CRLFlags

where <CA_CN> is replaced with the CN of the CA. The values are as follows:

CRLEditFlag

ADM Datum: Config_CA_Accept_Request_Attributes_Other (defined in [MS-WCCE])

Registry Value Type: REG_DWORD

Default Value: The flags that are defined here for this value are not set by default.

Registry Value Mapping to ADM: 0x00010000 – If this bit is set, Config_CA_Accept_Request_Attributes_Other (defined in [MS-WCCE]) is set to true. Otherwise, it is set to false.

No Value Semantics: All ADM elements that are controlled by this value are set to false.

Values under:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_CN>\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\PublishCertFlags

where <CA_CN> is replaced with the CN of the CA. The values are as follows:

PublishCertFlags

ADM Datum: Config_CA_Accept_Request_Attributes_CertPath (defined in [MS-WCCE])

Registry Value Type: REG_DWORD

Default Value: The flags that are defined here for this value are not set by default.

Registry Value Mapping to ADM: 0x00000001 – If this bit is set, Config_CA_Accept_Request_Attributes_CertPath (defined in [MS-WCCE]) is set to true. Otherwise, it is set to false.

No Value Semantics: All ADM elements that are controlled by this value are set to false.

Values under:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_CN>\ExitModules

where <CA_CN> is replaced with the CN of the CA. The values are as follows:

Active

ADM Datum: See "Registry Value Mapping to ADM."

Registry Value Type: REG_MULTI_SZ

Default Value: CertificateAuthority_MicrosoftDefault.Exit

Registry Value Mapping to ADM: The names of the COM classes implementing the ICertExit interface and used as exit algorithms on the CA comprise Config_CA_Exit_Algorithm_Implementation_List and OnNextRestart_Config_CA_Exit_Algorithm_Implementation_List.

The number of entries in this value sets the Config_CA_Exit_Count.

No Value Semantics: No exit algorithms are installed on the CA.

Values under:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_CN>\PolicyModules

where <CA_CN> is replaced with the CN of the CA. The values are as follows:

Active

ADM Datum: Config_CA_Policy_Algorithm_Implementation and OnNextRestart_Config_CA_Policy_Algorithm_Implementation

Registry Value Type: REG_SZ

Default Value: CertificateAuthority_MicrosoftDefault.Policy

Registry Value Mapping to ADM: The registry value contains the name of the COM class that implements the ICertPolicy interface and is used at the policy algorithm on the CA.

No Value Semantics: Unsupported; a Windows CA always has at least one policy module.

<12> Section 3.1.1.10: Config_CA_Allow_RenewOnBehalfOf_Requests is supported by applicable Windows Server releases except Windows 2000 Server, Windows Server 2003, and Windows Server 2008.

<13> Section 3.1.1.10: Added the four new ADM elements that support Certificate Transparency to the Configuration table for Windows Server 2019 and later: Config_CertificateTransparency_Enabled, Config_CertificateTransparency_Disable_SCTList_Validation, Config_CertificateTransparency_Max_SCTList_Size, and Config_CertificateTransparency_Info_Extension_Oid.

<14> Section 3.1.3: The DCOM security descriptor is accessed from the registry location HKLM\SOFTWARE\Microsoft\Ole\:

Value: MachineAccessRestriction
Values added
COM_RIGHTS_EXECUTE | COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_EXECUTE_REMOTE
and
Value: MachineLaunchRestriction
Values added
COM_RIGHTS_EXECUTE | COM_RIGHTS_ACTIVATE_LOCAL | COM_RIGHTS_ACTIVATE_REMOTE
where
COM_RIGHTS_EXECUTE maps to the value of 1
COM_RIGHTS_EXECUTE_LOCAL maps to the value of 2
COM_RIGHTS_EXECUTE_REMOTE maps to the value of 4
COM_RIGHTS_ACTIVATE_LOCAL maps to the value of 8
COM_RIGHTS_ACTIVATE_REMOTE maps to the value of 16

<15> Section 3.1.3: Upon service startup, the Windows CA reads the configuration values from the registry location "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\".

<16> Section 3.1.4.1: The supported clients are Windows 2000 Professional, Windows XP, Windows Vista with Admin Pack, and Windows 7 and later. The supported servers are Windows 2000 Server and later.

<17> Section 3.1.4.1: In Windows 2000 Server and later, the error is E_ACCESSDENIED (0x80070005).

<18> Section 3.1.4.1: In applicable Windows Server releases, except Windows 2000 Server, the error is E_ACCESSDENIED (0x80070005). Windows 2000 Server does not return an error.

<19> Section 3.1.4.1: The operating systems specified in [MSFT-CVE-2022-37976], each with their related KB article download installed, and the Active Directory Certificate Services elevation of privilege vulnerability mitigation described therein, requires that clients MUST connect with the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level or the connection to the CA server will be denied, regardless of the IF_ENFORCEENCRYPTICERTADMIN (section 3.1.4.2.14) setting.

<20> Section 3.1.4.1: In applicable Windows Server releases, except Windows 2000 Server, the error is E_ACCESSDENIED (0x80070005). Windows 2000 Server does not return an error.

<21> Section 3.1.4.1.3: In Windows Server 2003, the CA places 0x80094004 in the pdwDisposition parameter and returns successfully. In Windows Server 2008 and later, the CAs place 0 in the pdwDisposition parameter and return 0x80094004 as the error code.

<22> Section 3.1.4.1.4: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 set the Request_Status_Code to 0x0 (S_OK).

<23> Section 3.1.4.1.6: In a Windows 2000 CA, CRL creation can be disabled by setting the Config_Base_CRL_Validity_Period to 0. In a Windows 2000 CA, if the Microsoft default exit module "CertificateAuthority_MicrosoftDefault.Exit" is not active (that is, not included in the ADM element Config_CA_Exit_Algorithm_Implementation_List), then no CRLs are published. The setting Config_CA_Exit_Algorithm_Implementation_List has no effect on PublishCRL behavior in Windows Server 2003 and later. If CRLs are disabled, certificates issued by the CA cannot be used for applications that require CRL–based revocation checking.

<24> Section 3.1.4.1.6: The Windows 2000 CA does not have a CRL table; therefore, it does not create or update a CRL table entry.

<25> Section 3.1.4.1.6: The Windows CA uses a default clock skew (Config_CA_Clock_Skew_Minutes) of 10 minutes. The Windows CA defines this value in the registry as follows:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
 \CertSvc\Configuration{CA Name}\ClockSkewMinutes  (REG_DWORD)

<26> Section 3.1.4.1.6: By default, the Config_Base_CRL_Overlap_Period and Config_Delta_CRL_Overlap_Period values are not defined. The Windows CA keeps these overlap periods in the following registry values:

 HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\
 REG_SZ        CRLOverlapPeriod
 REG_DWORD     CRLOverlapPeriodUnits
 REG_SZ        CRLDeltaOverlapPeriod
 REG_DWORD     CRLDeltaOverlapPeriodUnits

<27> Section 3.1.4.1.6: The Windows CA for uses a default clock skew (Config_CA_Clock_Skew_Minutes) of 10 minutes. The Windows CA defines this value in the registry as follows:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration{CA Name}\ClockSkewMinutes  (REG_DWORD)

<28> Section 3.1.4.1.6: Differing from [RFC3280] section 5, a Windows 2000 CA does not populate the CRL number extension.

<29> Section 3.1.4.1.6: A Windows 2000 CA does not create delta CRLs.

<30> Section 3.1.4.1.6: The Windows CA keeps this list of CDP locations in a registry multistring value.

 HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\
 {CA Name}\CRLPublicationURLs

A specific protocol method does not exist to manipulate this list. Instead, the Windows CA uses the typical registry manipulation tools.

The default values used by the Windows CA are a local path on the CA machine,

 {SYSTEM}\CertSrv\CertEnroll\

a local path in the registry,

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\

and the Active Directory path,

 ldap: ///CN={CAName}{CRLNameSuffix},CN={CAServerName},CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC={contoso},DC=com

where:

SYSTEM is replaced with the system directory of the CA machine, such as "C:\Windows\System32".
CAName is replaced with the sanitized name of the CA, as defined in [MS-WCCE] sections 1.3.2.5 and 3.1.1.4.1.1.
{CRLNameSuffix} is replaced with NULL if the CRL is signed by the first CA key (CA key with key index 0) and by "(n)" if the CRL is signed by any subsequent CA key, with {n} being an integer equal to the identifier (Signing_Private_Key_Version_ID, as defined in [MS-WCCE] section 3.2.1.1.3) of the CA certificate private key.
CAServerName is replaced with the name of the host on which the CA is running.
DC={contoso},DC=com is replaced with the name space of the Active Directory domain in which the Windows CA is installed.

<31> Section 3.1.4.1.6: For the Windows CA, the error code will be in the form of a 2-byte WIN32 error code (as specified in [MS-ERREF] section 2.2), such as 0x2098, which means "Insufficient access rights to perform the operation". This will then be converted to an HRESULT (4 byte) error code (as specified in [MS-ERREF] section 2.1), such as 0x80072098. Note that the first 2 bytes, the "0x8007" portion of the HRESULT value, have nothing to do with the error condition and are determined by the Severity and Facility bits, as defined in [MS-ERREF] section 2.1.

<32> Section 3.1.4.1.6: The Windows CA publishes CRLs to LDAP paths in Active Directory as follows:

The path the server expects is

 ldap: ///CN={CAName}{CRLNameSuffix},CN={CAServerShortName},CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC={contoso},DC=com{CDPObjectClass}

where:

"{CAName}" is replaced with the sanitized name of the CA, as defined in [MS-WCCE] sections 1.3.2.5 and 3.1.1.4.1.1.

"{DeltaIndicator}" is replaced with NULL for a base CRL and "+" for a delta CRL.

"{CRLNameSuffix}" is replaced with NULL if the CRL is signed by the first CA key (CA key with key index 0) and by "(n)" if the CRL is signed by any subsequent CA key.

where "n" is replaced with an integer equal to the identifier (Signing_Private_Key_Version_ID, as defined in [MS-WCCE] section 3.2.1.1.2) of the CA certificate private key.

"{CAServerName}" is replaced with the name of the host on which the CA is running.

"DC={contoso},DC=com" is replaced with the DN of the forest root domain naming context (NC) of the Active Directory forest in which the Microsoft CA is installed.

The forest root domain NC is defined in section 1.1 of [MS-ADTS].

For example, the DN of the forest root domain NC of a forest called "corp.contoso.com" is "DC=corp,DC=contoso,DC=com".

{CDPObjectClass} is replaced with "?certificateRevocationList?base?objectClass=cRLDistributionPoint" for a base CRL and with "?deltaRevocationList?base?objectClass=cRLDistributionPoint" for a delta CRL.

The object class cRLDistributionPoint is as defined in [MS-ADSC]. The attribute certificateRevocationList is defined in [MS-ADA1].

The attribute deltaRevocationList is defined in [MS-ADA1].

The deltaRevocationList attribute is not used by the Windows 2000 version of the CA. The Windows Server 2003 and later versions of the CA use both base CRL and delta CRL attributes.

Within the certificateRevocationList or deltaRevocationList attribute, the CRL is encoded by using DER.

For any ldap:/// write operation, if the LDAP write operation returns an error that indicates the LDAP server is down or otherwise unavailable, CAs on all applicable Windows Server releases, except in the case of Windows 2000 Server, will attempt to rebind (create a new LDAP handle) and retry another LDAP write. The Windows CA in Windows 2000 does not perform LDAP handle caching and a single retry with a new LDAP handle.

<33> Section 3.1.4.1.6: CAs on applicable Windows Server releases, with the exception of a Windows 2000 CA, will perform this one-time retry logic for LDAP if the LDAP call returns one of the following ldap error codes: LDAP_SERVER_DOWN (0x51), or LDAP_UNAVAILABLE (0x34), or LDAP_TIMEOUT (0x55). The Windows 2000 CA does not perform this one-time LDAP retry logic.

<34> Section 3.1.4.1.6: The Windows 2000 CA does not have a CRL table. Therefore, it does not create or update data elements for a CRL table.

<35> Section 3.1.4.1.7: The Windows 2000 CA retrieves the most recent base CRL from the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\. The Windows Server 2003 and later versions of the CA retrieve the most recent base CRL (CRLRawCRL) from the CRL table.

<36> Section 3.1.4.1.8: Windows allows serial numbers longer than 20 octets.

<37> Section 3.1.4.1.8: The parameter value 0xfffffffd is valid for CAs on applicable Windows Server releases, with the exception of Windows 2000 Server and Windows Server 2003. If this value is used on a Windows Server 2003 CA, the CA fails with return code ERROR_INVALID_PARAMETER (0x80070057).

<38> Section 3.1.4.1.8: The parameter value 0xfffffffe is valid for CAs on applicable Windows Server releases, with the exception of Windows 2000 Server and Windows Server 2003. If this value is used on a Windows Server 2003 CA, the CA fails with return code ERROR_INVALID_PARAMETER (0x80070057).

<39> Section 3.1.4.1.10: All applicable Windows Server releases, with the exception of Windows 2000 Server, send the column identifiers as the following DWORD array.

              
 {0x00001000, 0x00001010, 0x0000100b, 0x00001008, 0x0000100a, 
  0x00002003, 0x0000101a, 0x00001022, 0x00001019, 0x00001018, 
  0x0000101b,0x0000101c, 0x00001017, 0x00001001}

These identifiers correspond to the following columns in the Request table:

"Request.RequestID", "Request.RequesterName", "Request.SubmittedWhen", "Request.StatusCode", "Request.DispositionMessage", "CertificateTemplate", "Request.CommonName", "Request.EMail", "Request.OrgUnit", "Request.Organization", "Request.Locality", "Request.State", "Request.Country", "Request.RawRequest"

Windows 2000 Server sends the column identifiers as the following DWORD array.

              
 {0x00001000, 0x0000100f, 0x00002004, 0x00002006, 0x00002007, 
  0x00002011, 0x00002019, 0x00002010, 0x0000200f, 0x00002012
  0x00002013, 0x0000200e, 0x00002001}

These identifiers correspond to the following columns in the Request table:

"Request.RequestID", "Request.RequesterName", "SerialNumber", "NotBefore", "NotAfter", "CommonName", "EMail", "OrgUnit", "Organization", "Locality", "State", "Country", "RawCertificate"

<40> Section 3.1.4.1.10: All applicable Windows Server releases, with the exception of Windows 2000 Server, send the column identifiers as the following DWORD array.

              
 {0x00001000, 0x00001010, 0x00002006, 0x00002008, 0x00002009, 
  0x00002003, 0x00002016, 0x0000201e, 0x00002015, 0x00002014, 
  0x00002017, 0x00002018, 0x00002013, 0x00002001}

These identifiers correspond to the following columns in the Request table:

"Request.RequestID", "Request.RequesterName", "SerialNumber", "NotBefore", "NotAfter", "CertificateTemplate", "CommonName", "EMail", "OrgUnit","Organization", "Locality", "State", "Country", "RawCertificate"

Windows 2000 Server sends the column identifiers as the following DWORD array.

 {0x00001000, 0x0000100f, 0x00002004, 0x00002006, 0x00002007, 
  0x00002011, 0x00002019, 0x00002010, 0x0000200f, 0x00002012, 
  0x00002013, 0x0000200e, 0x00002001}

These identifiers correspond to the following columns in the Request table:

"Request.RequestID", "Request.RequesterName", "SerialNumber", "NotBefore", "NotAfter", "CommonName", "EMail", "OrgUnit","Organization", "Locality", "State", "Country", "RawCertificate"

<41> Section 3.1.4.1.10: All applicable Windows Server releases, with the exception of Windows 2000 Server, send the column identifiers as the following DWORD array.

              
 {0x00001000, 0x00001010, 0x0000100b, 0x00001008, 0x0000100a, 
  0x00002003, 0x0000101a, 0x00001022, 0x00001019, 0x00001018, 
  0x0000101b, 0x0000101c, 0x00001017, 0x00001001, }

These identifiers correspond to the following columns in the Request table:

Windows 2000 Server sends the column identifiers as the following DWORD array.

              
 {0x00001000, 0x0000100f, 0x0000100a, 0x00001009, 0x00001017,
  0x0000101f, 0x00001016, 0x00001015, 0x00001018, 0x00001019,
  0x00001014, 0x00001001}

These identifiers correspond to the following columns in the Request table:

"Request.RequestID", "Request.RequesterName", "Request.SubmittedWhen", "Request.DispositionMessage", "Request.CommonName", "Request.EMail", "Request.OrgUnit", "Request.Organization", "Request.Locality", "Request.State", "Request.Country", "Request.RawRequest"

<42> Section 3.1.4.1.10: All applicable Windows Server releases, with the exception of Windows 2000 Server, send the column identifiers as the following DWORD array.

              
 {0x00004000, 0x00004001, 0x00004002, 0x00004003}

These identifiers correspond to the following columns in the Extension table:

"ExtensionRequestId", "ExtensionName", "ExtensionFlags", "ExtensionRawValue"

Windows 2000 Server returns E_INVALIDARG for this value of the iColumnSetDefault parameter.

<43> Section 3.1.4.1.10: All applicable Windows Server releases, with the exception of Windows 2000 Server, send the column identifiers as the following DWORD array.

              
 {0x00003000, 0x00003001, 0x00003002}

These identifiers correspond to the following columns in the Attribute table:

"AttributeRequestId", "AttributeName", "AttributeValue"

Windows 2000 Server returns E_INVALIDARG for this value of the iColumnSetDefault parameter.

<44> Section 3.1.4.1.10: All applicable Windows Server releases, with the exception of Windows 2000 Server, send the column identifiers as the following DWORD array.

              
 {0x00005000, 0x00005001, 0x00005002, 0x00005003, 0x00005004,
  0x00005005, 0x00005006, 0x00005007, 0x00005008, 0x00005009,
  0x0000500a, 0x0000500b, 0x0000500c, 0x0000500d, 0x0000500e,
  0x0000500f, 0x00005010}

These identifiers correspond to the following columns in the CRL table:

"CRLRowId", "CRLNumber", "CrlMinBase", "CRLNameId", "CrlCount", "CRLThisUpdate", "CRLNextUpdate", "CRLThisPublish", "CRLNextPublish", "CRLEffective", "CRLPropagationComplete", "CRLLastPublish", "CRLPublishAttempts", "CRLPublishFlags", "CRLPublishStatusCode", "CRLPublishError", "CRLRawCRL"

Windows 2000 Server returns E_INVALIDARG for this value of the iColumnSetDefault parameter.

<45> Section 3.1.4.1.10: All applicable Windows Server releases, with the exception of Windows 2000 Server, send the column identifiers as the following DWORD array.

              
 {0x00001000, 0x00001010, 0x00002006, 0x00002008, 0x00002009,
  0x00002003, 0x00002016, 0x0000201e, 0x00002015,
  0x00002014, 0x00002017, 0x00002018, 0x00002013, 0x00002001,
  0x0000100d, 0x0000100e, 0x0000100f}

These identifiers correspond to the following columns in the Request table:

"Request.RequestID", "Request.RequesterName", "SerialNumber", "NotBefore", "NotAfter", "CertificateTemplate", "OrgUnit", "DomainComponent", "Organization", "Country", "CommonName", "Locality", "RawName", "RawCertificate", "Request.RevokedWhen", "Request.RevokedEffectiveWhen", "Request.RevokedReason"

Windows 2000 Server returns E_INVALIDARG for this value of the iColumnSetDefault parameter.

<46> Section 3.1.4.1.18: In all applicable Windows Server releases, with the exception of Windows 2000 Server, the error is E_ACCESSDENIED (0x80070005). Windows 2000 does not return an error.

<47> Section 3.1.4.1.18: In all applicable Windows Server releases, with the exception of Windows 2000 Server, the CA defines local configuration to restrict programmatic access to some backup-related methods from a remote computer.

The Windows CA enforces this restriction based on the value of the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\InterfaceFlags

Value	Meaning
0x00000000	The CA does not restrict access to the methods listed for the following servers.
0x00000040	The CA restricts access to the methods listed for the following servers.

<48> Section 3.1.4.1.19: In all applicable Windows Server releases, with the exception of Windows 2000 Server, the error is E_ACCESSDENIED (0x80070005). Windows 2000 does not return an error.

<49> Section 3.1.4.1.19: In all applicable Windows Server releases, with the exception of Windows 2000 Server, the CA defines local configuration to restrict programmatic access to some backup-related methods from a remote computer.

On Windows, the CA enforces this restriction based on the value of the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\InterfaceFlags

Value	Meaning
0x00000000	The CA does not restrict access to the methods listed for the following servers.
0x00000040	The CA restricts access to the methods listed for the following servers.

<50> Section 3.1.4.1.20: In applicable Windows Server releases, the Windows CA defines local configuration to restrict programmatic access to some backup-related methods from a remote computer.

On Windows, the CA enforces this restriction based on the value of the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\InterfaceFlags

Value	Meaning
0x00000000	The CA does not restrict access to the methods listed for the following servers.
0x00000040	The CA restricts access to the methods listed for the following servers.

<51> Section 3.1.4.1.20: In Windows Server 2003 the error is ERROR_UNEXPECTED_ERROR (0x8000FFFF). In Windows Server 2008 and later, the error is E_ACCESSDENIED (0x80070005). Windows 2000 does not return an error.

<52> Section 3.1.4.1.21: In all applicable Windows Server releases, with the exception of Windows 2000 Server, the CA defines local configuration to restrict programmatic access to some backup-related methods from a remote computer.

On Windows, the CA enforces this restriction based on the value of the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\InterfaceFlags

Value	Meaning
0x00000000	The CA does not restrict access to the methods listed for the following servers.
0x00000040	The CA does restrict access to the methods listed for the following servers.

<53> Section 3.1.4.1.21: In Windows Server 2003, the error is ERROR_UNEXPECTED_ERROR (0x8000FFFF). In Windows Server 2008 and later, the error is E_ACCESSDENIED (0x80070005). Windows 2000 does not return an error.

<54> Section 3.1.4.1.22: In all applicable Windows Server releases, with the exception of Windows 2000 Server, the CA defines local configuration to restrict programmatic access to some backup-related methods from a remote computer.

On Windows, the CA enforces this restriction based upon the value of the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\InterfaceFlags

Value	Meaning
0x00000000	The CA does not restrict access to the methods listed for the following servers.
0x00000040	The CA restricts access to the methods listed for the following servers.

<55> Section 3.1.4.1.22: In Windows Server 2003, the error is ERROR_UNEXPECTED_ERROR (0x8000FFFF). In Windows Server 2008 and later, the error is E_ACCESSDENIED (0x80070005). Windows 2000 does not return an error.

<56> Section 3.1.4.1.23: In all applicable Windows Server releases, with the exception of Windows 2000 Server, the CA defines local configuration to restrict programmatic access to some backup-related methods from a remote computer.

On Windows, the CA enforces this restriction based on the value of the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\InterfaceFlags

Value	Meaning
0x00000000	The CA does not restrict access to the methods listed for the following servers.
0x00000040	The CA restricts access to the methods listed for the following servers.

<57> Section 3.1.4.1.23: In Windows Server 2003, the error is ERROR_UNEXPECTED_ERROR (0x8000FFFF). In Windows Server 2008 and later, the error is E_ACCESSDENIED (0x80070005). Windows 2000 does not return an error.

<58> Section 3.1.4.1.24: In Windows Server 2008 and later, the error is E_ACCESSDENIED (0x80070005). Windows Server 2003 and Windows 2000 do not return an error.

<59> Section 3.1.4.1.25: In Windows Server 2003, the error is ERROR_UNEXPECTED_ERROR (0x8000FFFF). In Windows Server 2008 and later, the error is E_ACCESSDENIED (0x80070005). Windows 2000 does not return an error.

<60> Section 3.1.4.1.25: In all applicable Windows Server releases, with the exception of Windows 2000 Server, the CA defines local configuration to restrict programmatic access to some backup-related methods from a remote computer.

On Windows, the CA enforces this restriction based upon the value of the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\InterfaceFlags

Value	Meaning
0x00000000	The CA does not restrict access to the methods listed for the following servers.
0x00000040	The CA restricts access to the methods listed for the following servers.

<61> Section 3.1.4.1.26: On Windows, the CA maintains local configuration to allow or prevent the importing of foreign certificates, regardless of the value of dwFlags. The configuration is stored in the registry at the location that is specified in the following code example. If the registry value is set to 1, the ImportCertificate method works as documented. If it is set to 0, the FLAG_ALLOW_IMPORT_FOREIGN flag that is passed as a parameter has no effect, and 0x800b0107 is returned.

              
 HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}
 \KRAFlags (REG_DWORD)

<62> Section 3.1.4.1.26: On Windows, the CA maintains local configuration to allow or prevent the importing of foreign certificates regardless of the value of dwFlags. The configuration is stored in the registry at the location specified in the following code example. If the registry value is set to 1, the ImportCertificate method works as documented. If it is set to 0, the FLAG_ALLOW_IMPORT_FOREIGN flag that is passed as a parameter does not have an effect, and 0x800b0107 is returned.

              
 HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}
 \KRAFlags (REG_DWORD)

<63> Section 3.1.4.1.27: In Windows Server 2008 and later, the error is E_ACCESSDENIED (0x80070005). Windows Server 2003 and Windows 2000 do not return an error.

<64> Section 3.1.4.1.28: In Windows Server 2008 and later, the error is E_ACCESSDENIED (0x80070005). Windows Server 2003 and Windows 2000 do not return an error.

<65> Section 3.1.4.2: All Windows client releases are supported with the exception of Windows 2000 Professional. All applicable Windows Server releases are supported, with the exception of Windows 2000 Server.

<66> Section 3.1.4.2: In Windows 2000 and later, the error is E_ACCESSDENIED (0x80070005).

<67> Section 3.1.4.2: The operating systems specified in [MSFT-CVE-2022-37976], each with their related KB article download installed, and the Active Directory Certificate Services elevation of privilege vulnerability mitigation described therein, requires that clients MUST connect with the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level or the connection to the CA server will be denied, regardless of the IF_ENFORCEENCRYPTICERTADMIN (section 3.1.4.2.14) setting.

<68> Section 3.1.4.2: In Windows Server 2003 and later, the error is E_ACCESSDENIED (0x80070005). Windows 2000 does not return an error.

<69> Section 3.1.4.2.1: On Windows, the CA keeps this list in a registry multistring value.

 HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\
 {CA Name}\CRLPublicationURLs

A specific protocol method does not exist to manipulate this list. Instead, the Microsoft CA uses typical registry manipulation tools.

The default values that are used by the Microsoft CA are a local path on the CA machine,

 {SYSTEM}\CertSrv\CertEnroll\

a local path in the registry,

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\

and the Active Directory path,

              
 ldap: ///CN={CAName}{index},CN={CAServerName},CN=CDP,
 CN=Public Key Services,CN=Services,CN=Configuration,DC={contoso},DC=com

where:

SYSTEM is replaced with the system directory of the CA machine, such as "C:\Windows\System32".
CAName is replaced with the sanitized name of the CA, as defined in [MS-WCCE] sections 1.3.2.5 and 3.1.1.4.1.1.
{CRLNameSuffix} is replaced with NULL if the CRL is signed by the first CA key (the CA key that has a key index 0) and by "(n)" if the CRL is signed by any subsequent CA key, with {n} being an integer equal to the identifier (Signing_Private_Key_Version_ID, as defined in [MS-WCCE] section 3.2.1.1.3) of the CA certificate private key.
CAServerName is replaced with the name of the host on which the CA is running.
DC={contoso},DC=com is replaced with the namespace of the Active Directory domain in which the Microsoft CA is installed.

<70> Section 3.1.4.2.1: On Windows, the CA keeps this list in the following registry multistring value. Note that the value is the same as that specified in the preceding product behavior note.

 HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\
 {CA Name}\CRLPublicationURLs

<71> Section 3.1.4.2.5: This rule applies to a Windows Server 2008 or later CA. In Windows 2000 and Windows Server 2003, a CA will not enforce that cColumn is greater than 0. Rather, when cColumn is equal to zero, it will set pcColumn equal to zero, pctbColumnInfo->cb equal to 0, pctbColumnInfo->pb will point to a zero-length item, and the function will return successfully.

<72> Section 3.1.4.2.14: On Windows, the CA uses subkeys that use the following key as a node path:

  
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_
 CN>

where <CA_CN> is replaced with the CN of the CA.

<73> Section 3.1.4.2.14: On Windows, the CA uses a registry value name under the registry key that is composed by adding the value of the pwszNodePath parameter to the registry key:

  
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_
 CN>

where <CA_CN> is replaced with the CA's common name (CN).

<74> Section 3.1.4.2.14: Windows Server 2012 R2 without [MSKB-3013769] sends 0x00050001, whereas Windows Server 2012 R2 with [MSKB-3013769] sends 0x00060001.

7 Appendix B: Product Behavior

Additional resources