8 Change Tracking

This section identifies changes that were made to this document since the last release. Changes are classified as Major, Minor, or None.

The revision class Major means that the technical content in the document was significantly revised. Major changes affect protocol interoperability or implementation. Examples of major changes are:

  • A document revision that incorporates changes to interoperability requirements.

  • A document revision that captures changes to protocol functionality.

The revision class Minor means that the meaning of the technical content was clarified. Minor changes do not affect protocol interoperability or implementation. Examples of minor changes are updates to clarify ambiguity at the sentence, paragraph, or table level.

The revision class None means that no new technical changes were introduced. Minor editorial and formatting changes may have been made, but the relevant technical content is identical to the last released version.

The changes made to this document are listed in the following table. For more information, please contact dochelp@microsoft.com.

Section: 2.1 Transport
Description: Added product behavior note 8 to specify the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level value that clients MUST use for certificate-request and certificate administrative operations, to ensure a connection to the CA server is not denied.
Revision class: Major

Section: 2.2.2.7.7.4 szOID_NTDS_CA_SECURITY_EXT
Description: Created a new topic to define the szOID_NTDS_CA_SECURITY_EXT security extension for enhanced security protections. Also added a behavior note on operating system applicability for this security extension.
Revision class: Major

Section: 2.3 Directory Service Schema Elements
Description: Added 'objectSid' to the Computer class and User class lists in the Class/Attribute table.
Revision class: Major

Section: 3.1.1.4.3.8 Certificate Requests in Pre-sign flow
Description: 11440 : Added a top-level section for the new Certificate Requests in Pre-sign Flow subsections.
Revision class: Major

Section: 3.1.1.4.3.8 Certificate Requests in Pre-sign flow
Description: 11440 : Added a new top-level section for the subsequent subtopics describing how a certificate request can be designated for Pre-sign certificate processing at the server.
Revision class: Major

Section: 3.1.1.4.3.8.1 New Certificate Request for Pre-sign Processing
Description: 11440 : Describes how a certificate request can be designated for Pre-sign certificate processing at the server.
Revision class: Major

Section: 3.1.1.4.3.8.1 New Certificate Request for Pre-sign Processing
Description: 11440 : Added a new section describing how a certificate request can be designated for Pre-sign certificate processing at the server. Includes a behavior note specifying the operating systems that support Pre-sign certificate processing.
Revision class: Major

Section: 3.1.1.4.3.8.2 New Certificate Request After Pre-sign Processing
Description: 11440 : Added a new section describing the processing at the client after it receives a response to a request that had the Pre-sign flag set.
Revision class: Major

Section: 3.2.1.1.1.2 Request Table Optional Data Elements
Description: 11425 : Added the 'Issuer_Name_Id' data element to the Request Table optional data elements.
Revision class: Major

Section: 3.2.1.1.4 Configuration List
Description: 11440 : Added a flag to the Configuration List table that determines whether Pre-sign processing is enabled at the server. Also added the dummy private key description to the table.
Revision class: Major

Section: 3.2.1.4.2.1 ICertRequestD::Request (Opnum 3)
Description: Added product behavior note 70 to specify the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level value that clients MUST use for certificate-request and certificate administrative operations, to ensure a connection to the CA server is not denied.
Revision class: Major

Section: 3.2.1.4.2.1.4.4 Storing Request Parameters in the Request Table
Description: 11425 : Added and defined the Issuer_Name_Id data element in the request parameters stored in the Request Table.
Revision class: Major

Section: 3.2.1.4.2.1.4.10.1 New Certificate Request with Pre-sign flag
Description: 11440 : Specified the additional processing the CA MUST perform on certificate requests that have the Pre-sign flag set.
Revision class: Major

Section: 3.2.1.4.2.1.4.10.2 New Certificate Request without Pre-sign flag
Description: 11440 : Created a new section specifying the processing that the CA MUST perform on every new certificate request that does not have the Pre-sign flag set.
Revision class: Major

Section: 3.2.1.4.2.2 ICertRequestD::GetCACert (Opnum 4)
Description: Added product behavior note 82 to specify the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level value that clients MUST use for certificate-request and certificate administrative operations, to ensure a connection to the CA server is not denied.
Revision class: Major

Section: 3.2.1.4.2.3 ICertRequestD::Ping (Opnum 5)
Description: Added product behavior note 85 to specify the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level value that clients MUST use for certificate-request and certificate administrative operations, to ensure a connection to the CA server is not denied.
Revision class: Major

Section: 3.2.1.4.3.1.1 dwFlags Packed Data Requirements
Description: 11440 : Added the B bit, which indicates to the server that it MUST process the request as a new Pre-sign certificate request.
Revision class: Major

Section: 3.2.1.4.3.2 ICertRequestD2::GetCAProperty (Opnum 7)
Description: Added product behavior note 88 to specify the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level value that clients MUST use for certificate-request and certificate administrative operations, to ensure a connection to the CA server is not denied.
Revision class: Major

Section: 3.2.1.4.3.2.16 PropID = 0x00000010 (CR_PROP_CAXCHGCERTCHAIN) "CA Exchange Certificate Chain"
Description: 11425 : Updated the processing rules the CA MUST follow when handling a client's request for the CA exchange certificate, its complete chain, and all relevant CRLs, including updated instructions for constructing a signed CMS message. Also added a product behavior note on initiating a service restart after creating an Exchange Certificate.
Revision class: Major

Section: 3.2.1.4.3.2.33 PropID = 0x00000021 (CR_PROP_CAXCHGCERTCRLCHAIN) "CA Exchange Certificate Chain and CRL"
Description: 11425 : Updated the processing rules the CA MUST follow when handling a client's request for the CA exchange certificate, its complete chain, and all relevant CRLs, including updated instructions for constructing a signed CMS message. Also added a product behavior note on initiating a service restart after creating an Exchange Certificate.
Revision class: Major

Section: 3.2.1.4.3.3 ICertRequestD2::GetCAPropertyInfo (Opnum 8)
Description: Added product behavior note 108 to specify the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level value that clients MUST use for certificate-request and certificate administrative operations, to ensure a connection to the CA server is not denied.
Revision class: Major

Section: 3.2.2.1.2.1 Search Requests
Description: Added the attribute 'objectSid' to the list of attributes that the CA should use in an LDAP SearchRequest message.
Revision class: Major

Section: 3.2.2.1.3.1 Search Requests
Description: Added the attribute 'objectSid' to the list of attributes that the CA should use in an LDAP SearchRequest message.
Revision class: Major

Section: 3.2.2.6.2.1.4.4.1 Flags
Description: 11414 : Updated the value of the CT_FLAG_DONOTPERSISTINDB flag from 0x00000400 to 0x00001000.
Revision class: Major

Section: 3.2.2.6.2.1.4.5.6 msPKI-Enrollment-Flag
Description: 11354 : Updated the client processing instructions in the table to indicate that the CA MUST also enforce the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag when the conditions specified in new section 3.2.2.6.2.1.4.8, CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT Enforcement Conditions, are met. Also revised the client processing instructions to specify the conditions under which the subject alternative name (SAN) extension MUST be added to the new certificate being issued.
Revision class: Major

Section: 3.2.2.6.2.1.4.5.9 msPKI-Certificate-Name-Flag
Description: Enhanced the processing instructions to specify that the CA MUST add the new szOID_NTDS_CA_SECURITY_EXT security extension to the issued certificate when the CT_FLAG_NO_SECURITY_EXTENSION flag is not set, and MUST do the same when the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set and CT_FLAG_NO_SECURITY_EXTENSION is not set.
Revision class: Major

Section: 3.2.2.6.2.1.4.8 CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT Enforcement Conditions
Description: 11354 : Created a new topic specifying the conditions that must be met before the CA enforces the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag when that flag is set in the template.
Revision class: Major

Section: 3.2.2.6.3.1.1 PropID=0x0000001D (CR_PROP_TEMPLATES) "Configured Certificate Templates"
Description: 11512 : Updated the string definition ("TemplateName1\nTemplateOID1\nTemplateName2\nTemplateOID2\...) to include a null termination character, which ensures consistent results with calls to the GetCATemplates function.
Revision class: Major