3.2.1.4.3.2.15.1 Creating a CA Exchange Certificate

The CA MUST perform the following steps to create an exchange certificate.

  1. Determine the role of the machine that the CA is running on by performing external behavior consistent with locally invoking DsRolerGetPrimaryDomainInformation (specified in [MS-DSSP] section 3.2.5.1), using the following parameters:

    • Set the hBinding parameter to NULL.

    • Set the InfoLevel parameter to DsRolePrimaryDomainInfoBasic.

      If the MachineRole field of the returned DomainInfo structure is not equal to DsRole_RoleStandaloneWorkstation or DsRole_RoleStandaloneServer, then perform the following steps.

    1. Invoke the "Initialize ADConnection" task ([MS-ADTS] section 7.6.1.1) to construct an ADConnection with the following parameters:

      • TaskInputTargetName: NULL.

      • TaskInputPortNumber: If the value of the Config_CA_LDAP_Flags datum has the 0x0000001 (LDAPF_SSLENABLE) bit set, use port 636. Otherwise, use port 389.

    2. Invoke the "Setting an LDAP Option on an ADConnection" task ([MS-ADTS] section 7.6.1.2) once for each of the pairs of option and value parameters in the following table. For each of these, the TaskInputADConnection parameter is the ADConnection handle created in the previous step.

      TaskInputOptionName       | TaskInputOptionValue
      LDAP_OPT_GETDSNAME_FLAGS  | Bitwise OR of the bits D and R, as defined in [MS-NRPC] section 3.5.4.3.1
      LDAP_OPT_REFERRALS        | If the Config_AD_Connection_Referral ADM element is FALSE, set to FALSE
      LDAP_OPT_PROTOCOL_VERSION | 2

    3. If the value of the Config_CA_LDAP_Flags datum does not have the 0x0000002 (LDAPF_SIGNDISABLE) bit set and:

      • If, after invoking the processing rules that are specified in section 3.2.2.1.6 with the input parameter InputADConnectionHandle set equal to ActiveDirectory_Connection, the returned value is TRUE (that is, the DC supports signing), set LDAP_OPT_SIGN to TRUE.

      • Else, if the Config_CA_LDAP_Flags datum does not have the 0x0000001 (LDAPF_SSLENABLE) bit set, return 0x80094013 (CERTSRV_E_DOWNLEVEL_DC_SSL_OR_UPGRADE) to the client and exit.

    4. Invoke the "Performing an LDAP Bind on an ADConnection" task ([MS-ADTS] section 7.6.1.4) with the following parameter:

      TaskInputADConnection: The ADConnection handle generated in the previous step

      If the TaskReturnStatus returned is not 0:

      • Repeat step 1.2 with the following modification:

        • TaskInputOptionName: LDAP_OPT_GETDSNAME_FLAGS

        • TaskInputOptionValue: Bitwise OR of the bits A, D, and R, as defined in [MS-NRPC] section 3.5.4.3.1

      • Repeat this step (1.4). If the TaskReturnStatus returned is not 0, go to step 2.
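      The negotiation in steps 1.1 to 1.4, as an added Go example (not code from the specification or from any CA implementation): it models the decision the CA takes before it reads templates from the directory. The names Negotiate, LDAPSession and HRESULTError are assumptions; the bind callback stands for the "Performing an LDAP Bind on an ADConnection" task and dcSupportsSigning for the result of section 3.2.2.1.6. The [MS-NRPC] bits D, R and A are kept symbolic because the page names them without giving their values, and the LDAP_OPT_REFERRALS and LDAP_OPT_PROTOCOL_VERSION options of step 1.2 are left out. No directory connection is opened.

```go
package main

import (
	"errors"
	"fmt"
)

// Bits of the Config_CA_LDAP_Flags datum named on the page.
const (
	LDAPF_SSLENABLE   uint32 = 0x00000001
	LDAPF_SIGNDISABLE uint32 = 0x00000002
)

// HRESULT the CA returns to the client when it can neither sign nor TLS-protect
// the LDAP session (step 1.3).
const CERTSRV_E_DOWNLEVEL_DC_SSL_OR_UPGRADE uint32 = 0x80094013

// ErrContinueWithStep2 means both binds failed and the CA proceeds to step 2
// without template data from the directory.
var ErrContinueWithStep2 = errors.New("LDAP bind failed twice; continue with step 2")

// HRESULTError carries an HRESULT back to the caller.
type HRESULTError uint32

func (e HRESULTError) Error() string { return fmt.Sprintf("HRESULT 0x%08X", uint32(e)) }

// LDAPSession holds the options steps 1.1 to 1.4 settle on. GetDSNameFlags is
// symbolic (assumed placeholder) because the page names the [MS-NRPC] bits D, R
// and A without giving their values.
type LDAPSession struct {
	Port           int
	Sign           bool
	GetDSNameFlags string
	BindAttempts   int
}

// Negotiate applies steps 1.1 through 1.4. dcSupportsSigning stands for the result
// of section 3.2.2.1.6; bind stands for the "Performing an LDAP Bind" task and
// returns its TaskReturnStatus (0 on success).
func Negotiate(flags uint32, dcSupportsSigning bool, bind func(LDAPSession) int) (LDAPSession, error) {
	s := LDAPSession{Port: 389}
	if flags&LDAPF_SSLENABLE != 0 { // step 1.1
		s.Port = 636
	}
	if flags&LDAPF_SIGNDISABLE == 0 { // step 1.3
		switch {
		case dcSupportsSigning:
			s.Sign = true
		case flags&LDAPF_SSLENABLE == 0:
			// No signing and no TLS: the CA refuses a cleartext session to the DC.
			return s, HRESULTError(CERTSRV_E_DOWNLEVEL_DC_SSL_OR_UPGRADE)
		}
	}
	// Step 1.4: bind with D|R; on failure redo step 1.2 with A|D|R and bind once more.
	for _, f := range []string{"D|R", "A|D|R"} {
		s.GetDSNameFlags = f
		s.BindAttempts++
		if bind(s) == 0 {
			return s, nil
		}
	}
	return s, ErrContinueWithStep2
}

func main() {
	alwaysOK := func(LDAPSession) int { return 0 }
	for _, flags := range []uint32{0, LDAPF_SSLENABLE, LDAPF_SIGNDISABLE} {
		for _, signing := range []bool{true, false} {
			s, err := Negotiate(flags, signing, alwaysOK)
			fmt.Printf("flags=0x%08X dcSigning=%-5v -> port=%d sign=%-5v err=%v\n",
				flags, signing, s.Port, s.Sign, err)
		}
	}
}
```

      Running main prints the outcome matrix. Read as a defender: with LDAPF_SIGNDISABLE clear, a DC that cannot sign is accepted only over port 636, and the CA otherwise stops with CERTSRV_E_DOWNLEVEL_DC_SSL_OR_UPGRADE rather than read templates over an unprotected session; setting LDAPF_SIGNDISABLE removes that check, so it is a configuration value worth auditing.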

    5. Obtain the distinguished name for the Certificate Templates Container (section 2.2.2.11.1), as specified in the following steps:

      • Invoke the "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters:

        • TaskInputADConnection: The ADConnection handle generated in the previous step

        • TaskInputRequestMessage: LDAP SearchRequest message (see [RFC2251] section 4.5.1), as follows:

          • baseObject: distinguished name of the rootDSE object as specified in [MS-ADTS] section 3.1.1.3.2.1

          • scope: baseObject

          • filter: (objectCategory=*)

          • attributes: The CA SHOULD use the following attributes:

            • configurationNamingContext

            • defaultNamingContext

          • sizeLimit: 10000

          • timeLimit: 120

          • derefAliases: neverDerefAliases

          • typesOnly: FALSE

        • TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search.

          If the TaskReturnStatus returned is not 0, go to step 2.

      • Build the distinguished name by concatenating the "CN=Certificate Templates,CN=Public Key Services,CN=Services, CN=Configuration" path and the value of the configurationNamingContext attribute from the previous step.

    6. Read all objects under the Certificate Templates Container as follows:

      Repeat the previous step with the following modifications:

      • baseObject: distinguished name of the Certificate Templates Container obtained in the previous step.

      • scope: wholeSubtree

      • filter: (objectCategory=pKICertificateTemplate)

      • attributes: The CA SHOULD use the following attributes:

        • cn

        • flags

        • ntSecurityDescriptor

        • revision

        • pKICriticalExtensions

        • pKIDefaultCSPs

        • pKIDefaultKeySpec

        • pKIEnrollmentAccess

        • pKIExpirationPeriod

        • pKIExtendedKeyUsage

        • pKIKeyUsage

        • pKIMaxIssuingDepth

        • pKIOverlapPeriod

        • msPKI-Template-Schema-Version

        • msPKI-Template-Minor-Revision

        • msPKI-RA-Signature

        • msPKI-Minimal-Key-Size

        • msPKI-Cert-Template-OID

        • msPKI-Supersede-Templates

        • msPKI-RA-Policies

        • msPKI-RA-Application-Policies

        • msPKI-Certificate-Policy

        • msPKI-Certificate-Application-Policy

        • msPKI-Enrollment-Flag

        • msPKI-Private-Key-Flag

        • msPKI-Certificate-Name-Flag

          If the TaskReturnStatus returned is not 0, go to step 2.

    7. If a certificate template with a commonName attribute equal to "CAExchange" (case-insensitive comparison) was read in the previous step and the CA has permission to enroll for that template (determined by invoking the processing rules in Verify End Entity Permissions (section 3.2.2.6.2.1.4.3) with the input parameter Input_ntSecurityDescriptor set equal to the ntSecurityDescriptor attribute of the CAExchange certificate template and Input_SID set equal to the CA_SID ADM element), create the exchange certificate based on the attribute value processing specified in sections 3.2.2.6.2.1.4.4 and 3.2.2.6.2.1.4.5.

  2. If an exchange certificate was not created in the previous steps, create it by adding the following fields and extensions:

    1. The Subject of the exchange certificate contains a common name attribute whose value is the value of the common name attribute in the Subject of the CA signing certificate (Signing_Cert_Certificate datum) with "-Xchg" appended. The Issuer field is set to the same value as the Subject field of the CA signing certificate (Signing_Cert_Certificate datum).

    2. Key Usage extension with KeyEncipherment bit enabled. The Key Usage extension is specified in [RFC3280] section 4.2.1.3.

    3. Extended Key Usage extension containing the OID szOID_KP_CA_EXCHANGE (1.3.6.1.4.1.311.21.5) as the KeyPurposeId. The Extended Key Usage extension is specified in [RFC3280] section 4.2.1.13.

    4. Application Policies extension containing the OID szOID_KP_CA_EXCHANGE (1.3.6.1.4.1.311.21.5) as the Application Policy OID. The Application Policies extension is specified in section 2.2.2.7.7.3.

    5. Certificate Template Common Name extension with the value of Name as "CAExchange". Encoding a Certificate Template Common Name Extension is specified in section 2.2.2.7.7.1.

    6. If the CA signing certificate contains a Certificate Policies extension, add this extension with the same value as in the CA signing certificate (Signing_Cert_Certificate datum). The Certificate Policies extension is specified in [RFC3280] section 4.2.1.5.

    7. The Authority Key Identifier extension is added with the same value as the Subject Key Identifier extension in the CA signing certificate (Signing_Cert_Certificate datum). If the Subject Key Identifier extension is not found in the CA signing certificate (Signing_Cert_Certificate datum), then the SHA1 hash of the public key of CA signing certificate (Signing_Cert_Certificate datum) is used as the value for the Authority Key Identifier extension. The Authority Key Identifier extension is specified in [RFC3280] section 4.2.1.1.

    8. The Subject Key Identifier extension is added with the same value as the SHA1 hash of the public key associated with the exchange certificate. The Subject Key Identifier extension is specified in [RFC3280] section 4.2.1.2.

    9. The Authority Information Access extension is added with the same value the CA returns when ICertRequestD2::GetCAProperty is called for PropID of CR_PROP_CERTAIAURLS and propIndex of 0xFFFFFFFF. See section 3.2.1.4.3.2.42 for details on how this value is computed. The Authority Information Access extension is specified in [RFC3280] section 4.2.2.1.

    10. The CRL Distribution Point extension is added with the same value the CA returns when ICertRequestD2::GetCAProperty is called for PropID of CR_PROP_CERTCDPURLS and propIndex of 0xFFFFFFFF. See section 3.2.1.4.3.2.43 for details on how this value is computed. The CRL Distribution Point extension is specified in [RFC3280] section 4.2.1.14.

    11. The value of the Valid From field is the date and time when the request for the CA exchange certificate was received minus the value of the Config_CA_Clock_Skew_Minutes datum. The Valid To field is set to one week later. Valid From and Valid To are specified in [RFC3280] section 4.1.2.5.

    12. The serial number SHOULD be generated as specified in section 3.2.1.4.2.1.4.6 and stored in the Serial Number field. The Serial Number field is specified in [RFC3280] section 4.1.2.2.

    13. The value for the Signature Algorithm field is the name of the signing algorithm configured at the CA. The Signature Algorithm field is specified in [RFC3280] section 4.1.1.2.

    14. The value for the Subject Public Key field is the public key associated with the exchange certificate. The Subject Public Key field is specified in [RFC3280] section 4.1.
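    Steps 2.1 to 2.14, carried out with Go's crypto/x509 as an added example (not code from the specification or from any Microsoft implementation). Its assumptions: an RSA key pair is generated for the exchange certificate; NewSigningCA builds a self-signed stand-in for the Signing_Cert_Certificate datum from constructed data; the OIDs of the Certificate Template Common Name extension (1.3.6.1.4.1.311.20.2, a BMPString) and the Application Policies extension (1.3.6.1.4.1.311.21.10) are taken from the MS-WCCE sections the page cites, since the page itself prints only szOID_KP_CA_EXCHANGE; a random positive serial number stands in for the section 3.2.1.4.2.1.4.6 rule of step 2.12; "one week later" is read as one week after Valid From; and the AIA and CDP URLs are passed in by the caller in place of the GetCAProperty results of steps 2.9 and 2.10.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
	"unicode/utf16"
)

// szOID_KP_CA_EXCHANGE is on the page; the other two Microsoft OIDs come from the cited MS-WCCE sections.
var (
	oidKpCAExchange        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 21, 5}
	oidCertTemplateName    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2}  // section 2.2.2.7.7.1
	oidApplicationPolicies = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 21, 10} // section 2.2.2.7.7.3
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}                  // RFC 3280 section 4.2.1.5
)

// PolicyInformation SEQUENCE (qualifiers omitted), shared by Certificate Policies and Application Policies.
type policyInformation struct{ PolicyIdentifier asn1.ObjectIdentifier }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// keyIdentifier: SHA-1 of the subjectPublicKey BIT STRING value (RFC 3280 4.2.1.2 method 1); SKI of step 2.8, AKI fallback of 2.7.
func keyIdentifier(rawSPKI []byte) []byte {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	must(asn1.Unmarshal(rawSPKI, &spki))
	sum := sha1.Sum(spki.PublicKey.Bytes)
	return sum[:]
}

// bmpString DER-encodes s as a BMPString (UNIVERSAL 30, UTF-16BE), the type used by the Certificate Template Common Name extension.
func bmpString(s string) []byte {
	var b []byte
	for _, u := range utf16.Encode([]rune(s)) {
		b = append(b, byte(u>>8), byte(u))
	}
	return must(asn1.Marshal(asn1.RawValue{Class: asn1.ClassUniversal, Tag: 30, Bytes: b}))
}

// NewSigningCA: self-signed stand-in for the Signing_Cert_Certificate datum (constructed data), carrying anyPolicy so step 2.6 has an extension to copy.
func NewSigningCA(cn string) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true, // Go derives the SKI itself for CA templates
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: must(asn1.Marshal(
			[]policyInformation{{asn1.ObjectIdentifier{2, 5, 29, 32, 0}}}))}}, // anyPolicy
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// BuildCAExchangeCertificate carries out step 2. clockSkew stands for Config_CA_Clock_Skew_Minutes;
// aiaURLs and cdpURLs stand for the GetCAProperty results of steps 2.9 and 2.10.
func BuildCAExchangeCertificate(caCert *x509.Certificate, caKey *rsa.PrivateKey, receivedAt time.Time,
	clockSkew time.Duration, aiaURLs, cdpURLs []string) (*x509.Certificate, *rsa.PrivateKey) {
	xchgKey := must(rsa.GenerateKey(rand.Reader, 2048))
	aki := caCert.SubjectKeyId // step 2.7: issuer SKI, else SHA-1 of the issuer public key
	if len(aki) == 0 {
		aki = keyIdentifier(caCert.RawSubjectPublicKeyInfo)
	}
	notBefore := receivedAt.Add(-clockSkew) // step 2.11
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))), // step 2.12, random stand-in
		Subject:               pkix.Name{CommonName: caCert.Subject.CommonName + "-Xchg"},        // step 2.1
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(7 * 24 * time.Hour), // "one week later", read relative to Valid From
		KeyUsage:              x509.KeyUsageKeyEncipherment,      // step 2.2
		UnknownExtKeyUsage:    []asn1.ObjectIdentifier{oidKpCAExchange}, // step 2.3
		SubjectKeyId:          keyIdentifier(must(x509.MarshalPKIXPublicKey(&xchgKey.PublicKey))), // step 2.8
		AuthorityKeyId:        aki,
		IssuingCertificateURL: aiaURLs,
		CRLDistributionPoints: cdpURLs,
		ExtraExtensions: []pkix.Extension{
			{Id: oidCertTemplateName, Value: bmpString("CAExchange")},                                     // step 2.5
			{Id: oidApplicationPolicies, Value: must(asn1.Marshal([]policyInformation{{oidKpCAExchange}}))}, // step 2.4
		},
	}
	for _, ext := range caCert.Extensions { // step 2.6: copy Certificate Policies unchanged
		if ext.Id.Equal(oidCertificatePolicies) {
			tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, ext)
		}
	}
	// CreateCertificate takes Issuer from caCert.Subject (step 2.1) and the signature algorithm from the CA key (step 2.13).
	der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, &xchgKey.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), xchgKey
}
```

    Two details of Go's CreateCertificate matter here: it fills the Issuer from the parent's Subject, which is exactly step 2.1, and it prefers the parent's Subject Key Identifier for the Authority Key Identifier, so the SHA-1 fallback of step 2.7 only takes effect when the signing certificate really has no SKI extension. When checking an exchange certificate a CA has handed out, the properties above (a "-Xchg" common name, KeyEncipherment as the only key usage, the CA Exchange EKU and application policy, the "CAExchange" template name, and a one-week validity) are what the specification says it must carry; anything beyond them is outside this procedure.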

  3. Store the created certificate as follows:

    • Store the certificate as an entry in the request table.

    • Add the X.509 certificate to the Store_CA_Exchange_Cert list of certificates and set it as the Current_CA_Exchange_Cert data element value.

    • Delete the list of hash values from the Config_CA_Exchange_Cert datum.

  4. The CA MUST create a new row in the Request table and set the following values:

    • Request_Request_ID: Assign a unique value in this column.

    • Request_Disposition: Assign the value "certificate issued".

    • Request_Raw_Request: Set to empty.

      In addition, the CA SHOULD store the following request parameters in the Request table.

      Column name                         | Value
      Request_Raw_Old_Certificate         | Empty
      Request_Request_Attributes          | Empty
      Request_Request_Type                | Empty
      Request_Request_Flags               | 0x0000000C (the bitwise OR of the CR_FLG_CAXCHGCERT flag and the CR_FLG_FORCEUTF8 flag; for more details see [MS-CSRA] section 3.1.1.1.2)
      Request_Status_Code                 | 0x00000000 (the operation completed successfully)
      Request_Submitted_When              | The time the request for the CA exchange certificate was received by the CA.
      Request_Resolved_When               | The time the CA completed the processing for the CA exchange certificate.
      Request_Requester_Name              | The value of the CA_Account_Name ADM element.
      Request_Caller_Name                 | The value of the Per_Request.Caller_Account_Name ADM element.
      Request_Signer_Policies             | Empty
      Request_Signer_Application_Policies | Empty
      Request_Officer                     | Empty
      Request_Distinguished_Name          | The distinguished name (DN) from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Raw_Name                    | The Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Country                     | The Country attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Organization                | The Organization attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Org_Unit                    | The Organizational-Unit attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Common_Name                 | The Common Name attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Locality                    | The Locality attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_State                       | The Province name attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Title                       | The Title attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Given_Name                  | The Given Name attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Initials                    | The Initials attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_SurName                     | The Surname attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Domain_Component            | The Domain Component attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Email                       | The Email Address attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Street_Address              | The Street Address attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Unstructured_Name           | The Unstructured Name attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Unstructured_Address        | The Unstructured Address attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
      Request_Device_Serial_Number        | The Device Serial Number attribute from the DN in the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).