2.26 msPKI-Enrollment-Flag Attribute

The msPKI-Enrollment-Flag attribute specifies the enrollment flags. The attribute value can be 0, or it can consist of a bitwise OR of flags from the following table.<27>

Flag

Meaning

0x00000001

CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS

This flag instructs the client and server to include a Secure/Multipurpose Internet Mail Extensions (S/MIME) certificate extension, as specified in [RFC4262], in the request and in the issued certificate.

0x00000002

CT_FLAG_PEND_ALL_REQUESTS

This flag instructs the CA to put all requests in a pending state.

0x00000004

CT_FLAG_PUBLISH_TO_KRA_CONTAINER

This flag instructs the CA to publish the issued certificate to the key recovery agent (KRA) container in Active Directory, as specified in [MS-ADTS].

0x00000008

CT_FLAG_PUBLISH_TO_DS

This flag instructs CA servers to append the issued certificate to the userCertificate attribute, as specified in [RFC4523], on the user object in Active Directory. The server processing rules for this flag are specified in [MS-WCCE] section 3.2.2.6.2.1.4.5.6.

0x00000010

CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE

This flag instructs clients not to do autoenrollment for a certificate based on this template if the user's userCertificate attribute (specified in [RFC4523]) in Active Directory has a valid certificate based on the same template.

0x00000020

CT_FLAG_AUTO_ENROLLMENT

This flag instructs clients to perform autoenrollment for the specified template.

0x00000040

CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT

This flag instructs clients to sign the renewal request using the private key of the existing certificate. For more information, see [MS-WCCE] section 3.2.2.6.2.1.4.5.6.This flag also instructs the CA to process the renewal requests as specified in [MS-WCCE] section 3.2.2.6.2.1.4.5.6.

0x00000100

CT_FLAG_USER_INTERACTION_REQUIRED

This flag instructs the client to obtain user consent before attempting to enroll for a certificate that is based on the specified template.

0x00000400

CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE

This flag instructs the autoenrollment client to delete any certificates that are no longer needed based on the specific template from the local certificate storage. For information about autoenrollment and the local certificate storage, see [MS-CERSOD] section 2.1.2.2.2.

0x00000800

CT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF

This flag instructs the server to allow enroll on behalf of (EOBO) functionality.

0x00001000

CT_FLAG_ADD_OCSP_NOCHECK

This flag instructs the server to not include revocation information and add the id-pkix-ocsp-nocheck extension, as specified in [RFC2560] section 4.2.2.2.1, to the certificate that is issued.<28>

0x00002000

CT_FLAG_ENABLE_KEY_REUSE_ON_NT_TOKEN_KEYSET_STORAGE_FULL

This flag instructs the client to reuse the private key for a smart card–based certificate renewal if it is unable to create a new private key on the card.<29>

0x00004000

CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS

This flag instructs the server to not include revocation information in the issued certificate.<30>

0x00008000

CT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS

This flag instructs the server to include Basic Constraints extension (specified in [RFC3280] section 4.2.1.10) in the end entity certificates.<31>

0x00010000

CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT

This flag instructs the CA to ignore the requirement for Enroll permissions on the template when processing renewal requests as specified in [MS-WCCE] section 3.2.2.6.2.1.4.5.6.<32>

0x00020000

CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST

This flag indicates that the certificate issuance policies to be included in the issued certificate come from the request rather than from the template. The template contains a list of all of the issuance policies that the request is allowed to specify; if the request contains policies that are not listed in the template, then the request is rejected. For the processing rules of this flag, see [MS-WCCE] section 3.2.2.6.2.1.4.5.8.<33>

0x00040000

CT_FLAG_SKIP_AUTO_RENEWAL

This flag indicates that the certificate should not be auto-renewed, although it has a valid template.

0x00080000

CT_FLAG_NO_SECURITY_EXTENSION

                                                                         

This flag<34> instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate.

For schema details of this attribute, see [MS-ADA2] section 2.603.