IKEEXT_CERTIFICATE_AUTHENTICATION1 structure

The IKEEXT_CERTIFICATE_AUTHENTICATION1 structure specifies the parameters for IKE, AuthIP, and IKEv2 certificate authentication: how the peer's certificate chain is verified, how the local certificate chain is selected, and how revocation checking behaves.

Note  IKEEXT_CERTIFICATE_AUTHENTICATION1 is the specific implementation of IKEEXT_CERTIFICATE_AUTHENTICATION used in Windows 7. See WFP Version-Independent Names and Targeting Specific Versions of Windows for more information. For Windows 8, IKEEXT_CERTIFICATE_AUTHENTICATION2 is available. For Windows Vista, IKEEXT_CERTIFICATE_AUTHENTICATION0 is available.

Syntax


typedef struct IKEEXT_CERTIFICATE_AUTHENTICATION1_ {
  IKEEXT_CERT_CONFIG_TYPE inboundConfigType;
  union {
    struct {
      UINT32                   inboundRootArraySize;
      IKEEXT_CERT_ROOT_CONFIG0 *inboundRootArray;
    };
    IKEEXT_CERT_ROOT_CONFIG0 *inboundEnterpriseStoreConfig;
    IKEEXT_CERT_ROOT_CONFIG0 *inboundTrustedRootStoreConfig;
    // case(IKEEXT_CERT_CONFIG_UNSPECIFIED): no member
  };
  IKEEXT_CERT_CONFIG_TYPE outboundConfigType;
  union {
    struct {
      UINT32                   outboundRootArraySize;
      IKEEXT_CERT_ROOT_CONFIG0 *outboundRootArray;
    };
    IKEEXT_CERT_ROOT_CONFIG0 *outboundEnterpriseStoreConfig;
    IKEEXT_CERT_ROOT_CONFIG0 *outboundTrustedRootStoreConfig;
    // case(IKEEXT_CERT_CONFIG_UNSPECIFIED): no member
  };
  UINT32                  flags;
  FWP_BYTE_BLOB           localCertLocationUrl;
} IKEEXT_CERTIFICATE_AUTHENTICATION1;

Members

inboundConfigType

Certificate configuration type for inbound peer certificate verification.

See IKEEXT_CERT_CONFIG_TYPE for more information.

inboundRootArraySize

Number of elements in the inboundRootArray member.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

inboundRootArray

Explicit trust list for verifying the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

inboundEnterpriseStoreConfig

Enterprise store configuration for verifying the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_ENTERPRISE_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

inboundTrustedRootStoreConfig

Trusted root store configuration for verifying the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

outboundConfigType

Certificate configuration type for outbound local certificate verification.

See IKEEXT_CERT_CONFIG_TYPE for more information.

outboundRootArraySize

Number of elements in the outboundRootArray member.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

outboundRootArray

Explicit trust list for selecting a certificate chain to send to the peer.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

outboundEnterpriseStoreConfig

Enterprise store configuration for selecting the certificate chain.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_ENTERPRISE_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

outboundTrustedRootStoreConfig

Trusted root store configuration for selecting the certificate chain.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

flags

A combination of the following values that specifies the certificate authentication characteristics.

IKE/AuthIP certificate authentication flag | Meaning

IKEEXT_CERT_AUTH_FLAG_SSL_ONE_WAY

Enable SSL one-way authentication.

Applicable only to AuthIP.

IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK

Disable CRL checking. By default, weak CRL checking is enabled. Weak checking means that a certificate is rejected if and only if the CRL is successfully retrieved and the certificate is found to be revoked; if the CRL cannot be retrieved, the certificate is accepted. Under weak checking, a peer whose certificate has been revoked therefore remains accepted whenever CRL retrieval fails, so treat weak checking as soft-fail and prefer strong checking wherever the CRL distribution point is reliably reachable.

IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG

Enable strong CRL checking. Strong checking means that a certificate is rejected if it is found to be revoked, or if any other error (for example, the CRL could not be retrieved) occurs during revocation checking. This flag and IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK request contradictory behavior and should not be set together.

IKEEXT_CERT_AUTH_DISABLE_SSL_CERT_VALIDATION

Disables the SSL server authentication extended key usage (EKU) check. Other types of AuthIP validation are still performed.

Applicable only to AuthIP.

IKEEXT_CERT_AUTH_ALLOW_HTTP_CERT_LOOKUP

Allow lookup of peer certificate information from an HTTP URL.

Applicable only to IKEv2.

IKEEXT_CERT_AUTH_URL_CONTAINS_BUNDLE

The URL specified in the certificate authentication policy points to an encoded certificate bundle. If this flag is not specified, IKEv2 assumes that the URL points to a single encoded certificate.

Applicable only to IKEv2.

localCertLocationUrl

HTTP URL pointing to an encoded certificate or certificate bundle that IKEv2 uses to authenticate the local machine to a peer. Whether the URL refers to a single certificate or a bundle is indicated by IKEEXT_CERT_AUTH_URL_CONTAINS_BUNDLE in the flags member.

Applicable only to IKEv2.

See FWP_BYTE_BLOB for more information.
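As an added example (not code from the Windows SDK or from this documentation), the block below fills an IKEEXT_CERTIFICATE_AUTHENTICATION1 with an explicit root trust list and strong CRL checking, then lints any such structure for the conditions the member descriptions above imply: an unspecified inbound configuration, an explicit trust list with no roots, the two CRL flags set together, the default weak (soft-fail) CRL behavior, and AuthIP-only or IKEv2-only settings attached to a different keying module. On Windows it compiles against fwpmu.h; elsewhere it declares minimal mirrors of the types so the lint can be built and unit-tested off-box. The mirror's enum and flag values, the keymod_t stand-in for the keying module, the LINT_* codes, and the placeholder CA identity bytes are assumptions of this example, not part of the page.

```c
/* Added example: builder plus lint for IKEEXT_CERTIFICATE_AUTHENTICATION1.
 * Not from the Windows SDK. On Windows the SDK headers are used; elsewhere
 * minimal mirrors of the iketypes.h/fwptypes.h shapes are declared so the
 * lint can be compiled and tested off-box. Mirror enum/flag values are
 * assumed to match iketypes.h; check them against your SDK before relying
 * on them. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <fwpmu.h>
#else
typedef uint32_t UINT32; typedef uint8_t UINT8;
typedef struct { UINT32 size; UINT8 *data; } FWP_BYTE_BLOB;
typedef enum { IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST, IKEEXT_CERT_CONFIG_ENTERPRISE_STORE,
               IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE, IKEEXT_CERT_CONFIG_UNSPECIFIED } IKEEXT_CERT_CONFIG_TYPE;
typedef struct { FWP_BYTE_BLOB certData; UINT32 flags; } IKEEXT_CERT_ROOT_CONFIG0;
typedef struct {
    IKEEXT_CERT_CONFIG_TYPE inboundConfigType;
    union { struct { UINT32 inboundRootArraySize; IKEEXT_CERT_ROOT_CONFIG0 *inboundRootArray; };
            IKEEXT_CERT_ROOT_CONFIG0 *inboundEnterpriseStoreConfig;
            IKEEXT_CERT_ROOT_CONFIG0 *inboundTrustedRootStoreConfig; };
    IKEEXT_CERT_CONFIG_TYPE outboundConfigType;
    union { struct { UINT32 outboundRootArraySize; IKEEXT_CERT_ROOT_CONFIG0 *outboundRootArray; };
            IKEEXT_CERT_ROOT_CONFIG0 *outboundEnterpriseStoreConfig;
            IKEEXT_CERT_ROOT_CONFIG0 *outboundTrustedRootStoreConfig; };
    UINT32 flags;
    FWP_BYTE_BLOB localCertLocationUrl;
} IKEEXT_CERTIFICATE_AUTHENTICATION1;
#define IKEEXT_CERT_AUTH_FLAG_SSL_ONE_WAY            0x01u  /* assumed values, see iketypes.h */
#define IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK      0x02u
#define IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG     0x04u
#define IKEEXT_CERT_AUTH_DISABLE_SSL_CERT_VALIDATION 0x08u
#define IKEEXT_CERT_AUTH_ALLOW_HTTP_CERT_LOOKUP      0x10u
#define IKEEXT_CERT_AUTH_URL_CONTAINS_BUNDLE         0x20u
#endif

/* Stand-in for the keying module the authentication method is attached to (example-local). */
typedef enum { KEYMOD_IKE, KEYMOD_AUTHIP, KEYMOD_IKEV2 } keymod_t;

/* Lint findings, one bit each (example-local codes). */
#define LINT_INBOUND_UNCONSTRAINED 0x01u /* inbound type UNSPECIFIED: no trust anchor set for the peer */
#define LINT_EMPTY_TRUST_LIST      0x02u /* EXPLICIT_TRUST_LIST with no roots */
#define LINT_CRL_CONFLICT          0x04u /* DISABLE_CRL_CHECK and CRL_CHECK_STRONG both set */
#define LINT_CRL_DISABLED          0x08u /* revocation never checked */
#define LINT_CRL_SOFT_FAIL         0x10u /* default weak checking: CRL fetch failure accepts the cert */
#define LINT_WRONG_KEYMOD          0x20u /* AuthIP-only or IKEv2-only setting on another keying module */

unsigned lint_cert_auth(const IKEEXT_CERTIFICATE_AUTHENTICATION1 *a, keymod_t km)
{
    const UINT32 authip_only = IKEEXT_CERT_AUTH_FLAG_SSL_ONE_WAY | IKEEXT_CERT_AUTH_DISABLE_SSL_CERT_VALIDATION;
    const UINT32 ikev2_only  = IKEEXT_CERT_AUTH_ALLOW_HTTP_CERT_LOOKUP | IKEEXT_CERT_AUTH_URL_CONTAINS_BUNDLE;
    int disable = (a->flags & IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK) != 0;
    int strong  = (a->flags & IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG) != 0;
    unsigned out = 0;

    if (a->inboundConfigType == IKEEXT_CERT_CONFIG_UNSPECIFIED)
        out |= LINT_INBOUND_UNCONSTRAINED;
    if (a->inboundConfigType == IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST &&
        (a->inboundRootArraySize == 0 || a->inboundRootArray == NULL))
        out |= LINT_EMPTY_TRUST_LIST;
    if (disable && strong) out |= LINT_CRL_CONFLICT;
    else if (disable)      out |= LINT_CRL_DISABLED;
    else if (!strong)      out |= LINT_CRL_SOFT_FAIL;   /* neither flag: weak checking is the default */
    if (km != KEYMOD_AUTHIP && (a->flags & authip_only))
        out |= LINT_WRONG_KEYMOD;
    if (km != KEYMOD_IKEV2 && ((a->flags & ikev2_only) || a->localCertLocationUrl.size != 0))
        out |= LINT_WRONG_KEYMOD;                        /* HTTP lookup/bundle/URL are IKEv2-only */
    return out;
}

/* Pin peer verification to an explicit list of roots and fail closed on CRL errors. */
void make_pinned_cert_auth(IKEEXT_CERTIFICATE_AUTHENTICATION1 *a,
                           IKEEXT_CERT_ROOT_CONFIG0 *roots, UINT32 count)
{
    memset(a, 0, sizeof *a);
    a->inboundConfigType = IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST;
    a->inboundRootArraySize = count;  a->inboundRootArray = roots;
    a->outboundConfigType = IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST; /* select our own chain from the same roots */
    a->outboundRootArraySize = count; a->outboundRootArray = roots;
    a->flags = IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG;
}

/* Constructed scenarios; returns the lint result for scenario n. */
unsigned demo_case(int n)
{
    static UINT8 root_id[] = "CN=Example IPsec Root CA"; /* constructed placeholder for the encoded CA identity */
    IKEEXT_CERT_ROOT_CONFIG0 root = { { (UINT32)(sizeof root_id - 1), root_id }, 0 };
    IKEEXT_CERTIFICATE_AUTHENTICATION1 a;
    make_pinned_cert_auth(&a, &root, 1);
    switch (n) {
    case 0:  /* pinned root, strong CRL, IKEv1: clean */
        return lint_cert_auth(&a, KEYMOD_IKE);
    case 1:  /* explicit list left empty and both CRL flags set */
        a.inboundRootArraySize = 0; a.inboundRootArray = NULL;
        a.flags = IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK | IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG;
        return lint_cert_auth(&a, KEYMOD_IKE);
    case 2:  /* machine trusted-root store with default flags: weak CRL checking */
        a.inboundConfigType = IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE; a.inboundTrustedRootStoreConfig = &root;
        a.flags = 0;
        return lint_cert_auth(&a, KEYMOD_IKE);
    default: /* IKEv2-only HTTP certificate lookup requested on an AuthIP method */
        a.flags |= IKEEXT_CERT_AUTH_ALLOW_HTTP_CERT_LOOKUP;
        return lint_cert_auth(&a, KEYMOD_AUTHIP);
    }
}

int main(void)
{
    for (int i = 0; i < 4; i++) printf("case %d lint = 0x%02x\n", i, demo_case(i));
    return 0;
}
```

In a real policy the structure is carried inside the IKE/AuthIP authentication method of the main-mode policy; running the lint before that policy is submitted turns a silently weak setting (weak CRL checking, which accepts a revoked certificate whenever the CRL is unreachable) into a finding at configuration time rather than at incident time.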

Requirements

Minimum supported client

Windows 7 [desktop apps only]

Minimum supported server

Windows Server 2008 R2 [desktop apps only]

Header

Iketypes.h

IDL

Iketypes.idl

See also

Windows Filtering Platform API Structures
