3.2.2.6.2.1.4.5.7 msPKI-Private-Key-Flag

The following processing rules are applied to flags in this attribute. Each entry gives the flag value, the flag name, and the processing the CA applies when that flag is set in Certificate.Template.msPKI-Private-Key-Flag.

Flag

Server (CA) processing

0x00000001 CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL

If this flag is set, the CA MUST verify that the certificate request is a key archival request as specified in section 3.2.2.6.2.1.2.2. If this is a renewal request and CT_FLAG_REQUIRE_SAME_KEY_RENEWAL is also set, the CA SHOULD ignore this flag.<124> If the request does not comply with the key archival request specification, the CA SHOULD return error CERTSRV_E_ARCHIVED_KEY_REQUIRED (0x80094804) to the client.

0x00000080 CT_FLAG_REQUIRE_SAME_KEY_RENEWAL

If this flag is set and the request is a renewal request, the CA MUST verify that the public key in the request matches the key of one of the certificates being renewed. If it does not match, the CA SHOULD return error CERTSRV_E_RENEWAL_BAD_PUBLIC_KEY (0x80094816) to the client.<125>

0x00002000 CT_FLAG_ATTEST_REQUIRED *

If this flag is set and the request contains attestation data, the CA MUST invoke the key attestation processing rules specified in section 3.2.2.6.2.1.2.5 and its subsections. The CA SHOULD return error CERTSRV_E_KEY_ATTESTATION (0x8009481A) to the client if none of the key attestation processing steps is performed. If CT_FLAG_ATTESTATION_WITHOUT_POLICY is not set, the CA MUST add at least one of the OIDs below to the msPKI-Certificate-Policy attribute to indicate that key attestation occurred. The CA MUST add each OID to the msPKI-Certificate-Policy attribute when the key attestation processing rules of the corresponding section are performed:

  • Processing rules section 3.2.2.6.2.1.2.5: add OID szOID_ENROLL_EKVERIFYCREDS (1.3.6.1.4.1.311.21.32)

  • Processing rules section 3.2.2.6.2.1.2.5.1: add OID szOID_ENROLL_EKVERIFYCERT (1.3.6.1.4.1.311.21.31)

  • Processing rules section 3.2.2.6.2.1.2.5.2: add OID szOID_ENROLL_EKVERIFYKEY (1.3.6.1.4.1.311.21.30)

0x00001000 CT_FLAG_ATTEST_PREFERRED *

If this flag is set and the request contains attestation data, the CA MUST invoke the key attestation processing rules specified in section 3.2.2.6.2.1.2.5 and its subsections. Unlike CT_FLAG_ATTEST_REQUIRED, the CA SHOULD NOT return an error to the client if none of the key attestation processing steps is performed. If CT_FLAG_ATTESTATION_WITHOUT_POLICY is not set, the CA MUST add OIDs to the msPKI-Certificate-Policy attribute to indicate that key attestation occurred, one for each processing section that was performed, using the same section-to-OID mapping listed under CT_FLAG_ATTEST_REQUIRED:

  • Processing rules section 3.2.2.6.2.1.2.5: add OID szOID_ENROLL_EKVERIFYCREDS (1.3.6.1.4.1.311.21.32)

  • Processing rules section 3.2.2.6.2.1.2.5.1: add OID szOID_ENROLL_EKVERIFYCERT (1.3.6.1.4.1.311.21.31)

  • Processing rules section 3.2.2.6.2.1.2.5.2: add OID szOID_ENROLL_EKVERIFYKEY (1.3.6.1.4.1.311.21.30)

0x00000000 CT_FLAG_ATTEST_NONE *

This value means that neither CT_FLAG_ATTEST_REQUIRED (0x00002000) nor CT_FLAG_ATTEST_PREFERRED (0x00001000) is set. In that case the CA MUST NOT add certificate policy OIDs to the msPKI-Certificate-Policy attribute to indicate that attestation occurred, and the CA MUST NOT return an error if key attestation failed, even if the request contained key attestation data as specified in section 3.2.2.6.2.1.2.5 and the CA invoked the key attestation processing rules.

0x00004000 CT_FLAG_ATTESTATION_WITHOUT_POLICY *

If this flag is set, the CA MUST NOT add the certificate policy OIDs listed under CT_FLAG_ATTEST_REQUIRED and CT_FLAG_ATTEST_PREFERRED to the msPKI-Certificate-Policy attribute, but the CA SHOULD still follow the processing rules specified in section 3.2.2.6.2.1.2.5.

0x00000200 CT_FLAG_EK_TRUST_ON_USE *

If this flag is set, the CA MUST invoke the key attestation processing rules in section 3.2.2.6.2.1.2.5 and the CA MUST base the attestation on valid user credentials. If CT_FLAG_ATTESTATION_WITHOUT_POLICY is not set, the CA MUST add OID szOID_ENROLL_EKVERIFYCREDS (1.3.6.1.4.1.311.21.32) to the certificate policy extension, indicating that key attestation occurred based on valid user credentials.

0x00000400 CT_FLAG_EK_VALIDATE_CERT *

If this flag is set, the CA MUST invoke the key attestation processing rules in section 3.2.2.6.2.1.2.5 and the CA MUST validate the trust module certificate according to section 3.2.2.6.2.1.2.5.1. The CA SHOULD return error CERTSRV_E_INVALID_EK (0x80094817) if that validation fails. If CT_FLAG_ATTESTATION_WITHOUT_POLICY is not set, the CA MUST add OID szOID_ENROLL_EKVERIFYCERT (1.3.6.1.4.1.311.21.31) to the certificate policy extension, indicating that key attestation occurred based on a valid trust module certificate.

0x00000800 CT_FLAG_EK_VALIDATE_KEY *

If this flag is set, the CA MUST invoke the key attestation processing rules in section 3.2.2.6.2.1.2.5 and the CA MUST check the trust module public key in the request against the trust module public key list located using the Config_Hardware_Key_List_Directories ADM element. The complete processing is described in section 3.2.2.6.2.1.2.5.2. If CT_FLAG_ATTESTATION_WITHOUT_POLICY is not set, the CA MUST add OID szOID_ENROLL_EKVERIFYKEY (1.3.6.1.4.1.311.21.30) to the certificate policy extension, indicating that key attestation occurred based on a valid trust module key.

* Support for these flags is specified in the following behavior note.<126>

  • If the value of a bitwise AND of Certificate.Template.msPKI-Private-Key-Flag and 0x000F0000 (bits 16 through 19 of the attribute) is larger than 0x000Z0000, where Z denotes the value of the Server_Current_Version ADM element, the template requires a newer server version than this CA supports and the server SHOULD NOT enroll for this template.<127>
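The rules in this table are easiest to audit when they are written out as code. The following is an added example and not part of the specification or of any Microsoft implementation: it decodes a raw msPKI-Private-Key-Flag integer (the form in which the value is read from the template object in Active Directory), applies the version gate from behavior note <127>, and predicts the CA outcome for a request according to the rows above. The Request model, the step_results field, the sample template value 0x00042400 and the sample requests are assumptions constructed for this example; where the table leaves precedence open, the code treats the MUST NOT of CT_FLAG_ATTEST_NONE as overriding the SHOULD error of CT_FLAG_EK_VALIDATE_CERT, and treats a cert-validation failure as CERTSRV_E_INVALID_EK before the generic CERTSRV_E_KEY_ATTESTATION check.

```python
"""Decoder and rule model for msPKI-Private-Key-Flag (MS-WCCE 3.2.2.6.2.1.4.5.7).

Added example, not Microsoft code. The Request/Outcome types and the sample
values are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Flag bits from the table.
CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001
CT_FLAG_REQUIRE_SAME_KEY_RENEWAL = 0x00000080
CT_FLAG_EK_TRUST_ON_USE = 0x00000200
CT_FLAG_EK_VALIDATE_CERT = 0x00000400
CT_FLAG_EK_VALIDATE_KEY = 0x00000800
CT_FLAG_ATTEST_PREFERRED = 0x00001000
CT_FLAG_ATTEST_REQUIRED = 0x00002000
CT_FLAG_ATTESTATION_WITHOUT_POLICY = 0x00004000
TEMPLATE_VERSION_MASK = 0x000F0000  # bits 16-19, compared against Server_Current_Version

# HRESULTs named in the table.
CERTSRV_E_ARCHIVED_KEY_REQUIRED = 0x80094804
CERTSRV_E_RENEWAL_BAD_PUBLIC_KEY = 0x80094816
CERTSRV_E_INVALID_EK = 0x80094817
CERTSRV_E_KEY_ATTESTATION = 0x8009481A

# Certificate policy OID the CA adds when the attestation step behind each EK_* flag succeeds.
STEP_OID = {
    CT_FLAG_EK_TRUST_ON_USE: "1.3.6.1.4.1.311.21.32",   # szOID_ENROLL_EKVERIFYCREDS, 3.2.2.6.2.1.2.5
    CT_FLAG_EK_VALIDATE_CERT: "1.3.6.1.4.1.311.21.31",  # szOID_ENROLL_EKVERIFYCERT, 3.2.2.6.2.1.2.5.1
    CT_FLAG_EK_VALIDATE_KEY: "1.3.6.1.4.1.311.21.30",   # szOID_ENROLL_EKVERIFYKEY, 3.2.2.6.2.1.2.5.2
}

# bit -> name, built from the CT_FLAG_* constants above.
FLAG_NAMES = {v: k for k, v in globals().items() if k.startswith("CT_FLAG_")}


def flag_names(flags: int) -> List[str]:
    """Names of the CT_FLAG_* bits set in a raw template value, lowest bit first."""
    return [FLAG_NAMES[bit] for bit in sorted(FLAG_NAMES) if flags & bit]


def attestation_mode(flags: int) -> str:
    if flags & CT_FLAG_ATTEST_REQUIRED:
        return "required"
    if flags & CT_FLAG_ATTEST_PREFERRED:
        return "preferred"
    return "none"  # CT_FLAG_ATTEST_NONE: neither bit set


def required_server_version(flags: int) -> int:
    return (flags & TEMPLATE_VERSION_MASK) >> 16


def server_can_enroll(flags: int, server_current_version: int) -> bool:
    """Behavior note <127>: the CA refuses templates whose version bits exceed its own version."""
    return (flags & TEMPLATE_VERSION_MASK) <= (server_current_version << 16)


@dataclass
class Request:
    """Facts about one request that the table consults (assumed model for this example).
    step_results holds the outcome of each attestation step the CA could run, keyed by
    its EK_* flag: True = verified, False = failed, absent = not run."""
    is_renewal: bool = False
    is_key_archival: bool = False
    key_matches_renewed_cert: bool = True
    has_attestation_data: bool = False
    step_results: Dict[int, bool] = field(default_factory=dict)


@dataclass
class Outcome:
    error: Optional[int] = None                 # HRESULT returned to the client, or None
    policy_oids: List[str] = field(default_factory=list)


def evaluate(flags: int, req: Request) -> Outcome:
    out = Outcome()
    # 0x00000001: archival required, unless this is a same-key renewal (then ignored).
    if flags & CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL:
        same_key_renewal = req.is_renewal and bool(flags & CT_FLAG_REQUIRE_SAME_KEY_RENEWAL)
        if not same_key_renewal and not req.is_key_archival:
            out.error = CERTSRV_E_ARCHIVED_KEY_REQUIRED
            return out
    # 0x00000080: a renewal must reuse the key of a certificate being renewed.
    if flags & CT_FLAG_REQUIRE_SAME_KEY_RENEWAL and req.is_renewal and not req.key_matches_renewed_cert:
        out.error = CERTSRV_E_RENEWAL_BAD_PUBLIC_KEY
        return out
    # Attestation steps actually run: only those whose EK_* flag is set, and only with data present.
    ran: Dict[int, bool] = {}
    if req.has_attestation_data:
        ran = {f: ok for f, ok in req.step_results.items() if f in STEP_OID and flags & f}
    mode = attestation_mode(flags)
    if mode == "none":
        return out  # MUST NOT add OIDs and MUST NOT fail, even if a step ran and failed
    if ran.get(CT_FLAG_EK_VALIDATE_CERT) is False:
        out.error = CERTSRV_E_INVALID_EK  # SHOULD, per CT_FLAG_EK_VALIDATE_CERT
        return out
    if mode == "required" and not any(ran.values()):
        out.error = CERTSRV_E_KEY_ATTESTATION  # SHOULD, per CT_FLAG_ATTEST_REQUIRED
        return out
    if not flags & CT_FLAG_ATTESTATION_WITHOUT_POLICY:
        out.policy_oids = [STEP_OID[f] for f in STEP_OID if ran.get(f)]
    return out


if __name__ == "__main__":
    # Constructed template value: attestation required, EK certificate validation, version 4.
    template = CT_FLAG_ATTEST_REQUIRED | CT_FLAG_EK_VALIDATE_CERT | (4 << 16)
    print(hex(template), flag_names(template), "needs server version", required_server_version(template))
    print("v3 CA enrolls:", server_can_enroll(template, 3), "v4 CA enrolls:", server_can_enroll(template, 4))
    print(evaluate(template, Request(has_attestation_data=True, step_results={CT_FLAG_EK_VALIDATE_CERT: True})))
    print(evaluate(template, Request()))  # no attestation data: CERTSRV_E_KEY_ATTESTATION
```

Two findings this makes visible when run over real template values: a template with CT_FLAG_ATTESTATION_WITHOUT_POLICY set yields certificates that carry no evidence of the attestation that took place, so relying parties cannot distinguish them from unattested certificates; and a template with EK_* flags but neither attestation bit set (CT_FLAG_ATTEST_NONE) still issues when the trust module check fails.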