3.2.2.6.2.1.4.5.8 msPKI-Certificate-Policy

The CA MUST construct a certificate policies extension as specified in [RFC3280] section 4.2.1.5, and the CA MUST use the OIDs specified in this attribute in the certificate request as the OIDs in the certificate policy extension of the certificate.

  • Let CurrentCertificateRequestCertPolicies be a list of OIDs identifying each certificate policy requested by the client via the szOID_CERT_EXTENSIONS attribute (1.3.6.1.4.1.311.2.1.14) containing a certificate policy extension as defined in [RFC3280] section 4.2.1.5.

  • Let KeyAttestationPolicies be a list of OIDs identifying each certificate policy verified by the CA according to section 3.2.2.6.2.1.4.5.7.

Processing for CurrentCertificateRequestCertPolicies

  • If the CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST flag of the msPKI-Enrollment-Flag attribute is set AND the msPKI-Certificate-Policy attribute is empty AND the CurrentCertificateRequestCertPolicies list is not empty, the CA SHOULD return the CERTSRV_E_TEMPLATE_CONFLICT error (0x80094802) to the client.<128>

  • For each OID in the msPKI-Certificate-Policy attribute:

    • If the CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST flag of the msPKI-Enrollment-Flag attribute is set and the CurrentCertificateRequestCertPolicies list does not contain the current OID, the CA SHOULD continue with the next OID.<129>

    • Add a certificate policy identified by the current OID to the certificate policy extension of the certificate to be issued.

Processing When KeyAttestationPolicies Is Not Empty

  • If the KeyAttestationPolicies list is not empty, the CA MUST obtain a union between KeyAttestationPolicies OIDs and the OIDs in the msPKI-Certificate-Policy attribute. If there are any duplicates, the CA MUST preserve the OID in msPKI-Certificate-Policy and discard the one from KeyAttestationPolicies.

  • If the CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST flag of the msPKI-Enrollment-Flag attribute is set and both KeyAttestationPolicies and CurrentCertificateRequestCertPolicies are not empty, the CA MUST follow the processing rules for CurrentCertificateRequestCertPolicies specified earlier in this section. The CA MUST then obtain a union between KeyAttestationPolicies OIDs and the OIDs in the msPKI-Certificate-Policy attribute. If there are any duplicates, the CA MUST preserve the OID in msPKI-Certificate-Policy and discard the one from KeyAttestationPolicies.
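The following is an added example, not text or code from the MS-WCCE specification or from any Microsoft CA implementation. It models the complete certificate-policies selection procedure described in this section as one function, so that a CA policy module or a test harness can check that the OIDs placed in the certificate policies extension follow the rules above (template conflict, request-filtered template OIDs, and the union with KeyAttestationPolicies). Assumptions: the numeric value of CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST is taken as 0x00020000 (its value in the certificate template definition; treated here as an assumption), all OIDs are plain dotted-decimal strings, and in the union step an OID from KeyAttestationPolicies that also appears in msPKI-Certificate-Policy is discarded even when the request filter already skipped the template copy (a literal reading of "discard the one from KeyAttestationPolicies").

```python
# Added example (not part of MS-WCCE): model of the msPKI-Certificate-Policy
# processing rules for the certificate policies extension.

# Assumption: flag value as defined for msPKI-Enrollment-Flag in certificate templates.
CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST = 0x00020000
# Error code given in this section.
CERTSRV_E_TEMPLATE_CONFLICT = 0x80094802


class TemplateConflict(Exception):
    """Raised where the section says the CA SHOULD return CERTSRV_E_TEMPLATE_CONFLICT."""

    def __init__(self):
        self.code = CERTSRV_E_TEMPLATE_CONFLICT
        super().__init__("CERTSRV_E_TEMPLATE_CONFLICT (0x%08X)" % self.code)


def select_certificate_policies(template_policies, enrollment_flag,
                                request_policies, key_attestation_policies):
    """Return the ordered list of policy OIDs to place in the certificate
    policies extension of the certificate to be issued.

    template_policies        : OIDs from the msPKI-Certificate-Policy attribute
    enrollment_flag          : integer value of msPKI-Enrollment-Flag
    request_policies         : CurrentCertificateRequestCertPolicies (OIDs from the
                               certificate policies extension in the request)
    key_attestation_policies : KeyAttestationPolicies (OIDs verified by the CA
                               according to section 3.2.2.6.2.1.4.5.7)
    """
    from_request = bool(enrollment_flag & CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST)

    # Rule 1: flag set, template carries no policies, but the request asks for
    # some -> the request and template conflict.
    if from_request and not template_policies and request_policies:
        raise TemplateConflict()

    # Rule 2: walk msPKI-Certificate-Policy; when the flag is set, only OIDs the
    # client actually requested are issued.
    issued = []
    for oid in template_policies:
        if from_request and oid not in request_policies:
            continue  # not requested by the client: skip this template OID
        if oid not in issued:
            issued.append(oid)

    # Rule 3: union with KeyAttestationPolicies. On a duplicate the template OID
    # is preserved and the attestation copy discarded (assumption: this also
    # applies when rule 2 already skipped the template copy).
    for oid in key_attestation_policies:
        if oid in template_policies or oid in issued:
            continue
        issued.append(oid)

    return issued


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real template.
    flag = CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST
    print(select_certificate_policies(["1.2.3", "1.2.4"], flag, ["1.2.4"], ["1.2.9"]))
    try:
        select_certificate_policies([], flag, ["1.2.3"], [])
    except TemplateConflict as exc:
        print("conflict:", exc)
```

The function keeps template order first and appends attestation-only OIDs afterwards, which makes the "template OID wins on duplicates" rule visible in the output order; a CA that emits policy qualifiers would attach them at the point where the template copy is kept.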