We have updated [MS-WCCE] for the next release of the document:
3.2.1.4.3.2.15.1 Creating a CA Exchange Certificate
- If an exchange certificate wasn't created in previous steps, create it by adding the following fields and extensions:
  - For the Subject of the exchange certificate, a common name attribute is used with a value the same as the value of the common name attribute in the subject information of the CA signing certificate (Signing_Cert_Certificate datum) and appending "-Xchg" to the value. The Issuer field is filled with the same value as the Subject field of the CA signing certificate (Signing_Cert_Certificate datum).
  - The Authority Key Identifier extension is added with the same value as the Subject Key Identifier extension in the CA signing certificate (Signing_Cert_Certificate datum). If the Subject Key Identifier extension is not found in the CA signing certificate (Signing_Cert_Certificate datum), then the SHA1 hash of the public key of the CA signing certificate (Signing_Cert_Certificate datum) is used as the value for the Authority Key Identifier extension. The Authority Key Identifier extension is specified in [RFC3280] section 4.2.1.1.
  - The Subject Key Identifier extension is added with the same value as the SHA1 hash of the public key associated with the exchange certificate. The Subject Key Identifier extension is specified in [RFC3280] section 4.2.1.2.
  - The Authority Information Access extension is added with the same value the CA returns when ICertRequestD2::GetCAProperty is called for PropID of CR_PROP_CERTAIAURLS and propIndex of 0xFFFFFFFF. See section 3.2.1.4.3.2.42 for details on how this value is computed. The Authority Information Access extension is specified in [RFC3280] section 4.2.2.1.
  - The CRL Distribution Point extension is added with the same value the CA returns when ICertRequestD2::GetCAProperty is called for PropID of CR_PROP_CERTCDPURLS and propIndex of 0xFFFFFFFF. See section 3.2.1.4.3.2.43 for details on how this value is computed. The CRL Distribution Point extension is specified in [RFC3280] section 4.2.1.14.
We're still working on item 13.
Best Regards,
Jeff McCashland
Microsoft Open Specifications
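The construction steps in the message above, modelled as an added worked example. This is not code from the message, from [MS-WCCE] or from any Microsoft CA implementation; it uses only the Python standard library. The RSA key structures are constructed placeholders (not real keys), the URL lists stand in for whatever GetCAProperty returns for CR_PROP_CERTAIAURLS and CR_PROP_CERTCDPURLS, and the function names (`exchange_certificate_plan`, `check_exchange_binding`, `key_identifier`) are my own. The key identifier is computed with the RFC 3280 section 4.2.1.2 method (SHA-1 over the subjectPublicKey BIT STRING contents), which is the hash the steps refer to for both the SKI and the AKI fallback; the check function is the consistency test a reviewer would run on a CA's exchange certificate against its signing certificate.

```python
"""Added example: modelling the exchange-certificate construction steps from
[MS-WCCE] 3.2.1.4.3.2.15.1 with only the Python standard library.
Key material and URLs below are constructed placeholders, not real CA data."""
import hashlib


# --- minimal DER (tag-length-value) helpers, enough for SubjectPublicKeyInfo ---
def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Wrap body in a DER TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(body)) + body


def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def wrap_spki(rsa_public_key_der):
    """Build SubjectPublicKeyInfo { AlgorithmIdentifier {rsaEncryption, NULL}, BIT STRING key }."""
    alg = der(0x30, RSA_ENCRYPTION_OID + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_public_key_der))


def key_identifier(spki_der):
    """RFC 3280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING
    contents, excluding its tag, length and the unused-bits octet. The steps in
    the message use this hash for the SKI and for the AKI fallback."""
    _, spki_body, _ = der_read(spki_der)
    _, _alg, after_alg = der_read(spki_body)        # skip AlgorithmIdentifier
    tag, bits, _ = der_read(spki_body, after_alg)
    if tag != 0x03:
        raise ValueError("expected BIT STRING for subjectPublicKey")
    return hashlib.sha1(bits[1:]).digest()          # bits[0] is the unused-bits count


# Constructed placeholder RSAPublicKey structures (not real keys): INTEGER modulus, INTEGER exponent.
SIGNING_RSA_PUB = der(0x30, der(0x02, b"\x00\xc9" + bytes(range(1, 31))) + der(0x02, b"\x01\x00\x01"))
EXCHANGE_RSA_PUB = der(0x30, der(0x02, b"\x00\xd7" + bytes(range(31, 61))) + der(0x02, b"\x01\x00\x01"))
SIGNING_SPKI = wrap_spki(SIGNING_RSA_PUB)
EXCHANGE_SPKI = wrap_spki(EXCHANGE_RSA_PUB)


def exchange_certificate_plan(signing_cn, signing_subject, signing_spki, signing_ski,
                              exchange_spki, aia_urls, cdp_urls):
    """Derive the exchange certificate's fields as the steps above describe.
    signing_ski is the signing certificate's SKI extension value, or None if absent."""
    # AKI copies the signing certificate's SKI; if that extension is absent,
    # fall back to the SHA-1 of the signing certificate's public key.
    aki = signing_ski if signing_ski is not None else key_identifier(signing_spki)
    return {
        "subject_cn": signing_cn + "-Xchg",
        "issuer": signing_subject,
        "authority_key_identifier": aki,
        "subject_key_identifier": key_identifier(exchange_spki),
        "authority_information_access": list(aia_urls),  # CR_PROP_CERTAIAURLS value
        "crl_distribution_points": list(cdp_urls),       # CR_PROP_CERTCDPURLS value
    }


def check_exchange_binding(plan, signing_cn, signing_subject, signing_spki, signing_ski=None):
    """Consistency checks a reviewer can run on an exchange certificate's fields
    against the signing CA; returns a list of findings (empty means consistent)."""
    findings = []
    if plan["subject_cn"] != signing_cn + "-Xchg":
        findings.append("subject CN is not the signing CN with '-Xchg' appended")
    if plan["issuer"] != signing_subject:
        findings.append("issuer does not equal the signing certificate's subject")
    expected_aki = signing_ski if signing_ski is not None else key_identifier(signing_spki)
    if plan["authority_key_identifier"] != expected_aki:
        findings.append("AKI does not chain to the signing certificate's key")
    if len(plan["subject_key_identifier"]) != 20:
        findings.append("SKI is not a 20-byte SHA-1 value")
    return findings


if __name__ == "__main__":
    plan = exchange_certificate_plan("Contoso Root CA", "CN=Contoso Root CA", SIGNING_SPKI, None,
                                     EXCHANGE_SPKI, ["http://placeholder.example/ca.crt"],
                                     ["http://placeholder.example/ca.crl"])
    print(plan["subject_cn"], plan["authority_key_identifier"].hex())
    print("findings:", check_exchange_binding(plan, "Contoso Root CA", "CN=Contoso Root CA", SIGNING_SPKI))
```

Running the block with `signing_ski=None` exercises the fallback path the message describes (no SKI extension on the signing certificate), so the AKI equals the SHA-1 of the signing key; passing an explicit SKI value instead makes the AKI a straight copy of it, and `check_exchange_binding` then flags a plan whose AKI was derived with the wrong rule.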