2.23.2 Syntax Option 2

Note An alternative scenario for template schema version 4 is defined in section 2.23.1.

If either of the following is true:

  • The template is version 3.

  • The template version is 4 and the template does not have the CT_FLAG_USE_LEGACY_PROVIDER bit of the msPKI-Private-Key-Flag attribute set.

then the msPKI-RA-Application-Policies attribute contains a string of property-type-value triplets that are separated by a grave accent (`) character.

Each triplet for this attribute has the following format.

 Name`Type`Value`

Where:

  Tag     Description
  Name    The property name. This value MUST be one of the property names in the following list.
  Type    The Type MUST be "DWORD" or "PZPWSTR". If "DWORD" is used, the Value field contains a Unicode string representation of a positive decimal number. If "PZPWSTR" is used, the Value field contains a Unicode string.
  Value   The value of the parameter.
  `       A delimiter symbol separator.

The property name MUST be one of the following:

  • msPKI-RA-Application-Policies: A string value that represents a set of application policy OIDs (comma-separated) for the RA certificates. Application policy OIDs are the same as extended key usage OIDs, as specified in [RFC3280] section 4.2.1.13. The type MUST be "PZPWSTR".

  • msPKI-Asymmetric-Algorithm: A string value that represents the name of the asymmetric algorithm. The type MUST be "PZPWSTR".

  • msPKI-Key-Security-Descriptor: A Security Descriptor Description Language (SDDL) string that represents the security descriptor (as specified in [MS-DTYP] section 2.5.1) for the asymmetric key. The type MUST be "PZPWSTR".

  • msPKI-Symmetric-Algorithm: A string value that represents the name of the symmetric algorithm that clients use for key exchanges. The type MUST be "PZPWSTR".

  • msPKI-Symmetric-Key-Length: An unsigned integer value that represents the length, in bits, of the symmetric key. The type MUST be DWORD.

  • msPKI-Hash-Algorithm: A string value that represents the name of the hash algorithm that clients use. The type MUST be "PZPWSTR".

  • msPKI-Key-Usage: An unsigned integer value that represents how the private key is used (see [MS-WCCE] section 3.1.2.4.2.2.2.5). The type MUST be DWORD. A bitwise OR of the following flags is supported for this property.

    Name                        Value        Meaning
    NCRYPT_ALLOW_DECRYPT_FLAG   0x00000001   The private key can be used to perform a decryption operation.
    NCRYPT_ALLOW_SIGNING_FLAG   0x00000002   The private key can be used to perform a signature operation.
    ALLOW_KEY_AGREEMENT_FLAG    0x00000004   The private key can be used to perform a key-agreement operation.
    NCRYPT_ALLOW_ALL_USAGES     0x00ffffff   The private key is not restricted to any specific cryptographic operations.

For example:

 msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-RA-Application-Policies`PZPWSTR`1.3.6.1.4.1.311.10.3.8`
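The following parser, added here as an example and not part of the MS-CRTD specification, splits a Syntax Option 2 string into its Name`Type`Value triplets, enforces the Type rules and the allowed property names listed above, and decodes the msPKI-Key-Usage bits against the flag table; the sample string is the page's own example, and the function names are assumptions.

```python
# Added example (not part of MS-CRTD): parse the backtick-delimited Name`Type`Value
# triplets of msPKI-RA-Application-Policies and decode the msPKI-Key-Usage flags.
DELIM = "`"
# Property name -> the Type the page requires for it.
ALLOWED_NAMES = {
    "msPKI-RA-Application-Policies": "PZPWSTR",
    "msPKI-Asymmetric-Algorithm": "PZPWSTR",
    "msPKI-Key-Security-Descriptor": "PZPWSTR",
    "msPKI-Symmetric-Algorithm": "PZPWSTR",
    "msPKI-Symmetric-Key-Length": "DWORD",
    "msPKI-Hash-Algorithm": "PZPWSTR",
    "msPKI-Key-Usage": "DWORD",
}
KEY_USAGE_FLAGS = {
    "NCRYPT_ALLOW_DECRYPT_FLAG": 0x00000001,
    "NCRYPT_ALLOW_SIGNING_FLAG": 0x00000002,
    "ALLOW_KEY_AGREEMENT_FLAG": 0x00000004,
}
NCRYPT_ALLOW_ALL_USAGES = 0x00FFFFFF


def parse_ra_application_policies(raw: str) -> dict:
    """Return {name: value}; DWORD values become int, PZPWSTR values stay str."""
    if not raw.endswith(DELIM):
        raise ValueError("string must end with the ` delimiter")
    fields = raw[:-1].split(DELIM)  # drop the trailing delimiter, then split
    if len(fields) % 3:
        raise ValueError("not a whole number of Name`Type`Value triplets")
    result = {}
    for i in range(0, len(fields), 3):
        name, typ, value = fields[i:i + 3]
        expected = ALLOWED_NAMES.get(name)
        if expected is None:
            raise ValueError(f"unknown property name {name!r}")
        if typ != expected:
            raise ValueError(f"{name} must be of type {expected}, got {typ!r}")
        if typ == "DWORD" and not value.isdigit():
            raise ValueError(f"{name}: {value!r} is not a positive decimal number")
        result[name] = int(value) if typ == "DWORD" else value
    return result


def describe_key_usage(usage: int) -> list:
    """Map an msPKI-Key-Usage DWORD to the flag names in the page's table."""
    if usage == NCRYPT_ALLOW_ALL_USAGES:
        return ["NCRYPT_ALLOW_ALL_USAGES"]
    return [name for name, bit in KEY_USAGE_FLAGS.items() if usage & bit]


# Constructed sample: the page's own example, joined onto one line.
SAMPLE = ("msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`"
          "msPKI-Key-Usage`DWORD`2`msPKI-RA-Application-Policies`PZPWSTR`1.3.6.1.4.1.311.10.3.8`")
```

Running `parse_ra_application_policies(SAMPLE)` yields a signing-only key usage (`describe_key_usage(2)` returns `["NCRYPT_ALLOW_SIGNING_FLAG"]`), which is what a template audit would compare against the intended purpose of the template.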

For schema details of this attribute, see [MS-ADA2] section 2.619.