3.1.4.1 Processing Rules for ICertAdminD

The ICertAdminD interface provides an application programming interface for a client<16> to manage a certificate authority.

The ICertAdminD interface inherits the IUnknown interface.

The version number for IUnknown is 1.0. The universally unique identifier (UUID) for the ICertAdminD interface is "d99e6e71-fc88-11d0-b498-00a0c90312f3". Method opnum field values start with 3; opnum values 0 through 2 represent the IUnknown methods: QueryInterface, AddRef, and Release methods, respectively, as specified in [MS-DCOM].

Methods in RPC Opnum Order (opnum, method, description):

Opnum 3, SetExtension: The SetExtension method allows adding, modifying, or disabling extensions, as specified in [RFC3280]; a CA can include an extension in an issued certificate for a particular pending request.

Opnum 4, SetAttributes: The SetAttributes method sets attributes in the specified pending certificate request.

Opnum 5, ResubmitRequest: The ResubmitRequest method resubmits a specific pending or denied certificate request to the CA.

Opnum 6, DenyRequest: The DenyRequest method denies a specific certificate request that is pending.

Opnum 7, IsValidCertificate: The IsValidCertificate method verifies the certificate against the CA key and checks that the certificate has not been revoked.

Opnum 8, PublishCRL: The PublishCRL method sends a request to the CA server to publish a new CRL, as specified in [RFC3280] section 5.

Opnum 9, GetCRL: The GetCRL method retrieves the current CRL for the CA server.

Opnum 10, RevokeCertificate: The RevokeCertificate method revokes a certificate either immediately or on a specified date.

Opnum 11, EnumViewColumn: The EnumViewColumn method returns an array of column information.

Opnum 12, GetViewDefaultColumnSet: The GetViewDefaultColumnSet method returns an array of the column set identifiers associated with a specific view.

Opnum 13, EnumAttributesOrExtensions: The EnumAttributesOrExtensions method is used to access sets of attributes or extensions for a particular row ID.

Opnum 14, OpenView: The OpenView method opens a view into the database and returns a set of resultant row data.

Opnum 15, EnumView: The EnumView method returns a set of resultant row data for the opened view.

Opnum 16, CloseView: The CloseView method closes a view previously opened with the OpenView method call.

Opnum 17, ServerControl: The ServerControl method is used to force the CA server to unregister the ICertAdminD and ICertAdminD2 interfaces.

Opnum 18, Ping: The Ping method is used to test whether the Certificate server is alive.

Opnum 19, GetServerState: The GetServerState method is used to validate "Read".

Opnum 20, BackupPrepare: The BackupPrepare method is used to prepare the database for performing further backup operations.

Opnum 21, BackupEnd: The BackupEnd method completes the backup process started via a call to ICertAdminD::BackupPrepare.

Opnum 22, BackupGetAttachmentInformation: The BackupGetAttachmentInformation method is used to query the CA for the names of database files that are to become part of the backup file set.

Opnum 23, BackupGetBackupLogs: The BackupGetBackupLogs method queries the CA for the names of database transaction log files that are to become part of the backup file set.

Opnum 24, BackupOpenFile: The BackupOpenFile method opens a file for backup.

Opnum 25, BackupReadFile: The BackupReadFile method reads the database file and loads the content into the buffer provided.

Opnum 26, BackupCloseFile: The BackupCloseFile method closes the database file that was initialized by a prior call to BackupOpenFile.

Opnum 27, BackupTruncateLogs: The BackupTruncateLogs method eliminates redundant records from the log files and reduces the disk storage space used by log files.

Opnum 28, ImportCertificate: The ImportCertificate method imports a certificate into the CA database.

Opnum 29, BackupGetDynamicFiles: The BackupGetDynamicFiles method retrieves the list of CA dynamic file names that need to be backed up.

Opnum 30, RestoreGetDatabaseLocations: The RestoreGetDatabaseLocations method retrieves the list of CA server database location names for all the database files being restored.

All methods MUST NOT throw exceptions.

The CA MUST execute the following processing rules for each invocation of any method listed in this section. Only then MUST the CA proceed to execute the processing rules given for that individual method.

The CA MUST obtain the SID in the RPC_SID form of the caller from the value of the element uToken.Sids[uToken.UserIndex]. The ADM element uToken is initialized by retrieving the identity token for the current execution context by calling the abstract interface GetRpcImpersonationAccessToken() as specified in [MS-RPCE] section 3.3.3.4.3.1. The value of the uToken.Sids array element indexed at uToken.UserIndex is the SID of the caller. If the caller cannot be identified (uToken.Sids[uToken.UserIndex] is NULL), the CA MUST refuse to establish a connection, returning an error.<17>

If Config_CA_Interface_Flags contains the value IF_ENFORCEENCRYPTICERTADMIN (section 3.1.4.2.14) and the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level, as defined in [MS-RPCE] section 2.2.1.1.8, is not specified on the RPC connection from the client, the CA MUST refuse to establish a connection with the client by returning an error.<18><19>

If Config_CA_Interface_Flags contains the value IF_NOREMOTEICERTADMIN, the CA SHOULD return an error for any of the methods listed in this section.<20>
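As an added illustration that is not part of the specification, the following Python models the three common admission checks above (caller SID, enforced packet privacy, no remote admin) and decodes the two Config_CA_Interface_Flags bits they reference. The flag bit values and the RPC authentication-level constants are not on this page; they are taken from the public Windows CA InterfaceFlags and RPC definitions and are labelled as assumptions in the code.

```python
"""Model of the per-call admission rules in section 3.1.4.1 (added example)."""
from dataclasses import dataclass
from typing import Optional

# Config_CA_Interface_Flags bits named in this section. Bit values are
# assumed from the public Windows CA InterfaceFlags definition, not this page.
IF_NOREMOTEICERTADMIN = 0x00000010
IF_ENFORCEENCRYPTICERTADMIN = 0x00000400

# RPC authentication levels ([MS-RPCE] 2.2.1.1.8); numeric values assumed
# from the public RPC definitions, not this page.
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6


@dataclass
class CallContext:
    caller_sid: Optional[str]  # uToken.Sids[uToken.UserIndex]; None when NULL
    authn_level: int           # authentication level on the RPC connection


def admit_icertadmind_call(flags: int, ctx: CallContext) -> str:
    """Apply the section's common rules in order; return 'ok' or the refusal."""
    # Rule 1: the caller must be identifiable from the impersonation token.
    if ctx.caller_sid is None:
        return "refused: caller SID unavailable"
    # Rule 2: IF_ENFORCEENCRYPTICERTADMIN requires PKT_PRIVACY on the connection.
    if (flags & IF_ENFORCEENCRYPTICERTADMIN
            and ctx.authn_level != RPC_C_AUTHN_LEVEL_PKT_PRIVACY):
        return "refused: IF_ENFORCEENCRYPTICERTADMIN requires PKT_PRIVACY"
    # Rule 3: IF_NOREMOTEICERTADMIN makes every ICertAdminD method return an error.
    if flags & IF_NOREMOTEICERTADMIN:
        return "refused: IF_NOREMOTEICERTADMIN"
    return "ok"


def audit_interface_flags(flags: int) -> dict:
    """Report the hardening bits relevant to ICertAdminD for a CA's flag DWORD
    (for example the value read from the CA's InterfaceFlags setting)."""
    return {
        "encrypted_admin_enforced": bool(flags & IF_ENFORCEENCRYPTICERTADMIN),
        "remote_admin_disabled": bool(flags & IF_NOREMOTEICERTADMIN),
    }


if __name__ == "__main__":
    # Constructed sample: an admin SID with and without packet privacy.
    ctx = CallContext("S-1-5-21-1-2-3-500", RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
    print(admit_icertadmind_call(IF_ENFORCEENCRYPTICERTADMIN, ctx))
    print(audit_interface_flags(IF_ENFORCEENCRYPTICERTADMIN))
```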