2.2.9.3.3 ISSUEDPRINCIPALS
The ISSUEDPRINCIPALS element of an issuing certificate describes the role, identity, and key the certificate is issuing. It MUST use the following template.
<ISSUEDPRINCIPALS>
  <PRINCIPAL internal-id="1">
    <OBJECT type="[[- objecttype -]]">
      <ID type="[[- idtype -]]">[[- id -]]</ID>
      [[- name -]]
      [[- address -]]
    </OBJECT>
    [[- publickey -]]
    [[- serverversion -]]
    [[- serversku -]]
  </PRINCIPAL>
</ISSUEDPRINCIPALS>
[[- objecttype -]]: MUST contain the literal string, as listed in the following table, specifying the type of principal the certificate is issuing.

Certificate                                       Literal string
------------------------------------------------  ----------------------------------------------------
SLC                                               MS-DRM-Server
Enrollment Service certificate                    MS-DRM-Server
Enrollment CA certificate                         DRM-Certificate-Authority
Version 1 security processor CA certificate       MS-DRM-Server
SPC issuer certificate                            MS-DRM-Desktop-Security-Processor
Security processor CA certificate                 DRM-Desktop-Security-Processor-Certificate-Authority
Intermediate security processor CA certificate    DRM-Certificate-Authority
CA certificate                                    DRM-Certificate-Authority
[[- idtype -]]: MUST contain the literal string, as listed in the following table, specifying the type of identifier used to identify the principal.

Certificate                                       Literal string
------------------------------------------------  --------------
SLC                                               MS-GUID
Enrollment Service certificate                    MS-GUID
Enrollment CA certificate                         ascii-tag
Version 1 security processor CA certificate       MS-GUID
SPC issuer certificate                            MS-GUID
Security processor CA certificate                 MS-GUID
Intermediate security processor CA certificate    ascii-tag
CA certificate                                    ascii-tag
[[- id -]]: MUST contain the value or literal string, as listed in the following tables, identifying the principal. The [[- GUID -]] placeholder is defined immediately following the two tables.

This table is for RMS servers in the production hierarchy:

Certificate                                       String
------------------------------------------------  -----------------------------------------------------
SLC                                               [[- GUID -]]
Enrollment Service certificate                    [[- GUID -]]
Enrollment CA certificate                         Microsoft DRM Production Server Enrollment CA
Version 1 security processor CA certificate       [[- GUID -]]
SPC issuer certificate                            [[- GUID -]]
Security processor CA certificate                 [[- GUID -]]
Intermediate security processor CA certificate    Microsoft DRM Production Machine Activation Server CA
CA certificate                                    Microsoft DRM Production CA

This table is for RMS servers in the pre-production hierarchy:

Certificate                                       String
------------------------------------------------  -----------------------------------------------------
SLC                                               [[- GUID -]]
Enrollment Service certificate                    [[- GUID -]]
Enrollment CA certificate                         Microsoft DRM ISV Server Enrollment CA
Version 1 security processor CA certificate       [[- GUID -]]
SPC issuer certificate                            [[- GUID -]]
Security processor CA certificate                 [[- GUID -]]
Intermediate security processor CA certificate    Microsoft DRM ISV Machine Activation Server CA
CA certificate                                    Microsoft DRM ISV CA
[[- GUID -]]: MUST be a unique GUID that identifies the principal the certificate is issuing, represented as a literal ASCII string enclosed in braces.
[[- name -]]: MUST be present in all issuing certificates except for the SLC. MUST NOT be present in the SLC, except when the server has been self-enrolled and the server name is used for the name element. MUST be a name element containing the literal string, as listed in the following tables, specifying a name for the principal.

This table is for RMS servers in the production hierarchy:

Certificate                                       String
------------------------------------------------  --------------------------------------------------------------------------
Enrollment Service certificate                    Microsoft DRM Server Enrollment Service
Enrollment CA certificate                         Microsoft DRM Production Server Enrollment CA
Version 1 security processor CA certificate       Microsoft DRM Machine Activation Service
SPC issuer certificate                            Microsoft DRM Production Desktop Security Processor Activation Certificate
Security processor CA certificate                 Microsoft DRM Production Machine Activation Desktop Security Processor CA
Intermediate security processor CA certificate    Microsoft DRM Production Machine Activation Server CA
CA certificate                                    Microsoft DRM Production CA

If the RMS server has been self-enrolled, the name element's value for the Enrollment Service certificate MUST be "Microsoft DRM Server Self Enrollment Service".

This table is for RMS servers in the pre-production hierarchy:

Certificate                                       String
------------------------------------------------  -------------------------------------------------------------------
Enrollment Service certificate                    Microsoft DRM ISV Server Enrollment Service
Enrollment CA certificate                         Microsoft DRM ISV Server Enrollment CA
Version 1 security processor CA certificate       Microsoft DRM Machine Activation Service
SPC issuer certificate                            Microsoft DRM ISV Desktop Security Processor Activation Certificate
Security processor CA certificate                 Microsoft DRM ISV Machine Activation Desktop Security Processor CA
Intermediate security processor CA certificate    Microsoft DRM ISV Machine Activation Server CA
CA certificate                                    Microsoft DRM ISV CA
[[- address -]]: MUST be present in the SLC only. MUST NOT be present in other issuing certificates. MUST be an address element of type "URL" containing the URL of the server.
[[- publickey -]]: MUST contain the public key being issued. Exponent MUST be set to 65537. Modulus MUST contain the modulus of the public key. Size MUST be specified in bits, as indicated in the following table.

Certificate                                       Size (bits)
------------------------------------------------  ------------
SLC                                               1024 or 2048
Enrollment Service certificate                    1024 or 2048
Enrollment CA certificate                         1024 or 2048
Version 1 security processor CA certificate       1024
SPC issuer certificate                            1024 or 2048
Security processor CA certificate                 1024 or 2048
Intermediate security processor CA certificate    1024 or 2048
CA certificate                                    2048
[[- serverversion -]]: SHOULD be present in the SLC only. MUST NOT be present in other issuing certificates. SHOULD be a SECURITYLEVEL element. The name attribute SHOULD be set to "Server-Version" and the value attribute MAY<7> be set to a string containing additional version information of the server.
[[- serversku -]]: SHOULD be present in the SLC only. MUST NOT be present in other issuing certificates. SHOULD be a SECURITYLEVEL element. The name attribute SHOULD be set to "Server-SKU" and the value attribute MAY<8> be set to a string containing additional version information of the server.
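As an added example that is not part of the specification, the following Python checks a received ISSUEDPRINCIPALS element against the rules in this section before a chain is trusted: OBJECT type, ID type and value, presence of NAME and ADDRESS, the 65537 exponent, the permitted modulus sizes, and SECURITYLEVEL elements outside the SLC. The literal strings and sizes are the production-hierarchy values from the tables above. The element names NAME and ADDRESS, and the PUBLICKEY layout (PARAMETER elements named public-exponent and modulus, each holding a VALUE with a size attribute), are assumed from XrML conventions rather than taken from this section; the sample GUID, URL and modulus are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Marker meaning "the ID must be a brace-enclosed GUID" (the [[- GUID -]] placeholder).
GUID = "<GUID>"

# Per-certificate constraints from the tables in this section, production hierarchy:
# (OBJECT type, ID type, ID value, NAME value, permitted modulus sizes in bits).
# The SLC has no NAME entry because it carries none unless the server is self-enrolled.
RULES = {
    "SLC": ("MS-DRM-Server", "MS-GUID", GUID, None, {1024, 2048}),
    "Enrollment Service certificate": ("MS-DRM-Server", "MS-GUID", GUID,
        "Microsoft DRM Server Enrollment Service", {1024, 2048}),
    "Enrollment CA certificate": ("DRM-Certificate-Authority", "ascii-tag",
        "Microsoft DRM Production Server Enrollment CA",
        "Microsoft DRM Production Server Enrollment CA", {1024, 2048}),
    "Version 1 security processor CA certificate": ("MS-DRM-Server", "MS-GUID", GUID,
        "Microsoft DRM Machine Activation Service", {1024}),
    "SPC issuer certificate": ("MS-DRM-Desktop-Security-Processor", "MS-GUID", GUID,
        "Microsoft DRM Production Desktop Security Processor Activation Certificate", {1024, 2048}),
    "Security processor CA certificate": ("DRM-Desktop-Security-Processor-Certificate-Authority",
        "MS-GUID", GUID,
        "Microsoft DRM Production Machine Activation Desktop Security Processor CA", {1024, 2048}),
    "Intermediate security processor CA certificate": ("DRM-Certificate-Authority", "ascii-tag",
        "Microsoft DRM Production Machine Activation Server CA",
        "Microsoft DRM Production Machine Activation Server CA", {1024, 2048}),
    "CA certificate": ("DRM-Certificate-Authority", "ascii-tag",
        "Microsoft DRM Production CA", "Microsoft DRM Production CA", {2048}),
}

# Literal ASCII GUID enclosed in braces, as [[- GUID -]] requires.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def check_issued_principals(xml_text, cert_kind, self_enrolled=False):
    """Return the list of rule violations found; an empty list means the element conforms."""
    objtype, idtype, id_rule, name_rule, sizes = RULES[cert_kind]
    if self_enrolled and cert_kind == "Enrollment Service certificate":
        name_rule = "Microsoft DRM Server Self Enrollment Service"
    problems = []
    principal = ET.fromstring(xml_text.strip()).find("PRINCIPAL")
    obj = principal.find("OBJECT") if principal is not None else None
    if obj is None:
        return ["missing PRINCIPAL/OBJECT"]
    if obj.get("type") != objtype:
        problems.append(f"OBJECT type {obj.get('type')!r}, expected {objtype!r}")

    ident = obj.find("ID")
    id_value = (ident.text or "").strip() if ident is not None else ""
    if ident is None or ident.get("type") != idtype:
        problems.append(f"ID type must be {idtype!r}")
    if id_rule == GUID:
        if not GUID_RE.match(id_value):
            problems.append(f"ID {id_value!r} is not a brace-enclosed GUID")
    elif id_value != id_rule:
        problems.append(f"ID {id_value!r}, expected {id_rule!r}")

    name = obj.find("NAME")  # assumed element name
    name_value = (name.text or "").strip() if name is not None else None
    if cert_kind == "SLC":
        if name is not None and not self_enrolled:
            problems.append("NAME present in the SLC of a server that is not self-enrolled")
    elif name_value != name_rule:
        problems.append(f"NAME {name_value!r}, expected {name_rule!r}")

    addr = obj.find("ADDRESS")  # assumed element name
    if cert_kind == "SLC":
        if addr is None or addr.get("type") != "URL" or not (addr.text or "").strip():
            problems.append("SLC must carry an ADDRESS of type URL")
    elif addr is not None:
        problems.append("ADDRESS is only permitted in the SLC")

    pk = principal.find("PUBLICKEY")  # PARAMETER/VALUE layout assumed
    exp = pk.find("PARAMETER[@name='public-exponent']/VALUE") if pk is not None else None
    mod = pk.find("PARAMETER[@name='modulus']/VALUE") if pk is not None else None
    if exp is None or (exp.text or "").strip() != "65537":
        problems.append("public exponent must be 65537")
    if mod is None or not (mod.text or "").strip():
        problems.append("modulus missing")
    elif mod.get("size") not in {str(s) for s in sizes}:
        problems.append(f"modulus size {mod.get('size')!r} not in {sorted(sizes)}")

    for level in principal.findall("SECURITYLEVEL"):
        if cert_kind != "SLC":
            problems.append(f"SECURITYLEVEL {level.get('name')!r} is only permitted in the SLC")
    return problems


def principal_xml(objtype, idtype, idval, size, extra=""):
    """Build a constructed ISSUEDPRINCIPALS element; the modulus is a placeholder, not a real key."""
    return (f'<ISSUEDPRINCIPALS><PRINCIPAL internal-id="1"><OBJECT type="{objtype}">'
            f'<ID type="{idtype}">{idval}</ID>{extra}</OBJECT><PUBLICKEY>'
            '<PARAMETER name="public-exponent"><VALUE encoding="integer32">65537</VALUE></PARAMETER>'
            f'<PARAMETER name="modulus"><VALUE encoding="base64" size="{size}">cGxhY2Vob2xkZXI=</VALUE></PARAMETER>'
            '</PUBLICKEY></PRINCIPAL></ISSUEDPRINCIPALS>')


# Constructed samples: a conforming SLC, and a CA certificate with the wrong OBJECT type and a 1024-bit key.
SAMPLE_SLC = principal_xml("MS-DRM-Server", "MS-GUID", "{0B5F8E2C-1D1E-4F3A-9A5B-000000000001}", 2048,
                           '<ADDRESS type="URL">https://rms.example.test/_wmcs/licensing</ADDRESS>')
SAMPLE_BAD_CA = principal_xml("MS-DRM-Server", "ascii-tag", "Microsoft DRM Production CA", 1024,
                              "<NAME>Microsoft DRM Production CA</NAME>")

if __name__ == "__main__":
    print("SLC:", check_issued_principals(SAMPLE_SLC, "SLC"))
    print("CA:", check_issued_principals(SAMPLE_BAD_CA, "CA certificate"))
```

The checker reports every violation rather than stopping at the first, which makes it usable for logging why a chain was rejected; the self_enrolled flag models the two exceptions the section states for self-enrolled servers (a NAME in the SLC, and the alternative Enrollment Service name).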