3.2.2.1.4.1 Search Requests
The CA SHOULD perform modify requests as demonstrated in the following figure.
Figure 6: Retrieving an ADConnection handle for publishing KRA certificates to AD
The following steps describe the flow of the preceding figure:
1. Invoke the "Initialize ADConnection" task ([MS-ADTS] section 7.6.1.1) to construct an ADConnection with the following parameters:
   TaskInputTargetName: NULL
   TaskInputPortNumber: If the value of the Config_CA_LDAP_Flags datum has the 0x0000001 (LDAPF_SSLENABLE) bit set, use port 636. Otherwise, use port 389.
   Store the returned ADConnection handle in the ActiveDirectory_Connection variable.
2. Perform a bind request, as specified in section 3.2.2.1.4.2.
3. Obtain the distinguished name (DN) of the KRA container as specified in the following steps:
   3.1 Invoke the "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters:
       TaskInputADConnection: ActiveDirectory_Connection
       TaskInputRequestMessage: LDAP SearchRequest message (see [RFC2251] section 4.5.1) as follows:
           baseObject: distinguished name (DN) of the rootDSE object, as specified in [MS-ADTS] section 3.1.1.3.2.1
           scope: baseObject
           filter: (objectCategory=*)
           attributes: The CA SHOULD use the following attributes:
               configurationNamingContext
               defaultNamingContext
           sizeLimit: 10000
           timeLimit: 120
           derefAliases: neverDerefAliases
           typesOnly: FALSE
       TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search.
       If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:
           InputReturnStatus: TaskReturnStatus
           InputResultMessage: TaskOutputResultMessages
       Return the OutputHRESULT output parameter to the client and exit. Also, invoke the "Perform an LDAP Unbind on an ADConnection" task ([MS-ADTS] section 7.6.1.5) with the TaskInputADConnection parameter set equal to ActiveDirectory_Connection.
   3.2 Build the distinguished name (DN) by combining the "CN=KRA,CN=Public Key Services,CN=Services,CN=Configuration" path and the value from step 3.1.
4. Verify that the issued certificate, passed in as input parameter IssuedCertificate, does not already exist under the KRA container as specified in the following steps:
   4.1 Invoke the "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters:
       TaskInputADConnection: ActiveDirectory_Connection
       TaskInputRequestMessage: LDAP SearchRequest message ([RFC2251] section 4.5.1) as follows:
           baseObject: distinguished name (DN) of the object of the class msPKI-Private-Key-Recovery-Agent stored in the KRA container in the working directory. The DN of the KRA container is obtained in step 3.
           scope: baseObject
           filter: NULL
           attributes: userCertificate
           sizeLimit: 10000
           timeLimit: 120
           derefAliases: neverDerefAliases
           typesOnly: FALSE
       TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search.
       Store the returned value of the userCertificate attribute in the Set_Of_Certificates variable.
   4.2 If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:
           InputReturnStatus: TaskReturnStatus
           InputResultMessage: TaskOutputResultMessages
       Return the OutputHRESULT output parameter to the client and exit. Also invoke the "Perform an LDAP Unbind on an ADConnection" task ([MS-ADTS] section 7.6.1.5) with the TaskInputADConnection parameter set equal to ActiveDirectory_Connection.
   4.3 If the certificate in input parameter IssuedCertificate does not exist in the Set_Of_Certificates variable, add it to this set.
   4.4 If any of the certificates in the Set_Of_Certificates variable has been expired for more than 24 hours, remove it from Set_Of_Certificates.
5. If Set_Of_Certificates is not changed as part of steps 4.3 and 4.4, go to step 7.
6. Invoke the "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters:
       TaskInputADConnection: ActiveDirectory_Connection
       TaskInputRequestMessage: An LDAP ModifyRequest (see [RFC2251] section 4.6) as follows:
           object: distinguished name (DN) of the object of the class msPKI-Private-Key-Recovery-Agent stored in the KRA container in the working directory. The distinguished name (DN) of the KRA container is obtained in step 3.
           The modification sequence has one entry, as follows:
               operation: replace
               modification:
                   type: userCertificate
                   vals: Set_Of_Certificates
       TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP operation.
       If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:
           InputReturnStatus: TaskReturnStatus
           InputResultMessage: TaskOutputResultMessages
       Return the OutputHRESULT output parameter to the client and exit.
7. Invoke the "Perform an LDAP Unbind on an ADConnection" task (see [MS-ADTS] section 7.6.1.5) with the TaskInputADConnection parameter set equal to ActiveDirectory_Connection.
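The decision logic of the procedure above (port selection in step 1, the KRA container DN of step 3.2, the add/prune reconciliation of steps 4.3 and 4.4, the step 5 "anything changed?" test, and the step 6 ModifyRequest shape), as an added example that is not part of this specification or of any Microsoft implementation. It assumes the configurationNamingContext value returned by the rootDSE search already ends in CN=Configuration,DC=..., so only the CN=KRA,CN=Public Key Services,CN=Services prefix is prepended; certificates are modelled as a constructed record of DER bytes plus notAfter instead of being parsed, and the LDAP task invocations themselves are out of scope.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LDAPF_SSLENABLE = 0x00000001  # bit of Config_CA_LDAP_Flags named on the page
# Assumption: configurationNamingContext already contains CN=Configuration,...
KRA_PREFIX = "CN=KRA,CN=Public Key Services,CN=Services"


def ldap_port(config_ca_ldap_flags: int) -> int:
    """Step 1: LDAPS port 636 when LDAPF_SSLENABLE is set, else plain 389."""
    return 636 if config_ca_ldap_flags & LDAPF_SSLENABLE else 389


def kra_container_dn(configuration_naming_context: str) -> str:
    """Step 3.2: KRA container DN built from the rootDSE search result."""
    return f"{KRA_PREFIX},{configuration_naming_context}"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for one userCertificate value; a real
    implementation would take not_after from the parsed X.509 validity."""
    der: bytes
    not_after: datetime


def reconcile(set_of_certificates, issued: Cert, now: datetime):
    """Steps 4.3-4.4 plus the step 5 test: add the issued certificate if it
    is absent, drop anything expired for more than 24 hours, and report
    whether the resulting set differs from what AD currently holds."""
    current = frozenset(set_of_certificates)
    updated = set(current)
    if issued not in updated:                 # 4.3: membership by value
        updated.add(issued)
    cutoff = now - timedelta(hours=24)        # 4.4: "more than 24 hours"
    updated = frozenset(c for c in updated if c.not_after >= cutoff)
    return updated, updated != current        # changed -> step 6, else step 7


def build_modify_request(kra_object_dn: str, certs) -> dict:
    """Step 6: ModifyRequest replacing the multi-valued userCertificate
    attribute with the full reconciled set (sorted for determinism)."""
    return {
        "object": kra_object_dn,
        "modification": [{
            "operation": "replace",
            "type": "userCertificate",
            "vals": sorted(c.der for c in certs),
        }],
    }
```

Note that an IssuedCertificate that is itself expired by more than 24 hours is added in 4.3 and removed again in 4.4, so the set is unchanged and no ModifyRequest is sent.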