3.1.2.4.2.2.2.5 Certificate.Template.msPKI-RA-Application-Policies

Clients MUST inspect the value of the Certificate.Template.msPKI-RA-Application-Policies datum as specified in [MS-CRTD] section 2.23. For each property type, the following client processing rules apply:

  • msPKI-Asymmetric-Algorithm: If this property type is present, the client MUST use the algorithm specified in this property to generate the public-private key pair, based on the following table:

    Value        Algorithm
    -----------  -------------------------------------------------------------------
    DH           The Diffie-Hellman key exchange algorithm [RFC2631]
    DS           The digital signature algorithm [FIPS186]
    ECDSA_P256   Elliptic Curve Digital Signature Algorithm on p-256 curve [FIPS186]
    ECDSA_P384   Elliptic Curve Digital Signature Algorithm on p-384 curve [FIPS186]
    ECDSA_P521   Elliptic Curve Digital Signature Algorithm on p-521 curve [FIPS186]
    ECDH_P256    Elliptic curve Diffie-Hellman on p-256 curve [SP800-56A]
    ECDH_P384    Elliptic curve Diffie-Hellman on p-384 curve [SP800-56A]
    ECDH_P521    Elliptic curve Diffie-Hellman on p-521 curve [SP800-56A]
    RSA          The RSA public key algorithm [RFC8017]

    If the property type is not present, clients MAY choose defaults based on local policy.<47>

  • msPKI-SecurityDescriptor: If this property type is present, the client MUST use the security descriptor (as specified in [MS-DTYP]) to set the access permissions on the private key corresponding to the public key in the request. If this property type is not present, clients MAY choose defaults based on local policy.<48>

  • msPKI-Symmetric-Algorithm: If this property type is present, the client MUST use the algorithm specified in this property to encrypt the private key corresponding to the public key in the request while generating the key archival enrollment request, as specified in section 1.3.2.1. In addition, the client SHOULD use this algorithm to encrypt the Client_HardwareKeyInfo ADM element as described in section 3.1.1.4.3.4.1.1.<49> If this property type is not present, clients MAY choose defaults based on local policy.<50>

  • msPKI-Symmetric-Key-Length: If this property type is present, the client MUST use the value specified in this property as the length of the symmetric key used to encrypt the private key while generating the key archival enrollment request, as specified in section 1.3.2.1. If this property type is not present, clients MAY choose defaults based on local policy.<51>

  • msPKI-Hash-Algorithm: If this property type is present, the client MUST use the value specified in this property as the hash algorithm while creating the signature of the certificate request. If this property type is not present, clients MAY choose defaults based on local policy.<52>

  • msPKI-Key-Usage: This property type MUST<53> be used to determine the cryptographic key information for generating the cryptographic keys that are used with the certificate. If this property type is not present, clients MAY choose defaults based on local policy.<54>
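The client processing rules above, as an added example that is not code from [MS-WCCE] or from Windows: it assumes the name``type``value`` encoding that [MS-CRTD] section 2.23 uses for this attribute (PZPWSTR strings, DWORD integers), constructed local-policy defaults for absent property types, and a constructed sample template value; an msPKI-Asymmetric-Algorithm value outside the table is rejected rather than silently replaced, since the section makes the listed algorithm mandatory.

```python
# Added example, not code from [MS-WCCE] or Windows: resolve the client's key
# generation parameters from a template's msPKI-RA-Application-Policies value.
# Assumes [MS-CRTD] 2.23 name``type``value`` encoding: PZPWSTR strings, DWORD ints.

# Values this section's table permits for msPKI-Asymmetric-Algorithm.
ASYMMETRIC_ALGORITHMS = frozenset({
    "DH", "DS", "ECDSA_P256", "ECDSA_P384", "ECDSA_P521",
    "ECDH_P256", "ECDH_P384", "ECDH_P521", "RSA",
})

LOCAL_DEFAULTS = {  # constructed local-policy defaults for absent property types
    "msPKI-Asymmetric-Algorithm": "RSA",
    "msPKI-Hash-Algorithm": "SHA256",
    "msPKI-Symmetric-Algorithm": "AES",
    "msPKI-Symmetric-Key-Length": 256,
    "msPKI-Key-Usage": 0,
}

def parse_ra_application_policies(value: str) -> dict:
    """Split the attribute into typed properties; DWORD values become int."""
    tokens = value.split("``")
    if tokens and tokens[-1] == "":  # trailing delimiter leaves an empty token
        tokens.pop()
    if len(tokens) % 3:
        raise ValueError("malformed attribute: not name/type/value triples")
    props = {}
    for name, ptype, raw in zip(tokens[0::3], tokens[1::3], tokens[2::3]):
        if ptype == "DWORD":
            props[name] = int(raw)
        elif ptype == "PZPWSTR":
            props[name] = raw
        else:
            raise ValueError(f"unsupported property type {ptype!r} for {name}")
    return props

def resolve_key_parameters(value: str, local_defaults: dict = LOCAL_DEFAULTS) -> dict:
    """Present property wins, absent property falls back to local policy; an
    asymmetric algorithm outside the table is rejected, never guessed."""
    props = parse_ra_application_policies(value)
    resolved = {name: props.get(name, dflt) for name, dflt in local_defaults.items()}
    if resolved["msPKI-Asymmetric-Algorithm"] not in ASYMMETRIC_ALGORITHMS:
        raise ValueError("msPKI-Asymmetric-Algorithm is not a permitted value")
    length = resolved["msPKI-Symmetric-Key-Length"]
    if not isinstance(length, int) or length <= 0:
        raise ValueError("msPKI-Symmetric-Key-Length must be a positive bit length")
    return resolved

SAMPLE = ("msPKI-Asymmetric-Algorithm``PZPWSTR``ECDSA_P256``msPKI-Hash-Algorithm``"
          "PZPWSTR``SHA256``msPKI-Key-Usage``DWORD``2``msPKI-Symmetric-Algorithm``"
          "PZPWSTR``3DES``msPKI-Symmetric-Key-Length``DWORD``168``")  # constructed
```

Properties the template carries that are not listed in `local_defaults` (for example msPKI-SecurityDescriptor) are parsed but not returned, so extend the defaults map to handle them.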