3.2.1.4.3.2.15.1 Creating a CA Exchange Certificate
The CA MUST perform the following steps to create an exchange certificate.
Determine the role of the machine that the CA is running on by performing external behavior consistent with locally invoking DsRolerGetPrimaryDomainInformation (specified in [MS-DSSP] section 3.2.5.1), using the following parameters:
Set the hBinding parameter to NULL.
Set the InfoLevel parameter to DsRolePrimaryDomainInfoBasic.
If the MachineRole field of the returned DomainInfo structure is not equal to DsRole_RoleStandaloneWorkstation or DsRole_RoleStandaloneServer, then perform the following steps.
Invoke the "Initialize ADConnection" task ([MS-ADTS] section 7.6.1.1) to construct an ADConnection with the following parameters:
TaskInputTargetName: NULL.
TaskInputPortNumber: If the value of the Config_CA_LDAP_Flags datum has 0x0000001 (LDAPF_SSLENABLE) bit set, use port 636. Otherwise, use port 389.
Invoke the "Setting an LDAP Option on an ADConnection" task ([MS-ADTS] section 7.6.1.2) once for each of the pairs of option and value parameters in the following table. For each of these, the TaskInputADConnection parameter is the ADConnection handle created in the previous step.
TaskInputOptionName
TaskInputOptionValue
LDAP_OPT_GETDSNAME_FLAGS
Bitwise OR of the bits D and R, as defined in [MS-NRPC] section 3.5.4.3.1
LDAP_OPT_REFFERALS
If Config_AD_Connection_Referral ADM element is FALSE, set to FALSE
LDAP_OPT_PROTOCOL_VERSION
2
If the value of the Config_CA_LDAP_Flags datum does not have the 0x0000002 (LDAPF_SIGNDISABLE) bit set and:
If after invoking the processing rules that are specified in section 3.2.2.1.6 with input parameter InputADConnectionHandle set equal to ActiveDirectory_Connection, the returned value is TRUE (that is, DC supports signing) set LDAP_OPT_SIGN to TRUE.
Else, if the Config_CA_LDAP_Flags datum does not have the 0x0000001 (LDAPF_SSLENABLE) bit set, return 0x80094013 (CERTSRV_E_DOWNLEVEL_DC_SSL_OR_UPGRADE) to the client and exit.
Invoke the "Performing an LDAP Bind on an ADConnection" task ([MS-ADTS] section 7.6.1.4) with the following parameter:
TaskInputADConnection: The ADConnection handle generated in the previous step
If the TaskReturnStatus returned is not 0:
Repeat step 1.2 with the following modification:
TaskInputOptionName: LDAP_OPT_GETDSNAME_FLAGS
TaskInputOptionValue: Bitwise OR of the bits A, D, and R, as defined in [MS-NRPC] section 3.5.4.3.1
Repeat this step (1.4). If the TaskReturnStatus returned is not 0, go to step 2.
Obtain the distinguished name for the Certificate Templates Container (section 2.2.2.11.1), as specified in the following steps:
Invoke the "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters:
TaskInputADConnection: The ADConnection handle generated in the previous step
TaskInputRequestMessage: LDAP SearchRequest message (see [RFC2251] section 4.5.1), as follows:
baseObject: distinguished name of the rootDSE object as specified in [MS-ADTS] section 3.1.1.3.2.1
scope: baseObject
filter: (objectCategory=*)
attributes: The CA SHOULD use the following attributes:
configurationNamingContext
defaultNamingContext
sizeLimit: 10000
timeLimit: 120
derefAliases: neverDerefAliases
typesOnly: FALSE
TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search.
If the TaskReturnStatus returned is not 0, go to step 2.
Build the distinguished name by concatenating the "CN=Certificate Templates,CN=Public Key Services,CN=Services, CN=Configuration" path and the value for configurationNamingContext attribute from the previous step.
Read all objects under the Certificate Templates Container as follows:
Repeat the previous step with the following modifications:
baseObject: distinguished name of the Certificate Templates Container obtained in the previous step.
scope: wholeSubtree
filter: (objectCategory=pKICertificateTemplate)
attributes: The CA SHOULD use the following attributes:
cn
flags
ntSecurityDescriptor
revision
pKICriticalExtensions
pKIDefaultCSPs
pKIDefaultKeySpec
pKIEnrollmentAccess
pKIExpirationPeriod
pKIExtendedKeyUsage
pKIKeyUsage
pKIMaxIssuingDepth
pKIOverlapPeriod
msPKI-Template-Schema-Version
msPKI-Template-Minor-Revision
msPKI-RA-Signature
msPKI-Minimal-Key-Size
msPKI-Cert-Template-OID
msPKI-Supersede-Templates
msPKI-RA-Policies
msPKI-RA-Application-Policies
msPKI-Certificate-Policy
msPKI-Certificate-Application-Policy
msPKI-Enrollment-Flag
msPKI-Private-Key-Flag
msPKI-Certificate-Name-Flag
If the TaskReturnStatus returned is not 0, go to step 2.
If a certificate template with a commonName attribute equal to "CAExchange" (case-insensitive comparison) was read in the previous step and CA has the permission to enroll for that template (by invoking the processing rules in Verify End Entity Permissions (section 3.2.2.6.2.1.4.3) with input parameter Input_ntSecurityDescriptor set equal to the ntSecurityDescriptor attribute of the CAExchange certificate template and Input_SID set equal to CA_SID ADM element), create the exchange certificate based on the attribute value processing specified in sections 3.2.2.6.2.1.4.4 and 3.2.2.6.2.1.4.5.
If an exchange certificate wasn't created in previous steps, create it by adding the following fields and extensions:
For the Subject of the exchange certificate, a common name attribute is used with a value the same as the value of the common name attribute in the subject information of the CA signing certificate (Signing_Cert_Certificate datum) and appending "-Xchg" to the value. The Issuer field is filled with the same value as the Subject field of the CA signing certificate (SigningÂ_Cert_Certificate datum).
Key Usage extension with KeyEncipherment bit enabled. The Key Usage extension is specified in [RFC3280] section 4.2.1.3.
Extended Key Usage extension containing the OID szOID_KP_CA_EXCHANGE (1.3.6.1.4.1.311.21.5) as the KeyPurposeId. The Extended Key Usage extension is specified in [RFC3280] section 4.2.1.13.
Application Policies extension containing the OID szOID_KP_CA_EXCHANGE (1.3.6.1.4.1.311.21.5) as the Application Policy OID. The Application Policies extension is specified in section 2.2.2.7.7.3.
Certificate Template Common Name extension with the value of Name as "CAExchange". Encoding a Certificate Template Common Name Extension is specified in section 2.2.2.7.7.1.
If the CA signing certificate contains a Certificate Policies extension, add this extension with the same value as in the CA signing certificate (Signing_Cert_Certificate datum). The Certificate Policies extension is specified in [RFC3280] section 4.2.1.5.
The Authority Key Identifier extension is added with the same value as the Subject Key Identifier extension in the CA signing certificate (Signing_Cert_Certificate datum). If the Subject Key Identifier extension is not found in the CA signing certificate (Signing_Cert_Certificate datum), then the SHA1 hash of the public key of CA signing certificate (Signing_Cert_Certificate datum) is used as the value for the Authority Key Identifier extension. The Authority Key Identifier extension is specified in [RFC3280] section 4.2.1.1.
The Subject Key Identifier extension is added with the same value as the SHA1 hash of the public key associated with the exchange certificate. The Subject Key Identifier extension is specified in [RFC3280] section 4.2.1.2.
The Authority Information Access extension is added with the same value the CA returns when ICertRequestD2::GetCAProperty is called for PropID of CR_PROP_CERTAIAURLS and propIndex of 0xFFFFFFFF. See section 3.2.1.4.3.2.42 for details on how this value is computed. The Authority Information Access extension is specified in [RFC3280] section 4.2.2.1.
The CRL Distribution Point extension is added with the same value the CA returns when ICertRequestD2::GetCAProperty is called for PropID of CR_PROP_CERTCDPURLS and propIndex of 0xFFFFFFFF. See section 3.2.1.4.3.2.43 for details on how this value is computed. The CRL Distribution Point extension is specified in [RFC3280] section 4.2.1.14.
The value for Valid From field is the date and time when the request for CA exchange certificate was received minus the value of the Config_CA_Clock_Skew_Minutes data. The Valid To field is set to one week later. Valid From and Valid To are specified in [RFC3280] section 4.1.2.5.
The serial number SHOULD be generated as specified in section 3.2.1.4.2.1.4.6 and stored in the Serial Number field. The Serial Number field is specified in [RFC3280] section 4.1.2.2.
The value for the Signature Algorithm field is the name of the signing algorithm configured at the CA. The Signature Algorithm field is specified in [RFC3280] section 4.1.1.2.
The value for the Subject Public Key field is the public key associated with the exchange certificate. The Subject Public Key field is specified in [RFC3280] section 4.1.
Store the created certificate as follows:
Store the certificate as an entry in the request table.
Add the x.509 certificate to the Store_CA_Exchange_Cert list of certificates and set it as the Current_CA_Exchange_Cert data element value.
Delete the list of hash values from the Config_CA_Exchange_Cert datum.
The CA MUST create a new row in the Request table and set the following values:
Request_Request_ID: Assign a unique value in this column.
Request_Disposition: Assign the value "certificate issued".
Request_Raw_Request: Set to empty.
In addition, the CA SHOULD store the following request parameters in the Request table.
Column name
Value
Request_Raw_Old_Certificate
Empty
Request_Request_Attributes
Empty
Request_Request_Type
Empty
Request_Request_Flags
0x0000000C (The bitwise OR of CR_FLG_CAXCHGCERT flag and CR_FLG_FORCEUTF8 flag. For more details see [MS-CSRA] section 3.1.1.1.2.)
Request_Status_Code
0x00000000 (The operation completed successfully.)
Request_Submitted_When
The time the request for CA exchange server was received by the CA.
Request_Resolved_When
The time the CA completed the processing for the CA exchange certificate.
Request_Requester_Name
The value of CA_Account_Name ADM element.
Request_Caller_Name
The value of Per_Request.Caller_Account_Name ADM element.
Request_Signer_Policies
Empty
Request_Signer_Application_Policies
Empty
Request_Officer
Empty
Request_Distinguished_Name
The distinguished name (DN) from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Raw_Name
The Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Country
The Country attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Organization
The Organization attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Org_Unit
The Organizational-Unit attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Common_Name
The Common Name attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Locality
The Locality attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_State
The Province name attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Title
The Title attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Given_Name
The Given Name attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Initials
The Initials attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_SurName
The Surname attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Domain_Component
The Domain Component attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Email
The Email Address attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Street_Address
The Street Address attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Unstructured_Name
The Unstructured Name attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Unstructured_Address
The Unstructured Address attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).
Request_Device_Serial_Number
The Device Serial Number attribute from the DN from the Subject field of the CA exchange certificate (Config_CA_Exchange_Cert datum).