3.1.4.1.3.1 Attributes
The <Attributes> complex type contains information about a CertificateEnrollmentPolicy object defined in section 3.1.4.1.3.7. It MUST be present for each CertificateEnrollmentPolicy object instance.
<xs:complexType name="Attributes">
  <xs:sequence>
    <xs:element ref="xcep:commonName" />
    <xs:element name="policySchema" type="xs:unsignedInt" />
    <xs:element name="certificateValidity" type="xcep:CertificateValidity" />
    <xs:element name="permission" type="xcep:EnrollmentPermission" />
    <xs:element name="privateKeyAttributes" type="xcep:PrivateKeyAttributes" />
    <xs:element name="revision" type="xcep:Revision" />
    <xs:element name="supersededPolicies" type="xcep:SupersededPolicies" nillable="true" />
    <xs:element name="privateKeyFlags" type="xs:unsignedInt" nillable="true" />
    <xs:element name="subjectNameFlags" type="xs:unsignedInt" nillable="true" />
    <xs:element name="enrollmentFlags" type="xs:unsignedInt" nillable="true" />
    <xs:element name="generalFlags" type="xs:unsignedInt" nillable="true" />
    <xs:element name="hashAlgorithmOIDReference" type="xs:int" nillable="true" />
    <xs:element name="rARequirements" type="xcep:RARequirements" nillable="true" />
    <xs:element name="keyArchivalAttributes" type="xcep:KeyArchivalAttributes" nillable="true" />
    <xs:element name="extensions" type="xcep:ExtensionCollection" nillable="true" />
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded" />
  </xs:sequence>
</xs:complexType>
xcep:commonName: A string value of the common name (CN) of a CertificateEnrollmentPolicy object. The <xcep:commonName> element MUST be unique in the scope of a GetPoliciesResponse (section 3.1.4.1.1.2) message.
policySchema: An integer value representing the schema version of the corresponding CertificateEnrollmentPolicy. The <policySchema> element SHOULD be an integer value of 1, 2, or 3.
certificateValidity: An instance of a CertificateValidity object as defined in section 3.1.4.1.3.8.
permission: An instance of an EnrollmentPermission object as defined in section 3.1.4.1.3.11.
privateKeyAttributes: An instance of a PrivateKeyAttributes object as defined in section 3.1.4.1.3.20.
revision: An instance of a Revision object as defined in section 3.1.4.1.3.24.
supersededPolicies: An instance of a SupersededPolicies object as defined in section 3.1.4.1.3.25. A value of nil indicates that the corresponding CertificateEnrollmentPolicy object does not supersede another.
privateKeyFlags: The <privateKeyFlags> element is an unsigned integer that MUST be a bitwise OR of zero or more of the following possible values. For more information about the relationship between the <privateKeyFlags> element and the <msPKI-Private-Key-Flag> attribute, see [MS-WCCE] section 3.1.2.4.2.2.2.8.
Integer value   Meaning
0x00000001      Instructs the client to archive the private key.
0x00000010      Instructs the client to allow the private key to be exported.
0x00000020      Instructs the client to protect the private key.
subjectNameFlags: The <subjectNameFlags> element is an unsigned integer that MUST be a bitwise OR of zero or more of the following possible values.
Integer value   Meaning
0x00000001      The client supplies the Subject field value in the certificate request.
0x00010000      The client supplies the Subject Alternative Name field value in the certificate request.
0x00400000      The certificate authority (CA) adds the value of the DNS of the root domain (the domain where the user's object resides in Active Directory) to the Subject Alternative Name extension of the issued certificate.
0x00800000      The CA adds the value of the userPrincipalName attribute from the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x01000000      The CA adds the value of the objectGUID attribute from the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x02000000      The CA adds the value of the userPrincipalName attribute from the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x04000000      The CA adds the value of the mail attribute from the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x08000000      The CA adds the value obtained from the dNSHostName attribute of the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x10000000      The CA adds the value obtained from the dNSHostName attribute of the requestor's user object in Active Directory as the CN in the Subject extension of the issued certificate.
0x20000000      The CA adds the value of the mail attribute from the requestor's user object in Active Directory as the Subject extension of the issued certificate.
0x40000000      The CA sets the Subject Name to the cn attribute value of the requestor's user object in Active Directory.
0x80000000      The CA sets the Subject Name to the distinguishedName attribute value of the requestor's user object in Active Directory.
0x00000008      The client reuses the values of the Subject Name and Subject Alternative Name extensions from an existing, valid certificate when creating a renewal certificate request. This flag can only be used when the SubjectNameEnrolleeSupplies (0x00000001) or SubjectAlternativeNameEnrolleeSupplies (0x00010000) flag is specified.
enrollmentFlags: The <enrollmentFlags> element is an unsigned integer that MUST be a bitwise OR of zero or more of the following values.
Integer value   Meaning
0x00000001      Instructs the client and CA to include an S/MIME extension, as specified in [RFC4262].
0x00000008      Instructs the CA to append the issued certificate to the userCertificate attribute on the user object in Active Directory.
0x00000010      Instructs the CA to check the user's userCertificate attribute in Active Directory, as specified in [RFC4523], for valid certificates that match the template enrolled for.
0x00000040      Instructs the client to sign the renewal request using the private key of the existing certificate. For more information, see [MS-WCCE] section 3.2.2.6.2.1.4.5.6. This flag also instructs the CA to process the renewal requests as specified in [MS-WCCE] section 3.2.2.6.2.1.4.5.6.
0x00000100      Instructs the client to get a user's consent before attempting to enroll for a certificate based on the specified template.
0x00000400      Instructs the client to delete any expired, revoked, or renewed certificate from the user's certificate stores.
0x00002000      Instructs the client to reuse the private key for a smart card–based certificate renewal if it is unable to create a new private key on the card.
generalFlags: The <generalFlags> element is an unsigned integer that MUST be a bitwise OR of zero or more of the following values.
Integer value   Name                  Meaning
0x00000040      GeneralMachineType    This certificate template is for an end entity that represents a machine.
0x00000080      GeneralCA             A certificate request for a CA certificate.
0x00000800      GeneralCrossCA        A certificate request for cross-certifying a certificate.
0x00010000      Reserved              This flag value is reserved.
0x00020000      Reserved              This flag value is reserved.
0x10000000      Reserved              This flag value is reserved.
0x00000001      Reserved              This flag value is reserved.
0x00000002      Reserved              This flag value is reserved.
0x00000004      Reserved              This flag value is reserved.
0x00000008      Reserved              This flag value is reserved.
0x00000010      Reserved              This flag value is reserved.
0x00000020      Reserved              This flag value is reserved.
0x00000100      Reserved              This flag value is reserved.
0x00000200      Reserved              This flag value is reserved.
0x00000400      Reserved              This flag value is reserved.
0x00040000      Reserved              This flag value is reserved.
0x00080000      Reserved              This flag value is reserved.
0x00001000      Reserved              This flag value is reserved.
hashAlgorithmOIDReference: An integer value that references an existing <oIDReferenceID> element as defined in section 3.1.4.1.3.16. The hash algorithm is used when signing operations are performed during the certificate enrollment process. If the value of the <policySchema> element for this Attributes object is 3 and the hash algorithm is defined for the policy, the value of the <hashAlgorithmOIDReference> element MUST be an integer that references the <oIDReferenceID> of the corresponding hash algorithm definition. If the value of the <policySchema> element for this Attributes object is 1 or 2, or the hash algorithm is not defined, the <hashAlgorithmOIDReference> element MUST be specified as nil.
rARequirements: An instance of an RARequirements object as defined in section 3.1.4.1.3.21.
keyArchivalAttributes: An instance of a KeyArchivalAttributes object as defined in section 3.1.4.1.3.15.
extensions: An instance of an ExtensionCollection object as defined in section 3.1.4.1.3.13.
##any: This element provides a vendor extensibility point. Additional elements MAY be added.
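The following Python is an added example, not code from MS-XCEP or from any Microsoft implementation. It decodes the four flag elements described above into the meanings the tables give, applies the MUST-level rules this section states (policySchema in {1, 2, 3}; hashAlgorithmOIDReference nil for schema 1 or 2; 0x00000008 in subjectNameFlags only together with SubjectNameEnrolleeSupplies or SubjectAlternativeNameEnrolleeSupplies; commonName unique per response), and reports undocumented bits. The XCEP namespace URI, the assumption that child elements are namespace-qualified, the <policies>/<policy>/<attributes> wrapper in the constructed sample, and the short labels attached to most bits are assumptions of this example; only the generalFlags names and the two *EnrolleeSupplies names come from the page.

```python
"""Decode and sanity-check XCEP <Attributes> elements (added example, not MS-XCEP code)."""
import xml.etree.ElementTree as ET

XCEP = "http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy"  # assumed namespace URI
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Flag tables from the section; labels other than GeneralMachineType/GeneralCA/GeneralCrossCA
# and the two *EnrolleeSupplies names are short descriptions chosen for this example.
PRIVATE_KEY_FLAGS = {0x1: "archive private key", 0x10: "allow private key export", 0x20: "protect private key"}
SUBJECT_NAME_FLAGS = {
    0x00000001: "SubjectNameEnrolleeSupplies",
    0x00000008: "reuse Subject/SAN from existing certificate on renewal",
    0x00010000: "SubjectAlternativeNameEnrolleeSupplies",
    0x00400000: "SAN += root domain DNS",
    0x00800000: "SAN += userPrincipalName",
    0x01000000: "SAN += objectGUID",
    0x02000000: "SAN += userPrincipalName",
    0x04000000: "SAN += mail",
    0x08000000: "SAN += dNSHostName",
    0x10000000: "Subject CN = dNSHostName",
    0x20000000: "Subject = mail",
    0x40000000: "Subject = cn",
    0x80000000: "Subject = distinguishedName",
}
ENROLLMENT_FLAGS = {
    0x00000001: "include S/MIME extension",
    0x00000008: "publish to userCertificate",
    0x00000010: "check userCertificate for existing matching certificates",
    0x00000040: "sign renewal with existing certificate key",
    0x00000100: "user consent required",
    0x00000400: "delete expired/revoked/renewed certificates",
    0x00002000: "reuse smart card key on renewal if needed",
}
GENERAL_FLAGS = {0x40: "GeneralMachineType", 0x80: "GeneralCA", 0x800: "GeneralCrossCA"}
GENERAL_FLAGS.update({b: "Reserved" for b in (0x1, 0x2, 0x4, 0x8, 0x10, 0x20, 0x100, 0x200, 0x400,
                                              0x1000, 0x10000, 0x20000, 0x40000, 0x80000, 0x10000000)})


def decode_flags(value, table):
    """Split a bitwise-OR value into [(bit, meaning)] for documented bits plus the residue of undocumented bits."""
    known = [(bit, meaning) for bit, meaning in sorted(table.items()) if value & bit]
    mask = 0
    for bit in table:
        mask |= bit
    return known, value & ~mask


def _child(elem, local):
    return elem.find(f"{{{XCEP}}}{local}")


def _uint(elem, local):
    """Return the element's integer value, or None when it is absent or xsi:nil."""
    child = _child(elem, local)
    if child is None or child.get(f"{{{XSI}}}nil") in ("true", "1"):
        return None
    return int((child.text or "0").strip())


def parse_attributes(attrs):
    """Decode one <attributes> element; collect MUST-level violations and audit findings."""
    cn = _child(attrs, "commonName")
    common_name = (cn.text or "").strip() if cn is not None else ""
    schema = _uint(attrs, "policySchema")
    hash_ref = _uint(attrs, "hashAlgorithmOIDReference")
    problems, findings = [], []
    if schema not in (1, 2, 3):
        problems.append(f"policySchema {schema!r} is not 1, 2 or 3")
    if schema in (1, 2) and hash_ref is not None:  # section rule for schema 1 and 2
        problems.append("hashAlgorithmOIDReference must be nil for policySchema 1 or 2")
    decoded = {}
    for name, table in (("privateKeyFlags", PRIVATE_KEY_FLAGS), ("subjectNameFlags", SUBJECT_NAME_FLAGS),
                        ("enrollmentFlags", ENROLLMENT_FLAGS), ("generalFlags", GENERAL_FLAGS)):
        raw = _uint(attrs, name)
        if raw is None:
            decoded[name] = None
            continue
        known, residue = decode_flags(raw, table)
        decoded[name] = [meaning for _, meaning in known]
        if residue:
            problems.append(f"{name} has undocumented bits 0x{residue:08x}")
    sn = _uint(attrs, "subjectNameFlags") or 0
    if sn & 0x00000008 and not sn & 0x00010001:
        problems.append("0x00000008 requires SubjectNameEnrolleeSupplies or SubjectAlternativeNameEnrolleeSupplies")
    if sn & 0x00010001:  # audit aid: the enrollee, not AD, determines the name in the certificate
        findings.append("enrollee supplies Subject and/or SAN: review who holds enrollment permission")
    return {"commonName": common_name, "policySchema": schema, "hashAlgorithmOIDReference": hash_ref,
            "flags": decoded, "problems": problems, "findings": findings}


def audit_response(xml_text):
    """Parse every <attributes> element in a response and enforce commonName uniqueness."""
    root = ET.fromstring(xml_text)
    results = [parse_attributes(a) for a in root.iter(f"{{{XCEP}}}attributes")]
    seen = set()
    for r in results:
        if r["commonName"] in seen:
            r["problems"].append(f"commonName {r['commonName']!r} is not unique in the response")
        seen.add(r["commonName"])
    return results


# Constructed sample (not a captured response): the third policy deliberately breaks several rules.
SAMPLE = f"""<policies xmlns="{XCEP}" xmlns:xsi="{XSI}">
  <policy><attributes>
    <commonName>WebServer</commonName><policySchema>2</policySchema>
    <privateKeyFlags>16</privateKeyFlags><subjectNameFlags>1</subjectNameFlags>
    <enrollmentFlags>0</enrollmentFlags><generalFlags>64</generalFlags>
    <hashAlgorithmOIDReference xsi:nil="true"/>
  </attributes></policy>
  <policy><attributes>
    <commonName>User</commonName><policySchema>3</policySchema>
    <privateKeyFlags>33</privateKeyFlags><subjectNameFlags>1174405120</subjectNameFlags>
    <enrollmentFlags>88</enrollmentFlags><generalFlags>0</generalFlags>
    <hashAlgorithmOIDReference>3</hashAlgorithmOIDReference>
  </attributes></policy>
  <policy><attributes>
    <commonName>User</commonName><policySchema>2</policySchema>
    <privateKeyFlags>256</privateKeyFlags><subjectNameFlags>8</subjectNameFlags>
    <hashAlgorithmOIDReference>2</hashAlgorithmOIDReference>
  </attributes></policy>
</policies>"""

if __name__ == "__main__":
    for r in audit_response(SAMPLE):
        print(r["commonName"], r["flags"], r["problems"], r["findings"])
```

Run stand-alone, the script prints one line per policy. The "findings" entry is deliberately separate from "problems": a policy that lets the enrollee supply the Subject or Subject Alternative Name is not a protocol violation, but the name that ends up in the certificate is then controlled by whoever holds the permission element of that policy, so it is the first thing to review when an enrollment policy is audited.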