3.1.4.1.3.1 Attributes

The <Attributes> complex type contains information about a CertificateEnrollmentPolicy object defined in section 3.1.4.1.3.7. It MUST be present for each CertificateEnrollmentPolicy object instance.

 <xs:complexType name="Attributes">
   <xs:sequence>
     <xs:element ref="xcep:commonName" />
     <xs:element name="policySchema"
       type="xs:unsignedInt" />
     <xs:element name="certificateValidity"
       type="xcep:CertificateValidity" />
     <xs:element name="permission"
       type="xcep:EnrollmentPermission" />
     <xs:element name="privateKeyAttributes"
       type="xcep:PrivateKeyAttributes" />
     <xs:element name="revision"
       type="xcep:Revision" />
     <xs:element name="supersededPolicies"
       type="xcep:SupersededPolicies" nillable="true" />
     <xs:element name="privateKeyFlags"
       type="xs:unsignedInt" nillable="true" />
     <xs:element name="subjectNameFlags"
       type="xs:unsignedInt" nillable="true" />
     <xs:element name="enrollmentFlags"
       type="xs:unsignedInt" nillable="true" />
     <xs:element name="generalFlags"
       type="xs:unsignedInt" nillable="true" />
     <xs:element name="hashAlgorithmOIDReference"
       type="xs:int" nillable="true" />
     <xs:element name="rARequirements"
       type="xcep:RARequirements" nillable="true" />
     <xs:element name="keyArchivalAttributes"
       type="xcep:KeyArchivalAttributes" nillable="true" />
     <xs:element name="extensions"
       type="xcep:ExtensionCollection" nillable="true" />
     <xs:any namespace="##any" processContents="lax"
       minOccurs="0" maxOccurs="unbounded" />
   </xs:sequence>
 </xs:complexType>

xcep:commonName: A string value of the common name (CN) of a CertificateEnrollmentPolicy object. The <xcep:commonName> element MUST be unique in the scope of a GetPoliciesResponse (section 3.1.4.1.1.2) message.

policySchema: An integer value representing the schema version of the corresponding CertificateEnrollmentPolicy. The <policySchema> element SHOULD be an integer value of 1, 2, or 3.

certificateValidity: An instance of a CertificateValidity object as defined in section 3.1.4.1.3.8.

permission: An instance of an EnrollmentPermission object as defined in section 3.1.4.1.3.11.

privateKeyAttributes: An instance of a PrivateKeyAttributes object as defined in section 3.1.4.1.3.20.

revision: An instance of a Revision object as defined in section 3.1.4.1.3.24.

supersededPolicies: An instance of a SupersededPolicies object as defined in section 3.1.4.1.3.25. A value of nil indicates that the corresponding CertificateEnrollmentPolicy object does not supersede another.

privateKeyFlags: The <privateKeyFlags> element is an unsigned integer that MUST be a bitwise OR of zero or more of the following possible values. For more information about the relationship between the <privateKeyFlags> element and the <msPKI-Private-Key-Flag> attribute, see [MS-WCCE] section 3.1.2.4.2.2.2.8.

Integer value   Meaning
0x00000001      Instructs the client to archive the private key.
0x00000010      Instructs the client to allow the private key to be exported.
0x00000020      Instructs the client to protect the private key.

subjectNameFlags: The <subjectNameFlags> element is an unsigned integer that MUST be a bitwise OR of zero or more of the following possible values.

Integer value   Meaning
0x00000001      The client supplies the Subject field value in the certificate request.
0x00000008      The client reuses the values of the Subject field and Subject Alternative Name extension from an existing, valid certificate when creating a renewal certificate request. This flag can only be used when the SubjectNameEnrolleeSupplies (0x00000001) or SubjectAlternativeNameEnrolleeSupplies (0x00010000) flag is also specified.
0x00010000      The client supplies the Subject Alternative Name field value in the certificate request.
0x00400000      The certificate authority (CA) adds the DNS name of the root domain (the domain in which the requestor's object resides in Active Directory) to the Subject Alternative Name extension of the issued certificate.
0x00800000      The CA adds the value of the servicePrincipalName attribute from the requestor's object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x01000000      The CA adds the value of the objectGUID attribute from the requestor's object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x02000000      The CA adds the value of the userPrincipalName attribute from the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x04000000      The CA adds the value of the mail attribute from the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x08000000      The CA adds the value of the dNSHostName attribute from the requestor's object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x10000000      The CA uses the value of the dNSHostName attribute from the requestor's object in Active Directory as the CN of the Subject field of the issued certificate.
0x20000000      The CA uses the value of the mail attribute from the requestor's user object in Active Directory as the Subject field of the issued certificate.
0x40000000      The CA sets the Subject Name to the cn attribute value of the requestor's object in Active Directory.
0x80000000      The CA sets the Subject Name to the distinguishedName attribute value of the requestor's object in Active Directory.

enrollmentFlags: The <enrollmentFlags> element is an unsigned integer that MUST be a bitwise OR of zero or more of the following values.

Integer value   Meaning
0x00000001      Instructs the client and the CA to include an S/MIME Capabilities extension, as specified in [RFC4262].
0x00000008      Instructs the CA to append the issued certificate to the userCertificate attribute of the user object in Active Directory.
0x00000010      Instructs the CA to check the user's userCertificate attribute in Active Directory, as specified in [RFC4523], for valid certificates that match the template enrolled for.
0x00000040      Instructs the client to sign the renewal request using the private key of the existing certificate, and instructs the CA to process such renewal requests as specified in [MS-WCCE] section 3.2.2.6.2.1.4.5.6.
0x00000100      Instructs the client to obtain the user's consent before attempting to enroll for a certificate based on the specified template.
0x00000400      Instructs the client to delete any expired, revoked, or renewed certificate from the user's certificate stores.
0x00002000      Instructs the client to reuse the private key for a smart card–based certificate renewal if it is unable to create a new private key on the card.

generalFlags: The <generalFlags> element is an unsigned integer that MUST be a bitwise OR of zero or more of the following values.

Integer value   Name                  Meaning
0x00000001      Reserved              This flag value is reserved.
0x00000002      Reserved              This flag value is reserved.
0x00000004      Reserved              This flag value is reserved.
0x00000008      Reserved              This flag value is reserved.
0x00000010      Reserved              This flag value is reserved.
0x00000020      Reserved              This flag value is reserved.
0x00000040      GeneralMachineType    This certificate template is for an end entity that represents a machine.
0x00000080      GeneralCA             A certificate request for a CA certificate.
0x00000100      Reserved              This flag value is reserved.
0x00000200      Reserved              This flag value is reserved.
0x00000400      Reserved              This flag value is reserved.
0x00000800      GeneralCrossCA        A certificate request for cross-certifying a certificate.
0x00001000      Reserved              This flag value is reserved.
0x00010000      Reserved              This flag value is reserved.
0x00020000      Reserved              This flag value is reserved.
0x00040000      Reserved              This flag value is reserved.
0x00080000      Reserved              This flag value is reserved.
0x10000000      Reserved              This flag value is reserved.

hashAlgorithmOIDReference: An integer value that references an existing <oIDReferenceID> element as defined in section 3.1.4.1.3.16. The hash algorithm is used when signing operations are performed during the certificate enrollment process. If the value of the <policySchema> element for this Attributes object is 3 and the hash algorithm is defined for the policy, the value of the <hashAlgorithmOIDReference> element MUST be an integer that references the <oIDReferenceID> of the corresponding hash algorithm definition. If the value of the <policySchema> element for this Attributes object is 1 or 2, or the hash algorithm is not defined, the <hashAlgorithmOIDReference> element MUST be specified as nil.
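The following Python is an added example, not part of MS-XCEP or of any Microsoft implementation. It parses the <attributes> elements of a constructed GetPoliciesResponse fragment, decodes the privateKeyFlags, subjectNameFlags, enrollmentFlags and generalFlags bit words against the values tabulated above, and applies the rules this section states: nillable flag elements, the restriction that 0x00000008 in subjectNameFlags requires SubjectNameEnrolleeSupplies or SubjectAlternativeNameEnrolleeSupplies, the requirement that hashAlgorithmOIDReference be nil for policySchema 1 or 2, and the uniqueness of xcep:commonName within one response. The namespace URI bound to the xcep prefix is assumed from the MS-XCEP WSDL; the flag labels are this example's shorthand except for the names the section itself uses; the sample XML is constructed, omits the structured children the example does not inspect, and its <policies>/<policy> wrappers are outside this section.

```python
"""Added example: decode MS-XCEP <Attributes> flag words and check the rules this section states."""
import xml.etree.ElementTree as ET

XCEP = "http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy"  # assumed xcep namespace URI
XSI = "http://www.w3.org/2001/XMLSchema-instance"


def q(local):
    """Qualify a local element name with the xcep namespace."""
    return f"{{{XCEP}}}{local}"


# Labels for the bit values this section lists: this example's shorthand, except the two
# ...EnrolleeSupplies names and the three generalFlags names the section itself uses.
PRIVATE_KEY_FLAGS = {0x00000001: "archive private key",
                     0x00000010: "private key exportable",
                     0x00000020: "protect private key"}
SUBJECT_NAME_FLAGS = {0x00000001: "SubjectNameEnrolleeSupplies",
                      0x00000008: "reuse Subject/SAN from existing cert on renewal",
                      0x00010000: "SubjectAlternativeNameEnrolleeSupplies",
                      0x00400000: "CA adds root-domain DNS name to SAN",
                      0x00800000: "CA adds servicePrincipalName to SAN",
                      0x01000000: "CA adds objectGUID to SAN",
                      0x02000000: "CA adds userPrincipalName to SAN",
                      0x04000000: "CA adds mail to SAN",
                      0x08000000: "CA adds dNSHostName to SAN",
                      0x10000000: "CA uses dNSHostName as Subject CN",
                      0x20000000: "CA uses mail as Subject",
                      0x40000000: "CA sets Subject to cn",
                      0x80000000: "CA sets Subject to distinguishedName"}
ENROLLMENT_FLAGS = {0x00000001: "include S/MIME Capabilities extension",
                    0x00000008: "CA publishes cert to userCertificate",
                    0x00000010: "CA checks userCertificate for existing cert",
                    0x00000040: "renewal signed with existing key",
                    0x00000100: "user consent required",
                    0x00000400: "remove expired/revoked/renewed certs",
                    0x00002000: "reuse key on smart card renewal"}
GENERAL_FLAGS = {0x00000040: "GeneralMachineType", 0x00000080: "GeneralCA", 0x00000800: "GeneralCrossCA"}
FLAG_TABLES = {"privateKeyFlags": PRIVATE_KEY_FLAGS, "subjectNameFlags": SUBJECT_NAME_FLAGS,
               "enrollmentFlags": ENROLLMENT_FLAGS, "generalFlags": GENERAL_FLAGS}
ENROLLEE_SUPPLIES = 0x00000001 | 0x00010000


def decode_flags(value, table):
    """Return (labels of the bits set, bits set that the table does not list)."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return names, value & ~sum(table)


def read_nillable_int(attrs, local):
    """Integer value of a child element, or None when it is xsi:nil or absent."""
    el = attrs.find(q(local))
    if el is None or el.get(f"{{{XSI}}}nil") == "true":
        return None
    return int(el.text.strip())


def check_attributes(attrs):
    """Decode one <attributes> element; return (summary dict, list of rule violations)."""
    cn = attrs.findtext(q("commonName"))
    schema = int(attrs.findtext(q("policySchema")))
    summary, problems, raw = {"commonName": cn, "policySchema": schema}, [], {}
    if schema not in (1, 2, 3):
        problems.append(f"{cn}: policySchema {schema} is not 1, 2 or 3")
    for local, table in FLAG_TABLES.items():
        raw[local] = read_nillable_int(attrs, local) or 0  # nil: no bits set
        summary[local], unlisted = decode_flags(raw[local], table)
        if unlisted:
            problems.append(f"{cn}: {local} has bits 0x{unlisted:08X} not listed in the section")
    subj = raw["subjectNameFlags"]
    if subj & 0x00000008 and not subj & ENROLLEE_SUPPLIES:
        problems.append(f"{cn}: 0x00000008 set without either EnrolleeSupplies flag")
    summary["hashAlgorithmOIDReference"] = read_nillable_int(attrs, "hashAlgorithmOIDReference")
    if schema in (1, 2) and summary["hashAlgorithmOIDReference"] is not None:
        problems.append(f"{cn}: hashAlgorithmOIDReference must be nil for policySchema {schema}")
    # With an EnrolleeSupplies bit set the CA takes names from the request; review with <permission>.
    summary["enrolleeSuppliesNames"] = bool(subj & ENROLLEE_SUPPLIES)
    return summary, problems


def check_response(xml_text):
    """Check every <attributes> in a response, plus commonName uniqueness across them."""
    results, problems, seen = [], [], set()
    for attrs in ET.fromstring(xml_text).iter(q("attributes")):
        summary, found = check_attributes(attrs)
        if summary["commonName"] in seen:
            problems.append(f"duplicate commonName {summary['commonName']!r} in one response")
        seen.add(summary["commonName"])
        results.append(summary)
        problems.extend(found)
    return results, problems


# Constructed sample (not a captured response); uninspected children omitted, wrappers assumed.
SAMPLE_RESPONSE = f"""<policies xmlns="{XCEP}" xmlns:xsi="{XSI}">
  <policy><attributes><commonName>WebServer</commonName><policySchema>3</policySchema>
    <privateKeyFlags>16</privateKeyFlags><subjectNameFlags>65537</subjectNameFlags>
    <enrollmentFlags>0</enrollmentFlags><generalFlags>64</generalFlags>
    <hashAlgorithmOIDReference>2</hashAlgorithmOIDReference></attributes></policy>
  <policy><attributes><commonName>User</commonName><policySchema>2</policySchema>
    <privateKeyFlags xsi:nil="true"/><subjectNameFlags>8</subjectNameFlags>
    <enrollmentFlags>41</enrollmentFlags><generalFlags>0</generalFlags>
    <hashAlgorithmOIDReference>1</hashAlgorithmOIDReference></attributes></policy>
</policies>"""
```

Running check_response(SAMPLE_RESPONSE) reports the first policy as clean, with both EnrolleeSupplies bits decoded, and three findings against the second: an enrollmentFlags bit (0x00000020) outside the values tabulated in this section, 0x00000008 set without an EnrolleeSupplies flag, and a non-nil hashAlgorithmOIDReference under policySchema 2. A bit outside the tables is reported rather than rejected outright because the ##any extensibility point means a server may legitimately carry more than this section enumerates; the MUST rules, by contrast, are hard violations.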

rARequirements: An instance of an RARequirements object as defined in section 3.1.4.1.3.21.

keyArchivalAttributes: An instance of a KeyArchivalAttributes object as defined in section 3.1.4.1.3.15.

extensions: An instance of an ExtensionCollection object as defined in section 3.1.4.1.3.13.

##any: This element provides a vendor extensibility point. Additional elements MAY be added.