Edit

IKEEXT_CERTIFICATE_AUTHENTICATION1 structure (iketypes.h)

  • Article

The IKEEXT_CERTIFICATE_AUTHENTICATION2 is available. For Windows Vista, IKEEXT_CERTIFICATE_AUTHENTICATION0 is available.

 

Syntax

typedef struct IKEEXT_CERTIFICATE_AUTHENTICATION1_ {
  IKEEXT_CERT_CONFIG_TYPE inboundConfigType;
  union {
    struct {
      UINT32                   inboundRootArraySize;
      IKEEXT_CERT_ROOT_CONFIG0 *inboundRootArray;
    };
    IKEEXT_CERT_ROOT_CONFIG0 *inboundEnterpriseStoreConfig;
    IKEEXT_CERT_ROOT_CONFIG0 *inboundTrustedRootStoreConfig;
  };
  IKEEXT_CERT_CONFIG_TYPE outboundConfigType;
  union {
    struct {
      UINT32                   outboundRootArraySize;
      IKEEXT_CERT_ROOT_CONFIG0 *outboundRootArray;
    };
    IKEEXT_CERT_ROOT_CONFIG0 *outboundEnterpriseStoreConfig;
    IKEEXT_CERT_ROOT_CONFIG0 *outboundTrustedRootStoreConfig;
  };
  UINT32                  flags;
  FWP_BYTE_BLOB           localCertLocationUrl;
} IKEEXT_CERTIFICATE_AUTHENTICATION1;

Members

inboundConfigType

Certificate configuration type for inbound peer certificate verification.

See IKEEXT_CERT_CONFIG_TYPE for more information.

inboundRootArraySize

Number of elements in the inboundRootArray member.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

inboundRootArray

Explicit trust list for verifying the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

inboundEnterpriseStoreConfig

Enterprise store configuration for verifying the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_ENTERPRISE_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

inboundTrustedRootStoreConfig

Trusted root store configuration for verifying the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

outboundConfigType

Certificate configuration type for outbound local certificate verification.

See IKEEXT_CERT_CONFIG_TYPE for more information.

outboundRootArraySize

Number of elements in the outboundRootArray member.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

outboundRootArray

Explicit trust list for selecting a certificate chain to send to the peer.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

outboundEnterpriseStoreConfig

Enterprise store configuration for selecting the certificate chain.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_ENTERPRISE_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

outboundTrustedRootStoreConfig

Trusted root store configuration for selecting the certificate chain.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_ROOT_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

flags

A combination of the following values that specifies the certificate authentication characteristics.

IKE/AuthIP certificate authentication flag Meaning
IKEEXT_CERT_AUTH_FLAG_SSL_ONE_WAY
 Enable SSL one-way authentication.

Applicable only to AuthIP.
IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK
Disable CRL checking. By default weak CRL checking is enabled. Weak checking means that a certificate will be rejected if and only if CRL is successfully looked up and the certificate is found to be revoked.
IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG
 Enable strong CRL checking. Strong checking means that a certificate will be rejected if certificate is found to be revoked, or if any other error (for example, CRL could not be retrieved) takes place while performing the revocation checking.
IKEEXT_CERT_AUTH_DISABLE_SSL_CERT_VALIDATION
 Disables the SSL server authentication extended key usage (EKU) check. Other types of AuthIP validation are still performed.

Applicable only to AuthIP.
IKEEXT_CERT_AUTH_ALLOW_HTTP_CERT_LOOKUP
 Allow lookup of peer certificate information from an HTTP URL.

Applicable only to IKEv2.
IKEEXT_CERT_AUTH_URL_CONTAINS_BUNDLE
 The URL specified in the certificate authentication policy points to an encoded certificate-bundle. If this flag is not specified, IKEv2 will assume that the URL points to an encoded certificate.

Applicable only to IKEv2.

localCertLocationUrl

HTTP URL pointing to an encoded certificate or certificate-bundle, that will be used by IKEv2 for authenticating local machine to a peer.

Applicable only to IKEv2.

See FWP_BYTE_BLOB for more information.

Requirements

Requirement Value
Minimum supported client Windows 7 [desktop apps only]
Minimum supported server Windows Server 2008 R2 [desktop apps only]
Header iketypes.h

See also

Windows Filtering Platform API Structures