IKEEXT_CERTIFICATE_AUTHENTICATION0 structure (iketypes.h)

IKEEXT_CERTIFICATE_AUTHENTICATION1 is available. For Windows 8, IKEEXT_CERTIFICATE_AUTHENTICATION2 is available.

 

Syntax

typedef struct IKEEXT_CERTIFICATE_AUTHENTICATION0_ {
  IKEEXT_CERT_CONFIG_TYPE inboundConfigType;
  union {
    struct {
      UINT32                   inboundRootArraySize;
      IKEEXT_CERT_ROOT_CONFIG0 *inboundRootArray;
    };
    IKEEXT_CERT_ROOT_CONFIG0 *inboundEnterpriseStoreConfig;
    IKEEXT_CERT_ROOT_CONFIG0 *inboundTrustedRootStoreConfig;
  };
  IKEEXT_CERT_CONFIG_TYPE outboundConfigType;
  union {
    struct {
      UINT32                   outboundRootArraySize;
      IKEEXT_CERT_ROOT_CONFIG0 *outboundRootArray;
    };
    IKEEXT_CERT_ROOT_CONFIG0 *outboundEnterpriseStoreConfig;
    IKEEXT_CERT_ROOT_CONFIG0 *outboundTrustedRootStoreConfig;
  };
  UINT32                  flags;
} IKEEXT_CERTIFICATE_AUTHENTICATION0;

Members

inboundConfigType

Certificate configuration type for inbound peer certificate verification.

See IKEEXT_CERT_CONFIG_TYPE for more information.

inboundRootArraySize

Number of elements in the inboundRootArray member.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

inboundRootArray

Explicit trust list for verifying the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

inboundEnterpriseStoreConfig

Enterprise store configuration for verifying the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_ENTERPRISE_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

inboundTrustedRootStoreConfig

Trusted root store configuration for verifying the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

outboundConfigType

Certificate configuration type for outbound local certificate verification.

See IKEEXT_CERT_CONFIG_TYPE for more information.

outboundRootArraySize

Number of elements in the outboundRootArray member.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

outboundRootArray

Explicit trust list for selecting a certificate chain to send to the peer.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

outboundEnterpriseStoreConfig

Enterprise store configuration for selecting the certificate chain.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_ENTERPRISE_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

outboundTrustedRootStoreConfig

Trusted root store configuration for selecting the certificate chain.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE.

See IKEEXT_CERT_ROOT_CONFIG0 for more information.

flags

A combination of the following values that specifies the certificate authentication characteristics.

| IKE/AuthIP certificate authentication flag | Meaning |
|---|---|
| IKEEXT_CERT_AUTH_FLAG_SSL_ONE_WAY | Enable SSL one-way authentication. Applicable only to AuthIP. |
| IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK | Disable CRL checking. By default, weak CRL checking is enabled. Weak checking means that a certificate will be rejected if and only if the CRL is successfully looked up and the certificate is found to be revoked. |
| IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG | Enable strong CRL checking. Strong checking means that a certificate will be rejected if the certificate is found to be revoked, or if any other error (for example, the CRL could not be retrieved) takes place while performing the revocation checking. |
| IKEEXT_CERT_AUTH_DISABLE_SSL_CERT_VALIDATION | SSL validation requires certain EKUs, such as the server authentication EKU in a server's certificate. This flag disables the server authentication EKU check; the other IKE-style certificate verification is still performed. Applicable only to AuthIP. |
| IKEEXT_CERT_AUTH_ALLOW_HTTP_CERT_LOOKUP | Allow lookup of peer certificate information from an HTTP URL. Applicable only to IKEv2. Available only on Windows 7, Windows Server 2008 R2, and later. |
| IKEEXT_CERT_AUTH_URL_CONTAINS_BUNDLE | Indicates that the URL specified in the certificate authentication policy points to an encoded certificate bundle. If this flag is not specified, IKEv2 will assume that the URL points to an encoded certificate. Applicable only to IKEv2. Available only on Windows 7, Windows Server 2008 R2, and later. |
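The weak and strong CRL checking described for the flags member differ in what happens when the revocation lookup itself fails. The following added example (not part of the original page or the Windows SDK) models that decision and audits a flags value; the enum and function names are hypothetical, and the numeric flag values are assumed to match iketypes.h.

```c
#include <stdint.h>

/* Values assumed to match the SDK's iketypes.h (the page gives names only). */
#ifndef IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK
#define IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK      0x00000002u
#define IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG     0x00000004u
#define IKEEXT_CERT_AUTH_DISABLE_SSL_CERT_VALIDATION 0x00000008u
#define IKEEXT_CERT_AUTH_ALLOW_HTTP_CERT_LOOKUP      0x00000010u
#endif

/* Hypothetical names for this example; none of these are WFP identifiers. */
typedef enum { CRL_GOOD, CRL_REVOKED, CRL_LOOKUP_FAILED } crl_outcome;
typedef enum { REV_DISABLED, REV_WEAK, REV_STRONG } rev_mode;
enum {
    FINDING_CRL_DISABLED  = 1 << 0, /* revoked certificates are accepted   */
    FINDING_CRL_FAIL_OPEN = 1 << 1, /* weak default: lookup errors ignored */
    FINDING_CRL_CONFLICT  = 1 << 2, /* disable and strong flags both set   */
    FINDING_EKU_CHECK_OFF = 1 << 3, /* server authentication EKU unchecked */
    FINDING_HTTP_LOOKUP   = 1 << 4  /* peer certificate fetched over HTTP  */
};

/* Revocation mode implied by flags. The page does not say which flag wins
   when both CRL flags are set; this audit assumes the disabling one does. */
rev_mode revocation_mode(uint32_t flags) {
    if (flags & IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK) return REV_DISABLED;
    if (flags & IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG) return REV_STRONG;
    return REV_WEAK;
}

/* 1 if revocation checking rejects the certificate, per the page's
   definitions of weak and strong checking. */
int rejected_by_revocation(uint32_t flags, crl_outcome outcome) {
    switch (revocation_mode(flags)) {
    case REV_STRONG: return outcome != CRL_GOOD;    /* fail closed */
    case REV_WEAK:   return outcome == CRL_REVOKED; /* fail open   */
    default:         return 0;                      /* never rejects */
    }
}

/* Bitmask of FINDING_* values for a flags member read from a policy. */
uint32_t audit_cert_auth_flags(uint32_t flags) {
    uint32_t f = 0;
    rev_mode m = revocation_mode(flags);
    if (m == REV_DISABLED) f |= FINDING_CRL_DISABLED;
    if (m == REV_WEAK)     f |= FINDING_CRL_FAIL_OPEN;
    if (m == REV_DISABLED && (flags & IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG))
        f |= FINDING_CRL_CONFLICT;
    if (flags & IKEEXT_CERT_AUTH_DISABLE_SSL_CERT_VALIDATION) f |= FINDING_EKU_CHECK_OFF;
    if (flags & IKEEXT_CERT_AUTH_ALLOW_HTTP_CERT_LOOKUP)      f |= FINDING_HTTP_LOOKUP;
    return f;
}
```

A flags value of 0 yields FINDING_CRL_FAIL_OPEN: under the default weak mode, a peer whose CRL cannot be retrieved is still accepted.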

Requirements

| Requirement | Value |
|---|---|
| Minimum supported client | Windows Vista [desktop apps only] |
| Minimum supported server | Windows Server 2008 [desktop apps only] |
| Header | iketypes.h |

See also

FWP_BYTE_BLOB

IKEEXT_CERT_CONFIG_TYPE

IKEEXT_CERT_ROOT_CONFIG0

Windows Filtering Platform API Structures