Edit

Share via

IKEEXT_CERTIFICATE_AUTHENTICATION2 structure (iketypes.h)

  • Article

The IKEEXT_CERTIFICATE_AUTHENTICATION2 structure is used to specify various parameters for authentication with certificates. IKEEXT_CERTIFICATE_AUTHENTICATION0 is available.

 

Syntax

typedef struct IKEEXT_CERTIFICATE_AUTHENTICATION2_ {
  IKEEXT_CERT_CONFIG_TYPE inboundConfigType;
  union {
    struct {
      UINT32                       inboundRootArraySize;
      IKEEXT_CERTIFICATE_CRITERIA0 *inboundRootCriteria;
    };
    struct {
      UINT32                       inboundEnterpriseStoreArraySize;
      IKEEXT_CERTIFICATE_CRITERIA0 *inboundEnterpriseStoreCriteria;
    };
    struct {
      UINT32                       inboundRootStoreArraySize;
      IKEEXT_CERTIFICATE_CRITERIA0 *inboundTrustedRootStoreCriteria;
    };
  };
  IKEEXT_CERT_CONFIG_TYPE outboundConfigType;
  union {
    struct {
      UINT32                       outboundRootArraySize;
      IKEEXT_CERTIFICATE_CRITERIA0 *outboundRootCriteria;
    };
    struct {
      UINT32                       outboundEnterpriseStoreArraySize;
      IKEEXT_CERTIFICATE_CRITERIA0 *outboundEnterpriseStoreCriteria;
    };
    struct {
      UINT32                       outboundRootStoreArraySize;
      IKEEXT_CERTIFICATE_CRITERIA0 *outboundTrustedRootStoreCriteria;
    };
  };
  UINT32                  flags;
  FWP_BYTE_BLOB           localCertLocationUrl;
} IKEEXT_CERTIFICATE_AUTHENTICATION2;

Members

inboundConfigType

Type: IKEEXT_CERT_CONFIG_TYPE

Certificate configuration type for inbound peer certificate verification.

inboundRootArraySize

Type: UINT32

Number of elements in the inboundRootCriteria member.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

inboundRootCriteria

Type: IKEEXT_CERTIFICATE_CRITERIA0*

List of certificate criteria containing explicit trusted authorities that should be used to verify the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

inboundEnterpriseStoreArraySize

Type: UINT32

Number of elements in the inboundEnterpriseStoreCriteria member.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_ENTERPRISE_STORE.

inboundEnterpriseStoreCriteria

Type: IKEEXT_CERTIFICATE_CRITERIA0*

List of enterprise store criteria that should be used to verify the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_ENTERPRISE_STORE.

inboundRootStoreArraySize

Type: UINT32

Number of elements in the inboundTrustedRootStoreCriteria member.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE.

inboundTrustedRootStoreCriteria

Type: IKEEXT_CERTIFICATE_CRITERIA0*

List of trusted root store criteria that should be used to verify the peer certificate chain.

Available when inboundConfigType is IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE.

outboundConfigType

Type: IKEEXT_CERT_CONFIG_TYPE

Certificate configuration type for outbound local certificate verification.

outboundRootArraySize

Type: UINT32

Number of elements in the outboundRootCriteria member.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

outboundRootCriteria

Type: IKEEXT_CERTIFICATE_CRITERIA0*

List of certificate criteria containing explicit trusted authorities that should be used to select the certificate chain that will be sent to the peer.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST.

outboundEnterpriseStoreArraySize

Type: UINT32

Number of elements in the outboundEnterpriseStoreCriteria member.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_ENTERPRISE_STORE.

outboundEnterpriseStoreCriteria

Type: IKEEXT_CERTIFICATE_CRITERIA0*

List of enterprise store criteria that should be used to select the certificate chain that will be sent to the peer.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_ENTERPRISE_STORE.

outboundRootStoreArraySize

Type: UINT32

Number of elements in the outboundRootStoreArraySize member.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE.

outboundTrustedRootStoreCriteria

Type: IKEEXT_CERTIFICATE_CRITERIA0*

List of trusted root store criteria that should be used to select the certificate chain that will be sent to the peer.

Available when outboundConfigType is IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE.

flags

Type: UINT32

A combination of the following values that specifies the certificate authentication characteristics.

IKE/AuthIP certificate authentication flag Meaning
IKEEXT_CERT_AUTH_FLAG_SSL_ONE_WAY
 Enable SSL one-way authentication.

Applicable only to AuthIP.
IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK
Disable CRL checking. By default weak CRL checking is enabled. Weak checking means that a certificate will be rejected if and only if CRL is successfully looked up and the certificate is found to be revoked.
IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG
 Enable strong CRL checking. Strong checking means that a certificate will be rejected if certificate is found to be revoked, or if any other error (for example, CRL could not be retrieved) takes place while performing the revocation checking.
IKEEXT_CERT_AUTH_DISABLE_SSL_CERT_VALIDATION
 Disables the SSL server authentication extended key usage (EKU) check. Other types of AuthIP validation are still performed.

Applicable only to AuthIP.
IKEEXT_CERT_AUTH_ALLOW_HTTP_CERT_LOOKUP
 Allow lookup of peer certificate information from an HTTP URL.

Applicable only to IKEv2.
IKEEXT_CERT_AUTH_URL_CONTAINS_BUNDLE
 The URL specified in the certificate authentication policy points to an encoded certificate-bundle. If this flag is not specified, IKEv2 will assume that the URL points to an encoded certificate.

Applicable only to IKEv2.

localCertLocationUrl

Type: FWP_BYTE_BLOB

HTTP URL pointing to an encoded certificate or certificate-bundle, that will be used by IKEv2 for authenticating local machine to a peer.

Applicable only to IKEv2.

Requirements

Requirement Value
Minimum supported client Windows 8 [desktop apps only]
Minimum supported server Windows Server 2012 [desktop apps only]
Header iketypes.h

See also

Windows Filtering Platform API Structures