Partager via


3.1.1.10 Configuration Data

The CA MUST maintain the following ADM elements.<11> Certificate Services Remote Administration Protocol server implementations that also implement the Windows Client Certificate Enrollment Protocol or the ICertPassage Remote Protocol use the same configuration data elements, defined here, for those implementations. If either Windows Client Certificate Enrollment Protocol or ICertPassage Remote Protocol or both are also implemented, access to the configuration data elements from either or both of these protocols SHOULD be serialized.

Config_CA_KRA_Cert_List: An indexed list of KRA certificates shared from the Config_CA_KRA_Cert_List list as defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_KRA_Cert_Count: A numeral shared from the Config_CA_KRA_Cert_Count element defined in [MS-WCCE] section 3.2.1.1.4.

Config_Configuration_Directory: A UNC path shared from the Config_Configuration_Directory path defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Parent_DNS: An FQDN of the parent CA, shared from the Config_CA_Parent_DNS element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Role_Separation: An indicator of role separation state, shared from the Config_CA_Role_Separation element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Exchange_Cert: A list of SHA-1 hash values of all currently valid CA exchange certificates, shared from the Config_CA_Exchange_Cert element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_CDP_Publish_To_Base: A list of one or more CRL publishing locations, shared from the list Config_CA_CDP_Publish_To_Base [MS-WCCE] section 3.2.1.1.4. The format requirements for each list value are specified in section 3.1.1.8.

Config_CA_CDP_Publish_To_Delta: A list of one or more delta CRL publishing locations, shared from the list Config_CA_CDP_Publish_To_Delta defined in [MS-WCCE] section 3.2.1.1.4. The format requirements for each list value are specified in section 3.1.1.8.

Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension: A list of one or more CRL publishing locations, shared from the list Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension defined in [MS-WCCE] section 3.2.1.1.4. The format requirements for each list value are specified in section 3.1.1.8.

Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension: A list of one or more delta CRL publishing locations, shared from the list Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension defined in [MS-WCCE] section 3.2.1.1.4. The format requirements for each list value are specified in section 3.1.1.8.

Config_CA_CDP_Include_In_CRL_IDP_Extension: A list of one or more CRL publishing locations, shared from the list Config_CA_CDP_Include_In_CRL_IDP_Extension defined in [MS-WCCE] section 3.2.1.1.4. The format requirements for each list value are specified in section 3.1.1.8.

Config_CA_CDP_Include_In_Cert: A list shared from the Config_CA_CDP_Include_In_Cert list defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_AIA_Include_In_Cert: A list shared from the Config_CA_CDP_Include_In_Cert list defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_OCSP_Include_In_Cert: A list shared from the Config_CA_OCSP_Include_In_Cert list defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Policy_Algorithm_Implementation: The name of the policy algorithm, shared from the Config_CA_Policy_Algorithm_Implementation element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Exit_Algorithm_Implementation_List: A list of names of the exit algorithms, shared from the list Config_CA_Exit_Algorithm_Implementation_List defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Exit_Count: A numeral shared from the Config_CA_Exit_Count element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Accept_Request_Attributes_ValidityTime: A Boolean value shared from the Config_CA_Accept_Request_Attributes_ValidityTime element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Accept_Request_Attributes_Extensions: A Boolean value shared from the Config_CA_Accept_Request_Attributes_Extensions element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Accept_Request_Attributes_SAN: A Boolean value shared from the Config_CA_Accept_Request_Attributes_SAN element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Accept_Request_Attributes_Other: A Boolean value shared from the Config_CA_Accept_Request_Attributes_Other element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Accept_Request_Attributes_CertPath: A Boolean value shared from the Config_CA_Accept_Request_Attributes_CertPath element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Allow_RenewOnBehalfOf_Requests: A Boolean value shared from the Config_CA_Allow_RenewOnBehalfOf_Requests element defined in [MS-WCCE] section 3.2.1.1.4,<12>

Config_CA_Requests_Disposition: A 4-byte integer value shared from the Config_CA_Requests_Disposition element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Audit_Filter: The list of, at most, 32 events for which the CA server will create local security audit log entries. Filter values are defined in 3.1.4.2.10.

Config_CA_CACert_Publish_To: The list of locations to which the CA will publish its own certificate.

Config_CA_Common_Name: A null-terminated UNICODE string that contains the name of the CA.

Config_CA_Interface_Flags: A set of flags, shared from the Config_CA_Interface_Flags element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_KRA_Flags: A set of flags that implementers can use to affect server behavior.

Config_Product_Version: A numeral or series of numerals, shared with the Config_Product_Version element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_Type: A CA type as defined in [MS-WCCE] section 2.2.2.4 as CAType.

Config_CA_Use_DS: A numeral that indicates whether the CA uses Active Directory for CRL publishing or not. A value of 1 or greater means Active Directory is used. A value of 0 means it is not used.

Config_CSP_CNG_Hash_Algorithm: A string that contains the name of the Hash algorithm used by the CA.

Config_CSP_Hash_Algorithm: A numeral that identifies the Hash algorithm used by the CA.

Config_CSP_Provider: The name of the cryptographic service provider (CSP) used by the CA.

Config_CSP_ProviderType: A numeral that indicates the type of CSP used by the CA.

Config_Setup_Status: A numeral that indicates the current status of the CA installation, for example whether it is complete.

Config_CA_DN_Order_String: A string, shared from the Config_CA_DN_Order_String element defined in [MS-WCCE] section 3.2.1.1.4.

Config_CA_CRL_Next_Publish: The CERTTIME value of the timer specified in section 3.1.2.1.1 that indicates the next time the CA will publish base CRLs. This element is updated by the PublishCRL and PublishCRLs methods.

Config_CA_CRL_Delta_Next_Publish: The CERTTIME value of the timer specified in section 3.1.2.1.2 that indicates the next time the CA will publish delta CRLs. This element is updated by the PublishCRL and PublishCRLs methods.

Config_CA_CRL_Attempt_Republish: This data element is a non-negative integer that, by its value, indicates:

Whether or not the server will attempt to republish CRLs.

If the value is 0 or is greater than or equal to 10, no retries will happen. If the value is greater than 0 and less than 10, then retries will happen.

How many previous unsuccessful attempts to publish CRLs have occurred since the last regularly scheduled CRL publishing attempt (including the last regularly scheduled publishing attempt, if that attempt was unsuccessful).

Config_CA_LDAP_Flags: This data element has two possible values:

0 means that port 389 will be used when opening an Active Directory connection to publish CRLs to ldap:/// locations.

1 means that port 636 will be used when opening an Active Directory connection to publish CRLs to ldap:/// locations.

Config_High_Serial_Number: A 4-byte integer, shared with the Config_High_Serial_Number element defined in [MS-WCCE] section 3.2.1.1.4, that is used in generating certificate serial numbers.

Config_High_Serial_String: A string value, shared with the Config_High_Serial_String element defined in [MS-WCCE] section 3.2.1.1.4 that is used in generating certificate serial numbers.

Config_Max_Number_Of_AD_Connections: A 4-byte integer that indicates the maximum number of cached ADConnection handles.

Config_AD_Connection_Referral: A flag that indicates whether referral option for ADConnection is set to TRUE.

Config_Hardware_Key_List_Directories: A list of strings, each one a UNC or local file path to a folder that contains empty files. Each file name is the SHA2 hash, as a hexadecimal string with no spaces, of a hardware key trusted by the CA for key attestation by public key. The CA has read access to this location.

Config_CertificateTransparency_Enabled: A flag that indicates whether Certificate Transparency processing is enabled at the server. Defaults to False.<13>

Config_CertificateTransparency_Disable_SCTList_Validation: A flag that indicates whether syntactical validation of the SignedCertificateTimestampList is performed at the server. Defaults to False.

Config_CertificateTransparency_Max_SCTList_Size: A 4-byte integer that indicates the maximum size of the SignedCertificateTimestampList in bytes. Defaults to 1024.

Config_CertificateTransparency_Info_Extension_Oid: A string value that the CA sets for the SignedCertificateTimestampList extension in the issued certificate. Defaults to OID (2) szOID_CT_CERT_SCTLIST (1.3.6.1.4.1.11129.2.4.2) [RFC6962].

Each element defined below as "OnNextRestart_Config_Element_Name" will lend its value to the corresponding data element "Config_Element_Name" upon next CA restart.

The "OnNextRestart_..." element's value is available to the method GetConfigEntry at any time, regardless of CA restart.

Any configuration elements defined above that do not have corresponding values defined below always have equivalent on-disk values (available to GetConfigEntry) and in-memory values (used by CA).

OnNextRestart_Config_Max_Number_Of_AD_Connections: The value the Config_Max_Number_Of_AD_Connections data element will attain on next CA restart.

OnNextRestart_Config_AD_Connection_Referral: The value the Config_AD_Connection_Referral data element will attain on next CA restart.

OnNextRestart_Config_Permissions_CA_Security: The value the Config_Permissions_CA_Security data element will attain on next CA restart.

OnNextRestart_Config_Setup_Status: The value the Config_Setup_Status data element will attain on next CA restart.

OnNextRestart_Config_CA_Use_DS: The value the Config_CA_Use_DS data element will attain on next CA restart.

OnNextRestart_Config_CA_Type: The value the Config_CA_Type data element will attain on next CA restart.

OnNextRestart_Config_CA_KRA_Flags: The value the Config_CA_KRA_Flags data element will attain on next CA restart.

OnNextRestart_Config_Product_Version: The value the Config_Product_Version data element will attain on next CA restart.

OnNextRestart_Config_CA_Common_Name: The value the Config_CA_Common_Name data element will attain on next CA restart.

OnNextRestart_Config_CA_Interface_Flags: The value the Config_CA_Interface_Flags data element will attain on next CA restart.

OnNextRestart_Config_CSP_Provider: The value the Config_CSP_Provider data element will attain on next CA restart.

OnNextRestart_Config_CSP_ProviderType: The value the Config_CSP_ProviderType data element will attain on next CA restart.

OnNextRestart_Config_CSP_Hash_Algorithm: The value the Config_CSP_Hash_Algorithm data element will attain on next CA restart.

OnNextRestart_Config_CSP_CNG_Hash_Algorithm: The value the Config_CSP_CNG_Hash_Algorithm data element will attain on next CA restart.

OnNextRestart_Config_CA_CRL_Next_Publish: The value the Config_CA_CRL_Next_Publish data element will attain upon next CA restart. This element is updated by, but not read by, the CA's PublishCRL and PublishCRLs methods.

OnNextRestart_Config_CA_CRL_Delta_Next_Publish: The value the Config_CA_CRL_Delta_Next_Publish data element will attain on next CA restart. This element is updated by, but not read by, the CA's PublishCRL and PublishCRLs methods.

OnNextRestart_Config_CA_Audit_Filter: The value the Config_CA_Audit_Filter data element will attain on next CA restart.

OnNextRestart_Config_CA_Policy_Algorithm_Implementation: The value the Config_CA_Policy_Algorithm_Implementation data element will attain on next CA restart.

OnNextRestart_Config_CA_Exit_Algorithm_Implementation_List: The value the Config_CA_Exit_Algorithm_Implementation_List data element will attain on next CA restart.

OnNextRestart_Config_CA_CDP_Publish_To_Base: The value the Config_CA_CDP_Publish_To_Base data element will attain on next CA restart.

OnNextRestart_Config_CA_CDP_Publish_To_Delta: The value the Config_CA_CDP_Publish_To_Delta data element will attain on next CA restart.

OnNextRestart_Config_CA_CDP_Include_In_Cert: The value the Config_CA_CDP_Include_In_Cert data element will attain on next CA restart.

OnNextRestart_Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension: The value the Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension data element will attain on next CA restart.

OnNextRestart_Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension: The value the Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension data element will attain on next CA restart.

OnNextRestart_Config_CA_CDP_Include_In_CRL_IDP_Extension: The value the Config_CA_CDP_Include_In_CRL_IDP_Extension data element will attain on next CA restart.

OnNextRestart_Config_CA_AIA_Include_In_Cert: The value the Config_CA_AIA_Include_In_Cert data element will attain on next CA restart.

OnNextRestart_Config_CA_CACert_Publish_To: The value the Config_CA_CACert_Publish_To data element will attain on next CA restart.

OnNextRestart_Config_CA_OCSP_Include_In_Cert: The value the Config_CA_OCSP_Include_In_Cert data element will attain on next CA restart.

OnNextRestart_Config_CA_LDAP_Flags: The value that the Config_CA_LDAP_Flags data element will attain on next CA restart.

OnNextRestart_Config_High_Serial_Number: The value the Config_High_Serial_Number data element will attain on next CA restart.

OnNextRestart_Config_High_Serial_String: The value the Config_High_Serial_String data element will attain on next CA restart.

OnNextRestart_Config_CA_CRL_Attempt_Republish: The value the Config_CA_CRL_Attempt_Republish data element will attain on next CA restart.

OnNextRestart_Config_CA_Requests_Disposition: The value of the Config_CA_Requests_Disposition data element will attain on next CA restart.