
3.2.1.4.2.1.4.7 Constructing Certificate

The CA SHOULD add the required certificate fields to the certificate as specified in [RFC3280]. This specification does not guarantee serial number uniqueness, which deviates from [RFC3280] section 4.1.2.2. The serial number SHOULD be generated as specified in section 3.2.1.4.2.1.4.6.

The CA MUST NOT issue a certificate that has neither a subject name nor a SAN extension. If, after processing the certificate request, the CA has no information to encode in either the subject name or the SAN extension, the CA MUST return 0x80094001 (CERTSRV_E_BAD_REQUESTSUBJECT) to the client.

The CA MUST set the notBefore field equal to the current time minus the value of the Config_CA_Clock_Skew_Minutes data.

The CA also MUST add the following extensions:

  • CRL Distribution Point (CDP) Extension

    This extension is described in [RFC3280], section 4.2.1.14. The CA MUST construct this extension in the following manner:

    • The cRLDistributionPoint MUST consist of a single instance of the DistributionPoint.

    • The DistributionPoint MUST have its distributionPoint field set to a fullName containing all entries from the Config_CA_CDP_Include_In_Cert data.

  • If the Config_CA_AIA_Include_In_Cert or Config_CA_OCSP_Include_In_Cert list is not empty, the CA MUST add the AIA Extension.

    This extension is described in [RFC3280], section 4.2.2.1. The CA MUST construct this extension in the following manner:

    • The AuthorityInfoAccessSyntax MUST consist of a sequence of AccessDescription elements corresponding to each item in the Config_CA_AIA_Include_In_Cert and Config_CA_OCSP_Include_In_Cert lists.

    • For the items from the Config_CA_AIA_Include_In_Cert list, the accessMethod field of the AccessDescription structure MUST be set to the OID szOID_PKIX_CA_ISSUERS (1.3.6.1.5.5.7.48.2, id-ad-caIssuers).

    • For the items from the Config_CA_OCSP_Include_In_Cert list, the accessMethod field of the AccessDescription structure MUST be set to the OID szOID_PKIX_OCSP (1.3.6.1.5.5.7.48.1, id-ad-ocsp).
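As an added worked example that is not part of this specification or of any CA's code, the following stand-alone Python DER-encodes the two extension values exactly as this section lays them out (one DistributionPoint carrying every CDP URL in a fullName; one AccessDescription per AIA and OCSP URL, tagged with the OIDs listed above; no AIA extension when both lists are empty) and derives notBefore from the clock-skew setting. The sample URLs and the sample issuance time are constructed assumptions; only the standard library is used.

```python
import datetime

OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # szOID_PKIX_CA_ISSUERS (id-ad-caIssuers)
OID_OCSP = "1.3.6.1.5.5.7.48.1"         # szOID_PKIX_OCSP (id-ad-ocsp)
SAMPLE_NOW = datetime.datetime(2024, 1, 1, 12, 0, 0)  # constructed issuance time

def der_len(n):
    """DER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (first two arcs merged, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def uri_name(uri):
    # GeneralName uniformResourceIdentifier is [6] IMPLICIT IA5String -> tag 0x86
    return tlv(0x86, uri.encode("ascii"))

def crl_distribution_points(cdp_urls):
    """CRLDistributionPoints holding exactly one DistributionPoint, whose
    distributionPoint [0] (EXPLICIT) wraps fullName [0] (IMPLICIT GeneralNames)."""
    full_name = tlv(0xA0, b"".join(uri_name(u) for u in cdp_urls))
    distribution_point = tlv(0x30, tlv(0xA0, full_name))
    return tlv(0x30, distribution_point)

def authority_info_access(aia_urls, ocsp_urls):
    """AuthorityInfoAccessSyntax: one AccessDescription per configured URL, caIssuers
    entries first, then OCSP entries. Returns None when both lists are empty, i.e.
    the CA adds no AIA extension at all in that case."""
    descs = [tlv(0x30, der_oid(OID_CA_ISSUERS) + uri_name(u)) for u in aia_urls]
    descs += [tlv(0x30, der_oid(OID_OCSP) + uri_name(u)) for u in ocsp_urls]
    return tlv(0x30, b"".join(descs)) if descs else None

def not_before(now, skew_minutes):
    """notBefore = current time minus Config_CA_Clock_Skew_Minutes."""
    return now - datetime.timedelta(minutes=skew_minutes)
```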