Partager via


3.2.2.6.2.1.4.4.1 Flags

The following processing rules are applied to flags in this attribute.

Flag

Server processing

0x00000040

CT_FLAG_MACHINE_TYPE

If this flag is set and CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is not set in msPKI-Certificate-Name-Flag (section 3.2.2.6.2.1.4.5.9), and either CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME, CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN, or CT_FLAG_SUBJECT _ALT_REQUIRE_DNS is set in msPKI-Certificate-Name-Flag, the CA MUST require a nonempty value for the dNSHostName attribute of the requestor's computer object in the working directory. For this, the CA MUST invoke the processing rules in section 3.2.2.1.2 with input parameter EndEntityDistinguishedName set equal to the requester's computer object distinguished name and retrieve the dNSHostName attribute from the returned EndEntityAttributes output parameter. Also, the CA MUST use the value to construct the Subject field of the issued certificate. If the value is empty or if the computer object is not found, the CA MUST reject the request. The returned code SHOULD be 0x8009480F (CERTSRV_E_SUBJECT_DNS_REQUIRED).

0x00000080

CT_FLAG_IS_CA

If this flag is set, a CA MUST set the basic constraint extension and key usage extension in the certificate to be issued for the request. Specifications are in [RFC3280] sections 4.2.1.3 and 4.2.1.10.  The CA MUST set the cA field of the Basic Constraints extension to TRUE, and set the pathLenConstraint field as specified in section 3.2.2.6.2.1.4.4.5.

0x00000800

CT_FLAG_IS_CROSS_CA

If this flag is set, a CA MUST set the basic constraint extension and key usage extension in the certificate to be issued for the request. Specifications are in [RFC3280] sections 4.2.1.3 and 4.2.1.10. The CA MUST set the cA field of the Basic Constraints extension to TRUE, and the pathLenConstraint field MUST be set as specified in section 3.2.2.6.2.1.4.4.5.

0x00001000

CT_FLAG_DONOTPERSISTINDB

If this flag is set and if the certificate has been issued, the CA SHOULD NOT persist the information about the request in the Request table that is specified in section 3.2.1.1.1.<118>