2.2.2.7.10 szENROLLMENT_NAME_VALUE_PAIR
OID = 1.3.6.1.4.1.311.13.2.1
Internal Name: szOID_ENROLLMENT_NAME_VALUE_PAIR.
Description: Additional attributes that SHOULD be used.
Format: This attribute MUST be a collection of zero or more name-value pairs. The following is the ASN.1 format.
    EnrollmentNameValuePairs ::= SEQUENCE OF EnrollmentNameValuePair

    EnrollmentNameValuePair ::= SEQUENCE {
        name   BMPSTRING,
        value  BMPSTRING
    } --#public
The following table lists all the values that SHOULD be supported by the CA. Processing rules for the supported values for this collection MUST be as specified in section 3.2.1.4.2.1.2.
Note: If a value is in quotes, the value must be exactly the string within the quotes. For example, CertType has only a single possible value, "server".
| Name | Values | Comments | Value example |
|---|---|---|---|
| CertType | "server" | This attribute MUST be used along with a Netscape KEYGEN request. It MUST define the type of certificate that the client needs. | server |
| CertificateUsage | Comma-delimited OIDs | The request OIDs for use in the ExtendedKeyUsage extension, as specified in [RFC3280] section 4.2.1.13. | 2.5.29.3, 2.5.43.1 |
| ValidityPeriod | "Seconds" or "Minutes" or "Hours" or "Days" or "Weeks" or "Months" or "Years" | The validity period of the request MUST be defined in two values: number and units. For example, number=3 and units=weeks means that the request is for a certificate that will be valid for 3 weeks. This value MUST define the units for the validity period. | Weeks |
| ValidityPeriodUnits | Unsigned integer | This value MUST define the number of units used for the validity period. The units are defined in the ValidityPeriod attribute. | 3 |
| ExpirationDate | Date and time | This value MUST define the exact request expiration time of the requested certificate in the format defined in section 3.3 of [RFC2616].<14> | L"Tue, 21 Nov 2000 01:06:53 GMT" |
| cdc | | An Active Directory server FQDN. | dcmachine.contoso.com |
| rmd | FQDN | The requesting machine FQDN. | mymachine.contoso.com |
| CertificateTemplate | The cn attribute on the Active Directory object that contains the certificate template | This value MUST define the certificate template that was used by the client to construct the certificate request. | ContosoAdministrator |
| SAN | Name-value collection | This value MUST contain a collection of one or more name-value pairs for the SubjectAltName extension. The format for the internal collection MUST be: "name1=value1&name2=value2". The supported names for this internal name-value collection are: Guid, FQDN, Dn, url, ipaddress, oid, upn, spn. For all these names, the value MAY be any string. In addition to these names, the name MAY be any OID. If it is an OID, the value MUST be encoded as defined in the following table. | 1.2.3.4=user679&guid=exampleguid&oid=4.3.2.1&email=user679@contoso.com |
| challenge | Password | This attribute MUST be passed only with a Netscape KEYGEN request format. The value of the attribute MUST be the challenge (password) string associated with the request. For specifications, see section 3.1.1.4.3.1.4. | mypassword |
| requestername | Domain\account | The identity of the user whose information MUST be used to construct the subject information of an issued certificate. It is used along with a ROBO for a different subject. Note: Unlike the other attributes in this table, this attribute can be passed only within a request format and cannot be passed using the pwszAttributes parameter. | Contoso\tester |
| Other (see section 2.2.2.6.4.2 for possible values) | See section 2.2.2.6.4.2 for possible values | A valid RDN string SHOULD be used to pass subject names for a certificate request generated by using the KEYGEN format on a Netscape browser. | US |
| certfile | UNC path | The client requests that the server publish the issued certificate to the Universal Naming Convention (UNC) path that is specified in the value for this attribute.<15> | c:\mycert.cer |
| RequestId | ULONG | The request ID of the request that is pending the attestation Challenge Response.<16> | 1, 158, etc. |
When the SAN value in the preceding table, which is a list of name-value pairs, includes an OID as the name, the value of that OID MUST be encoded in one of the formats in the following table. In the following encoding, the format tag (for example, "{asn}") is a literal string.
Possible SAN values:

| Format | Meaning | Example¹ |
|---|---|---|
| {asn}Base64String | The value is any valid base64 text string. The base64 text string is decoded into binary data, which is then used as the OtherName value. The decoded binary data is expected to already be a valid ASN.1 encoded BLOB. | {asn}DApzdHJpbmcxMjM0 |
| {utf8}UTF8String | The value is a text string. The string is ASN.1 encoded into a UTF-8 string and used as the OtherName value. | {utf8}string1234 |
| {octet}Base64String | The value is any valid base64 text string. The base64 text string is decoded into binary. The binary is ASN.1 encoded into an octet string and is used as the OtherName value. | {octet}c3RyaW5nMTIzNA== |
| {octet}{hex}HexadecimalString | The value is a hexadecimal text string with an even number of digits. The hexadecimal text string is decoded into binary. The binary is ASN.1 encoded into an octet string and is used as the OtherName value. | {octet}{hex}12 34 56 78 9a bc de f0 |
| {hex}HexadecimalString | The value is a hexadecimal text string with an even number of digits. The hexadecimal text string is decoded into binary and the binary is used as the OtherName value. The decoded binary is expected to already be a valid ASN.1 encoded BLOB. | {hex}02 02 12 34 |

¹ The string in the Example column refers to a value equal to "string1234" in any one of the formats supported.
Details about various string encodings are specified in [X690].
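As an added example (not code from the specification), the following Python covers both encodings described in this section: a DER encoder for the EnrollmentNameValuePairs structure and a decoder that resolves the {asn}, {utf8}, {octet}, {octet}{hex} and {hex} SAN value formats to the bytes that become the OtherName value, which is useful when auditing what a captured request actually asked for. The function names and the minimal DER helper are my own; the sample values are the ones in the tables above.

```python
import base64
import binascii

# Universal ASN.1 tags used by the structures on this page.
TAG_SEQUENCE, TAG_OCTET_STRING, TAG_UTF8STRING, TAG_BMPSTRING = 0x30, 0x04, 0x0C, 0x1E


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (definite lengths below 65536)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def encode_name_value_pairs(pairs) -> bytes:
    """DER-encode EnrollmentNameValuePairs: SEQUENCE OF SEQUENCE { name, value }, both BMPString."""
    body = b"".join(
        der_tlv(TAG_SEQUENCE,
                der_tlv(TAG_BMPSTRING, name.encode("utf-16-be"))
                + der_tlv(TAG_BMPSTRING, value.encode("utf-16-be")))
        for name, value in pairs)
    return der_tlv(TAG_SEQUENCE, body)


def parse_san_collection(san: str) -> dict:
    """Split the 'name1=value1&name2=value2' SAN collection into a name -> value dict."""
    result = {}
    for item in san.split("&"):
        name, _, value = item.partition("=")
        result[name.strip()] = value.strip()
    return result


def decode_san_oid_value(value: str) -> bytes:
    """Resolve a tagged OID value to the DER bytes that become the OtherName value."""
    if value.startswith("{asn}"):              # base64 of an already-encoded ASN.1 blob
        return base64.b64decode(value[5:])
    if value.startswith("{utf8}"):             # text wrapped as a UTF8String
        return der_tlv(TAG_UTF8STRING, value[6:].encode("utf-8"))
    if value.startswith("{octet}{hex}"):       # hex digits wrapped as an OCTET STRING
        return der_tlv(TAG_OCTET_STRING, binascii.unhexlify(value[12:].replace(" ", "")))
    if value.startswith("{octet}"):            # base64 bytes wrapped as an OCTET STRING
        return der_tlv(TAG_OCTET_STRING, base64.b64decode(value[7:]))
    if value.startswith("{hex}"):              # hex digits of an already-encoded ASN.1 blob
        return binascii.unhexlify(value[5:].replace(" ", ""))
    raise ValueError("unknown SAN value format tag: " + value)
```

Decoding the five example values shows that {asn} and {utf8} yield the same UTF8String bytes for "string1234", while the two {octet} forms yield an OCTET STRING instead.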