3.2.2.6.2.1.4.5.6 msPKI-Enrollment-Flag
The following processing rules are applied to flags in this attribute.
| Flag | Client processing |
|---|---|
| 0x00000001 CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | The CA MUST include an S/MIME extension, as specified in [RFC4262], in the issued certificate. |
| 0x00000002 CT_FLAG_PEND_ALL_REQUESTS | If this flag is included in the template, the CA MUST return a pending state response for the certificate request and require a CA manager to approve the request before issuing the certificate. |
| 0x00000004 CT_FLAG_PUBLISH_TO_KRA_CONTAINER | If this flag is included in the template, the CA MUST publish the certificate to the userCertificate attribute of an object of the class msPKI-Private-Key-Recovery-Agent stored in the "CN=KRA, CN=Public Key Services,CN=Services, CN=Configuration" container in the working directory by invoking the processing rules in section 3.2.2.1.4 with input parameter IssuedCertificate set equal to the issued certificate. The CN of that object MUST be equal to the sanitized short name of the CA. The algorithm for sanitizing names is described in section 3.1.1.4.1.1. |
| 0x00000008 CT_FLAG_PUBLISH_TO_DS | If this flag is included in the template, the CA MUST append the issued certificate to the userCertificate attribute, as specified in [RFC4523], of the user object in the working directory by invoking the processing rules in section 3.2.2.1.5 with input parameter IssuedCertificate set equal to the issued certificate and input parameter EndEntityDistinguishedName set equal to the requester's user object distinguished name. |
| 0x00000040 CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT | The CA MUST enforce this flag only for certificate renewal requests and only when the conditions specified in section 3.2.2.6.2.1.4.8 are met. If this flag is set in the template: |
| 0x00001000 CT_FLAG_ADD_OCSP_NOCHECK | If this flag is set and the following are all true: The CA SHOULD NOT include the OIDs szOID_AUTHORITY_INFO_ACCESS (1.3.6.1.5.5.7.1.1, id-pe-authorityInfoAccess) and szOID_CRL_DIST_POINTS (2.5.29.31, id-ce-cRLDistributionPoints) extensions and SHOULD add a NULL value extension with the OID szOID_PKIX_OCSP_NOCHECK (1.3.6.1.5.5.7.48.1.5, id-pkix-ocsp-nocheck) to the issued certificate.<119> |
| 0x00004000 CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS | If this flag is set, the CA SHOULD NOT include entries from the Config_CA_OCSP_Include_In_Cert list in the OID szOID_AUTHORITY_INFO_ACCESS (1.3.6.1.5.5.7.1.1, id-pe-authorityInfoAccess) extension of the issued certificate and SHOULD NOT include the OID szOID_CRL_DIST_POINTS (2.5.29.31, id-ce-cRLDistributionPoints) extension in the issued certificate.<120> |
| 0x00008000 CT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS | If this flag is set, the CA SHOULD add a Basic Constraints extension (as specified in [RFC3280] section 4.2.1.10) to the certificate and set the cA field to FALSE. The CA SHOULD NOT include the pathLenConstraint field in the Basic Constraints extension.<121> |
| 0x00010000 CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT | The CA MUST enforce this flag only for certificate renewal requests when the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flags are also set. If this flag is set on the template, the CA SHOULD NOT enforce the processing rules specified in section 3.2.2.6.2.1.4.3.<122> |
| 0x00020000 CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST | If this flag is set, the CA SHOULD apply special processing rules to the msPKI-Certificate-Policy attribute as specified in section 3.2.2.6.2.1.4.5.8.<123> |
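The attribute is stored on the template object as a single integer, so an auditor reading it back from the directory has to split it into the flags listed in the table before the CA's behaviour can be judged. The following decoder is an added example, not part of this specification or of any Microsoft tool; it knows only the flag values the table above defines, reports any other set bit as unknown rather than naming it, and the sample attribute values and the `parse_attribute`, `decode_enrollment_flags` and `describe_template` helpers are constructed for illustration.

```python
"""Decode a template's msPKI-Enrollment-Flag value into the flags from the
table above and summarize what the CA will do with requests against it.
Added example; not the specification's or any product's own code."""

from typing import Dict, List, Tuple, Union

# Flag values and names exactly as the table above lists them. The table
# does not cover every defined bit, so anything else is treated as unknown.
ENROLLMENT_FLAGS: Dict[int, str] = {
    0x00000001: "CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS",
    0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",
    0x00000004: "CT_FLAG_PUBLISH_TO_KRA_CONTAINER",
    0x00000008: "CT_FLAG_PUBLISH_TO_DS",
    0x00000040: "CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT",
    0x00001000: "CT_FLAG_ADD_OCSP_NOCHECK",
    0x00004000: "CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS",
    0x00008000: "CT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS",
    0x00010000: "CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT",
    0x00020000: "CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST",
}

# CA-side consequence of each flag, paraphrased from the table's processing rules.
EFFECTS: Dict[str, str] = {
    "CT_FLAG_PEND_ALL_REQUESTS": "requests are pended for CA manager approval",
    "CT_FLAG_PUBLISH_TO_KRA_CONTAINER": "issued certificate is published to the CA's KRA object",
    "CT_FLAG_PUBLISH_TO_DS": "issued certificate is appended to the requester's userCertificate attribute",
    "CT_FLAG_ADD_OCSP_NOCHECK": "AIA and CDP extensions are omitted and id-pkix-ocsp-nocheck is added",
    "CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS": "OCSP AIA entries and the CDP extension are omitted",
    "CT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS": "Basic Constraints with cA=FALSE is added",
    "CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST": "issuance policies are taken from the request (section 3.2.2.6.2.1.4.5.8)",
}


def parse_attribute(raw: Union[int, str, bytes]) -> int:
    """LDAP clients usually hand the attribute back as a decimal string or bytes;
    accept those as well as a plain int or a '0x...' literal (hypothetical helper)."""
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    if isinstance(raw, str):
        text = raw.strip()
        return int(text, 16) if text.lower().startswith("0x") else int(text)
    return int(raw)


def decode_enrollment_flags(raw: Union[int, str, bytes]) -> Tuple[List[str], List[int]]:
    """Return (known flag names in ascending bit order, unknown set bits)."""
    value = parse_attribute(raw)
    known = [name for bit, name in sorted(ENROLLMENT_FLAGS.items()) if value & bit]
    unknown: List[int] = []
    bit = 1
    while bit <= value:
        if value & bit and bit not in ENROLLMENT_FLAGS:
            unknown.append(bit)
        bit <<= 1
    return known, unknown


def describe_template(raw: Union[int, str, bytes]) -> List[str]:
    """Human-readable list of what the CA will do for this template value.
    The first entry always states whether manager approval gates issuance,
    since the absence of CT_FLAG_PEND_ALL_REQUESTS matters as much as its presence."""
    known, unknown = decode_enrollment_flags(raw)
    effects = [EFFECTS[name] for name in known if name in EFFECTS]
    if "CT_FLAG_PEND_ALL_REQUESTS" not in known:
        effects.insert(0, "requests are issued without CA manager approval")
    for bit in unknown:
        effects.append(f"unknown flag bit 0x{bit:08X} (not listed in the table above)")
    return effects


if __name__ == "__main__":
    # Constructed sample values, as an LDAP client might return them.
    for sample in (b"41", "0x2", 0x1000 | 0x4000):
        names, other = decode_enrollment_flags(sample)
        print(sample, names, [hex(b) for b in other])
        for line in describe_template(sample):
            print("   ", line)
```

Running it against a directory export is a matter of feeding each template's attribute value to `describe_template`; the decoder deliberately refuses to name bits the table does not define, so an output line mentioning an unknown bit is a prompt to consult the full flag list rather than a finding in itself.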