Freigeben über


3.2.1.1.4 Configuration List

The following list contains configuration data for the CA. Server implementations that also implement the Certificate Services Remote Administration protocol specified in [MS-CSRA] or the ICertPassage Remote Protocol specified in [MS-ICPR] use the same configuration data elements, defined here as "public", for those implementations. If either Certificate Services Remote Administration Protocol or ICertPassage Remote Protocol or both are also implemented, access to the configuration list from either or both of these protocols SHOULD be serialized.

Data name

Data description

Config_CA_KRA_Cert_List (Public)

An indexed list of KRA certificates.

Config_CA_KRA_Cert_Count (Public)

The minimum amount of valid KRA certificates required to archive a key.

Config_SKU

Data that specifies the operating system SKU.

Possible values are Advanced_SKU and Standard_SKU.<68>

Config_Configuration_Directory (Public)

A UNC path that can be used to publish server data.

Config_Max_Property_ID

An integer that defines the greatest number that a client can pass in the PropID parameter of the GetCAProperty method.

Config_FQDN

The fully qualified domain name (FQDN) of the machine hosting the CA service.

Config_CA_Role_Separation (Public)

Indicates the role separation state.

Possible values are as follows:

Role_Separation_Enabled Role_Separation_Disable

Config_CA_Parent_DNS (Public)

The FQDN of the parent CA.

Config_CA_Exchange_Cert (Public)

List of SHA-1 hash values of all currently valid CA exchange certificates used to protect private keys in certificate requests.

Current_CA_Exchange_Cert

x.509 certificate that is the current CA exchange certificate.

Store_CA_Exchange_Cert

List of x.509 certificates that is the current set of valid CA exchange certificates.

Config_CA_CDP_Publish_To_Base (Public)

A list of one or more CRL Publishing Locations to which the CA is configured to publish base CRLs. This data is used in [MS-CSRA].

Config_CA_CDP_Publish_To_Delta (Public)

A list of one or more CRL Publishing Locations to which the CA is configured to publish delta CRLs. This data is used in [MS-CSRA].

Config_CA_CDP_Include_In_Cert (Public)

The list of strings to be added as UNC paths into the CDP extension of all certificates issued, with the key associated with the certificate in the CASigningCert column. CDP is specified in [RFC3280] section 4.2.1.14.

Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension (Public)

A list of one or more CRL Publishing Locations that will be included in the Published CRL Locations custom extension of CRLs created by the CA. This data is used in [MS-CSRA].

Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension (Public)

A list of one or more delta CRL Publishing Locations that will be included in the freshest CRL extension of base CRLs created by the CA. This data is used in [MS-CSRA].

Config_CA_CDP_Include_In_CRL_IDP_Extension (Public)

A list of one or more CRL Publishing Locations that will be included in the Issuing Distribution Point CRL extension of CRLs created by the CA. This data is used in [MS-CSRA].

Config_CA_AIA_Include_In_Cert (Public)

The list of strings to be added as UNC paths into the AIA extension of all certificates issued, with the key associated with the certificate in the CASigningCert column. AIA is specified in [RFC3280] section 4.2.2.1.

Config_CA_OCSP_Include_In_Cert (Public)

The list of strings to be added as OCSP paths into the (Authority Information Access) AIA extension of all certificates issued, with the key associated with the certificate in the CASigningCert column. The Online Certificate Status Protocol (OCSP) UNC path is specified in [RFC2560] section 4.2.2.1.

Config_File_Version

Stores information on the CA service file.

Config_Product_Version (Public)

Stores information on the product hosting the CA service.

Config_Database_View_Open (Public)

Indicates whether a caller has opened a view to the database. This data has two possible values: True and False. This data is used by methods specified in [MS-CSRA].

Config_Permissions_CA_Security (Public)

A list of administrator-defined rights of designated principals to administer the CA. The CA security information is configured with the SetCASecurity method and retrieved with the GetCASecurity method specified in [MS-CSRA].

Config_Permissions_Officer_Rights (Public)

A list of administrator-defined rights possessed by each CA officer to approve certificate requests associated with a given set of principles. Officer rights are set with the SetOfficerRights method and retrieved with the GetOfficerRights method specified in [MS-CSRA].

Config_Permissions_Enrollment_Agent_Rights (Public)

A list of administrator-defined rights possessed by each enrollment agent (EA) to obtain a certificate, with subject information pertaining to a different principal, from a CA. Enrollment agent is not one of the roles defined in [CIMC-PP]. Like Officer rights, Enrollment Agent rights are set with the SetOfficerRights method and retrieved with the GetOfficerRights method specified in [MS-CSRA].

Config_Base_CRL_Validity_Period (Public)

Contains the validity period of the base CRL.

Config_Base_CRL_Overlap_Period (Public)

Contains the overlap period of the base CRL.

Config_Delta_CRL_Validity_Period (Public)

Contains the validity period of a delta CRL.

Config_Delta_CRL_Overlap_Period (Public)

Contains the overlap period of a delta CRL.

Config_CA_Policy_Algorithm_Implementation (Public)

Information on the algorithm that implements the CA policy algorithm.

Config_CA_Exit_Algorithm_Implementation_List (Public)

Information on the algorithms that implement the CA exit algorithm.

Config_CA_Exit_Count (Public)

The number of exit algorithms registered on the CA.

Config_CA_Exit_Description_List

An indexed list that contains a description for all registered CA exit algorithms.

Config_CA_Policy_Description

A string that describes the CA policy algorithm.

Config_CA_Accept_Request_Attributes_ValidityTime (Public)

A Boolean value that indicates whether the CA accepts request attributes that specify the validity time for the certificate being requested.

Config_CA_Accept_Request_Attributes_Extensions (Public)

A Boolean value that indicates whether the CA accepts request attributes that specify certificate enhanced key usage (EKU) extensions to be added to the certificate being requested.

Config_CA_Accept_Request_Attributes_SAN (Public)

A Boolean value that indicates whether the CA accepts request attributes that specify the subject alternative name for the certificate being requested.

Config_CA_Accept_Request_Attributes_Other (Public)

A Boolean value that indicates whether the CA accepts 'Other' request attribute specified in section 2.2.2.7.10.

Config_CA_Accept_Request_Attributes_CertPath (Public)

A Boolean value that indicates whether the CA accepts request attributes that specify the subject name for the certificate being requested.

Config_CA_Clock_Skew_Minutes (Public)

Contains the number of minutes used in CA calculations to account for differences in system time across machines.

Config_CA_No_OCSP_Revocation_Check

A Boolean flag that indicates whether the CA honors the CT_FLAG_ADD_OCSP_NOCHECK flag of the certificate template, as specified in section 3.2.2.6.2.1.4.5.6.

Config_CA_Allow_RenewOnBehalfOf_Requests (Public)

A Boolean flag that indicates whether the CA allows requests as specified in section 3.2.2.6.2.1.2.4.

Config_CA_Interface_Flags (Public)

A set of flags which implementers can use to affect server behavior.

The defined values are as follows:

IF_NOREMOTEICERTREQUEST: The CA will not issue any certificates or hold pending any requests for remote users.

IF_NOLOCALICERTREQUEST: The CA will not issue any certificates or hold pending any requests for local users.

IF_NORPCICERTREQUEST: The CA will not issue any certificates or hold pending any requests for callers using the ICertPassage interface, as specified in [MS-ICPR] section 3.2.4.1.

IF_NOREMOTEICERTADMIN: No access to CSRA methods for remote callers.

IF_NOLOCALICERTADMIN: No access to CSRA methods for local callers.

IF_NOREMOTEICERTADMINBACKUP: The CA restricts access to the backup-related methods of this protocol for remote callers.

IF_NOLOCALICERTADMINBACKUP: The CA restricts access to the backup-related methods of this protocol for local callers.

IF_NOSNAPSHOTBACKUP: The database files cannot be backed up using a mechanism other than the methods of this interface.

IF_ENFORCEENCRYPTICERTREQUEST: RPC_C_AUTHN_LEVEL_PKT_PRIVACY, as defined in [MS-RPCE] section 2.2.1.1.8, is to be defined for all RPC connections to the server for certificate-request operations.

IF_ENFORCEENCRYPTICERTADMIN: RPC_C_AUTHN_LEVEL_PKT_PRIVACY, as defined in [MS-RPCE] section 2.2.1.1.8, is to be defined for all RPC connections to the server for certificate administrative operations (the methods defined in this interface).

IF_ENABLEEXITKEYRETRIEVAL: Enables an exit algorithm to retrieve the Encrypted private-Key Blob.

IF_ENABLEADMINASAUDITOR: Only CA administrators can update the CA audit filter settings.

Config_High_Serial_Number (Public)

A 4-byte integer used in generating certificate serial numbers. See section 3.2.1.4.2.1.4.6 about how certificate serial numbers are generated.

Config_High_Serial_String (Public)

A string value used in generating certificate serial numbers. See section 3.2.1.4.2.1.4.6 about how certificate serial numbers are generated.

Config_CA_Requests_Disposition (Public)

A 4-byte integer that indicates whether the CA sets all requests to pending, accepts all requests, or denies all requests. The value is the bitwise OR of the following:

  • 0x00000100 (REQDISP_PENDINGFIRST): The CA MUST set all certificate requests to pending.

  • 0x00000001 (REQDISP_ISSUE): The CA MUST issue all certificate requests.

  • 0x00000002 (REQDISP_DENY): The CA MUST deny all certificate requests.

Config_CA_LDAP_Flags

A 1-byte integer that indicates which port is used for connecting to LDAP servers and whether to sign the requests sent to the LDAP server or not. The value is the bitwise OR of the following:

  • 0x00000001(LDAPF_SSLENABLE): The CA MUST connect to SSL port of the LDAP server.

  • 0x00000002 (LDAPF_SIGNDISABLE): The CA MUST NOT sign the requests sent to LDAP server.

Config_Disable_LDAP_Sign_Encrypt

A flag that indicates whether LDAP queries for CRL retrievals will be signed and encrypted or not.

Config_Max_Number_Of_AD_Connections

A 4-byte integer that indicates the maximum number of cached ADConnection handles.

Config_AD_Connection_Referral

A flag that indicates whether the referral option for ADConnection is set to TRUE.

Config_Hardware_Key_List_Directories (Public)

A list of zero or more UNC or local file paths, each pointing to a folder that contains a 0-size file where the name of the file is the SHA2 hash of the trust module public key. The CA has read access to this location. See also [MS-CSRA] section 3.1.1.10.

Config_CA_DN_Order_String

A string value that the CA follows to order the RelativeDistinguishedName in the subject as specified in section 3.2.1.4.3.2.45.

Config_CertificateTransparency_Enabled

A flag that indicates whether Certificate Transparency processing is enabled at the server. The default value is FALSE (not enabled).

Config_CertificateTransparency_Disable_SCTList_Validation

A flag that indicates whether syntactical validation of the SignedCertificateTimestampList is validated at the server. The default value is FALSE (not validated).

Config_CertificateTransparency_Max_SCTList_Size

A 4-byte integer that indicates the maximum size of the SignedCertificateTimestampList, in bytes. The default value is 1024.

Config_CertificateTransparency_Info_Extension_Oid

A string value that the CA sets for the SignedCertificateTimestampList extension in the issued certificate. The default value is OID szOID_CT_CERT_SCTLIST (1.3.6.1.4.1.11129.2.4.2) [RFC6962].

Config_PreSignCert_Enabled

A flag that indicates whether Certificate Pre-sign processing is enabled at the server. The default value is FALSE (not enabled).

Signing_Dummy_Private_Key

Contains the dummy private key generated with the same public key algorithm  and key size as the private key of the current CA signing certificate, as specified in section 3.2.1.1.2.