Compartir a través de


2.2.2.7.10 szENROLLMENT_NAME_VALUE_PAIR

OID = 1.3.6.1.4.1.311.13.2.1

Internal Name: szOID_ENROLLMENT_NAME_VALUE_PAIR.

Description: Additional attributes that SHOULD be used.

Format: This attribute MUST be a collection of zero or more name-value pairs. The following is the ASN.1 format.

 EnrollmentNameValuePairs ::= SEQUENCE OF EnrollmentNameValuePair
            
 EnrollmentNameValuePair ::= SEQUENCE {
         name                BMPSTRING,
         value               BMPSTRING
 }  --#public

The following table lists all the values that SHOULD be supported by the CA. Processing rules for the supported values for this collection MUST be as specified in section 3.2.1.4.2.1.2.

Note If a value is in quotes, the value must be exactly as the string within the quote. For example, CertType has only a single possible value, "server".

 Name

 Values

 Comments

 Value example

CertType

"server"

This attribute MUST be used along with a Netscape KEYGEN request. It MUST define the type of certificate that the client needs.

server

CertificateUsage

Comma-delimited OIDs

The request OIDs for use in the ExtendedKeyUsage extension, as specified in [RFC3280] section 4.2.1.13.

2.5.29.3, 2.5.43.1

ValidityPeriod

"Seconds" or

 "Minutes" or

 "Hours" or

 "Days" or

 "Weeks" or

 "Months" or

 "Years"

The validity period of the request MUST be defined in two values: number and units. For example, number=3 and units=weeks means that the request is for a certificate that will be valid for 3 weeks.

This value MUST define the units for the validity period.

Weeks

ValidityPeriodUnits

Unsigned integer

This value MUST define the number units used for the validity period. The units are defined in the ValidityPeriod attribute.

3

ExpirationDate

Date and time

This value MUST define the exact request expiration time of the requested certificate in the format defined in section 3.3 of the [RFC2616].<14>

L"Tue, 21 Nov 2000 01:06:53 GMT"

cdc

FQDN

An Active Directory server FQDN.

dcmachine.contoso.com

rmd

FQDN

The requesting machine FQDN.

mymachine.contoso.com

CertificateTemplate

The cn attribute on the Active Directory object that contains the certificate template

This value MUST define the certificate template that was used by the client to construct the certificate request.

ContosoAdministrator

SAN

Name-value collection

This value MUST contain a collection of one or more name-value pairs for the SubjectAltName extension. The format for the internal collection MUST be: "name1=value1&name2=value".

The supported names for this internal name-value collection are:

Guid

Email

FQDN

Dn

url

ipaddress

oid

upn

spn

For all these names, the value MAY be any string.

In addition to these names, the name MAY be any OID. If it is an OID, the value MUST be encoded as defined in the following table.

1.2.3.4=user679

&guid=exampleguid

&oid=4.3.2.1

&email=user679@contoso.com

challenge

Password

This attribute MUST be passed only with a Netscape KEYGEN request format. The value of the attribute MUST be the challenge (password) string associated with the request. For specifications, see section 3.1.1.4.3.1.4.

mypassword

requestername

Domain\account

The identity of the user whose information MUST be used to construct the subject information of an issued certificate. It is used along with a ROBO for a different subject.

Note: Unlike the other attributes in this table, this attribute can be passed only within a request format and cannot be passed using the pwszAttributes parameter.

Contoso\tester

Other (see section 2.2.2.6.4.2 for possible values)

See section 2.2.2.6.4.2 for possible values

A valid RDN string SHOULD be used to pass subject names for a certificate request generated by using the KEYGEN format on a Netscape browser.

US

 certfile

 UNC path

The client requests that the server publish the issued certificate to the Universal Naming Convention (UNC) path that is specified in the value for this attribute.<15>

c:\mycert.cer

RequestId

ULONG

The request ID of the request that is pending the attestation Challenge Response.<16>

1, 158, etc.

When the SAN value in the preceding table, which is a list of name-value pairs, includes an OID as the name, the value of that OID MUST be encoded in one of the formats in the following table. In the following encoding, the format tag (for example, "{asn}") is a literal string.

Possible SAN values.

 Format

 Meaning

 Example¹

{asn}Base64String

The value is any valid base64 text string. The base64 text string is decoded into binary data, which is then used as the OtherName value. The decoded binary data is expected to already be a valid ASN.1 encoded BLOB.

{asn}DApzdHJpbmcxMjM0

{utf8}UTF8String

The value is a text string. The string is ASN.1 encoded into a UTF-8 string and used as the OtherName value.

{utf8}string1234

{octet}Base64String

The value is any valid base64 text string. The base64 text string is decoded into binary. The binary is ASN.1 encoded into an octet string and is used as the OtherName value.

{octet}c3RyaW5nMTIzNA==

{octet}{hex}HexadecimalString

The value is a hexadecimal text string with an even number of digits. The hexadecimal text string is decoded into binary. The binary is ASN.1 encoded into an octet string and is used as the OtherName value.

 {octet}{hex}12 34 56 78 9a bc de f0

{hex}HexadecimalString

The value is a hexadecimal text string with an even number of digits. The hexadecimal text string is decoded into binary and the binary is used as the OtherName value. The decoded binary is expected to already be a valid ASN.1 encoded BLOB.

 {hex}02 02 12 34

The string in the Example column refers to a value equal to "string1234" in any one of the formats supported.

Details about various string encodings are specified in [X690].