3.2.1.4.2.1.2 Parsing and Verifying pwszAttributes

The CA MUST parse the [UNICODE] string that is passed in the pwszAttributes parameter. The string MUST be a combination of one or more lines separated by '\n'. Each line MUST have the attribute name token, a ':' separator, and the value token.

A line that contains invalid syntax or a missing token MUST be ignored by the CA. Blanks and minus signs before the separator on each line MUST be removed by the receiving CA, even if they appear before or within the name string. Blanks that occur before or after the value string MUST be removed; however, blanks within the value string can remain.

A list of actions follows, which the CA MUST perform for each of the supported attributes. This list contains supported attributes and sample values:

  • SAN:type_1=value1[&type_N=value_N]

    • Processing: If the Config_CA_Accept_Request_Attributes_SAN data is set to false, the CA MUST ignore this attribute. If the Config_CA_Accept_Request_Attributes_SAN data is set to true, the CA MUST use the values that are defined in this attribute to construct the SubjectAltName in the issued certificate. SubjectAltName MUST be constructed with one or more values specified in the GeneralName structure in [RFC3280] section 4.2.1.7. The CA MUST map the attribute value to a supported type in the GeneralName structure. This attribute supports multiple values separated by the '&' character, each prefixed by its type and an '=' character. The mapping MUST be as illustrated in the following examples:

      • Email=sample@contoso.com is mapped to the rfc822Name that has the sample@contoso.com value.

      • Dns=contoso.com is mapped to the dNSName (an FQDN) that has the contoso.com value.

      • dn=CN=xxx,OU=xxx,DC=xxx is mapped to a directoryName that has a value of CN=xxx,OU=xxx,DC=xxx.

      • url=http://adatum.com/default.html is mapped to a uniformResourceIdentifier that has a value of http://adatum.com/default.html.

      • ipaddress=172.134.10.134 is mapped to the IPAddress that has the 172.134.10.134 value.

      • upn=sample@cpandl.com is mapped to the otherName that has an OID szOID_NT_PRINCIPAL_NAME (1.3.6.1.4.1.311.20.2.3) and a value of sample@cpandl.com that is encoded as a UTF-8 string.

      • oid=2.1.3.3.2 is mapped to the registeredID that has the 2.1.3.3.2 value.

      • guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39 is mapped to the otherName that has an OID szOID_NTDS_REPLICATION (1.3.6.1.4.1.311.25.1) and a value of f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39 that is encoded as an octet string.

      • 1.2.3.4=contoso. The name of this token can be any OID (in this example 1.2.3.4). It is mapped to an otherName structure that has the OID 1.2.3.4, with contoso as the value, encoded as an octet string.

        Note: The otherName structure is as specified in [RFC3280] section 4.2.1.7. The otherName structure includes an OID and a value.

  • CertificateUsage:OID,OID

    • Processing: If the Config_CA_Accept_Request_Attributes_Extensions data is set to true, the CA MUST use the OIDs that are passed with this value to construct the ExtendedKeyUsage extension in the issued certificate. The ExtendedKeyUsage extension is specified in [RFC3280] section 4.2.1.13. If the Config_CA_Accept_Request_Attributes_Extensions data is set to false, the CA MUST ignore this attribute.

  • ValidityPeriod:Weeks\nValidityPeriodUnits:3

    • Processing: If the Config_CA_Accept_Request_Attributes_ValidityTime data is set to true and the ExpirationDate attribute is not present, the CA MUST set the notAfter field of the issued certificate equal to the value of the notBefore field plus the value of the ValidityPeriod.<72> In this sample, the client requests a validity period of three weeks. If the Config_CA_Accept_Request_Attributes_ValidityTime data is set to false, the CA MUST ignore this attribute.

  • ExpirationDate:Tue, 21 Nov 2000 01:06:53 GMT

    • Processing: If the Config_CA_Accept_Request_Attributes_ValidityTime data is set to true, the CA MUST set the notAfter field of the issued certificate to this value and MUST ignore the ValidityPeriod.<73> If the Config_CA_Accept_Request_Attributes_ValidityTime data is set to false, the CA MUST ignore this attribute.

  • certfile:c:\mycert.cer

    • Processing: If the Config_CA_Accept_Request_Attributes_CertPath data is set to true, the CA MAY<74> publish the issued certificate to the path that is specified in this attribute. If the Config_CA_Accept_Request_Attributes_CertPath data is set to false, the CA MUST ignore this attribute.

  • CertType:server

    • Processing: If this attribute is present and the value is "server", the CA MUST add an extension 2.16.840.1.113730.1.1 with a bit string value of 0x01100000 (SSL server). If this attribute is present and the value is not "server", the CA MUST add an extension 2.16.840.1.113730.1.1 by using a bit string value of 0x01000000 (SSL client). If the request is a KEYGEN request and this attribute is not present, the CA MUST add an extension 2.16.840.1.113730.1.1 by using a bit string value of 0x01000000 (SSL client). The Netscape KEYGEN Tag Format is specified in section 2.2.2.6.4.

  • Other:...

    • Processing: If the Config_CA_Accept_Request_Attributes_Other data is set to true and the request is a KEYGEN type, the CA MUST process the string to construct the subject name based on the rdn attribute, as specified in section 3.2.1.4.2.1.4.1.4. Otherwise, the CA MUST ignore this attribute.
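The following is an added example, not code from the specification or from any CA implementation: it applies the line-parsing rules for pwszAttributes given at the top of this section (first ':' as the separator, blanks and minus signs stripped from the name, value trimmed, malformed lines ignored) and the SAN type-to-GeneralName mapping from the list above, gated on the Config_CA_Accept_Request_Attributes_SAN flag. The sample string is constructed; case-insensitive matching of attribute and SAN type names is an assumption the specification does not state.

```python
import re
from typing import List, Tuple

# GeneralName type that each SAN token type maps to, per the list above.
# otherName entries carry their type-id OID after the colon.
SAN_TYPES = {
    "email": "rfc822Name",
    "dns": "dNSName",
    "dn": "directoryName",
    "url": "uniformResourceIdentifier",
    "ipaddress": "iPAddress",
    "upn": "otherName:1.3.6.1.4.1.311.20.2.3",   # szOID_NT_PRINCIPAL_NAME
    "oid": "registeredID",
    "guid": "otherName:1.3.6.1.4.1.311.25.1",    # szOID_NTDS_REPLICATION
}
DOTTED_OID = re.compile(r"^\d+(\.\d+)+$")

# Constructed sample pwszAttributes string (not taken from the specification).
SAMPLE = ("S-A N : upn=sample@cpandl.com&dns=contoso.com&1.2.3.4=contoso\n"
          "line without a separator\n"
          "ValidityPeriod: Weeks \n"
          "ValidityPeriodUnits:3")


def parse_attributes(pwsz: str) -> List[Tuple[str, str]]:
    """Split pwszAttributes into (name, value) pairs using the line rules of this section."""
    pairs = []
    for line in pwsz.split("\n"):
        name, sep, value = line.partition(":")   # first ':' is the separator
        if not sep:
            continue                               # no separator: line is ignored
        name = re.sub(r"[ \-]", "", name)          # blanks/minus signs before ':' removed
        value = value.strip(" ")                   # outer blanks removed, inner blanks kept
        if not name or not value:
            continue                               # missing token: line is ignored
        pairs.append((name, value))
    return pairs


def parse_san(value: str) -> List[Tuple[str, str]]:
    """Map 'type=value[&type=value]' into (GeneralName type, value) entries."""
    entries = []
    for item in value.split("&"):
        typ, sep, val = item.partition("=")        # first '=' only, so dn=CN=..,DC=.. survives
        typ = typ.strip().lower()                  # assumption: SAN type names are case-insensitive
        if not sep or not val:
            continue
        if typ in SAN_TYPES:
            entries.append((SAN_TYPES[typ], val))
        elif DOTTED_OID.match(typ):
            entries.append(("otherName:" + typ, val))  # any OID maps to otherName with that OID
    return entries


def effective_san(pwsz: str, accept_san: bool) -> List[Tuple[str, str]]:
    """Entries the CA would add to SubjectAltName; empty when the config flag is false."""
    if not accept_san:
        return []                                  # attribute ignored entirely
    entries = []
    for name, value in parse_attributes(pwsz):
        if name.lower() == "san":                  # assumption: attribute names case-insensitive
            entries.extend(parse_san(value))
    return entries
```

Running effective_san(SAMPLE, False) against the same request shows the difference the flag makes: with it cleared, nothing from pwszAttributes reaches the issued certificate's SubjectAltName.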