3.2.2.6.2.1.4.5.6 msPKI-Enrollment-Flag

The following processing rules are applied to flags in this attribute. Each entry gives the flag value and name (Flag), followed by the rules the CA applies when that flag is set (Client processing).

0x00000001 CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS

The CA MUST include an S/MIME extension, as specified in [RFC4262], in the issued certificate.

0x00000002 CT_FLAG_PEND_ALL_REQUESTS

If this flag is included in the template, the CA MUST return a pending state response for the certificate request and require a CA manager to approve the request before issuing the certificate.

0x00000004 CT_FLAG_PUBLISH_TO_KRA_CONTAINER

If this flag is included in the template, the CA MUST publish the certificate to the userCertificate attribute of an object of the class msPKI-Private-Key-Recovery-Agent stored in the "CN=KRA, CN=Public Key Services,CN=Services, CN=Configuration" container in the working directory by invoking the processing rules in section 3.2.2.1.4 with input parameter IssuedCertificate set equal to the issued certificate. The CN of that object MUST be equal to the sanitized short name of the CA. The algorithm for sanitizing names is described in section 3.1.1.4.1.1.

0x00000008 CT_FLAG_PUBLISH_TO_DS

If this flag is included in the template, the CA MUST append the issued certificate to the userCertificate attribute, as specified in [RFC4523], of the user object in the working directory by invoking the processing rules in section 3.2.2.1.5 with input parameter IssuedCertificate set equal to the issued certificate and input parameter EndEntityDistinguishedName set equal to the requester's user object distinguished name.

0x00000040 CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT

The CA MUST enforce this flag only for certificate renewal requests and only when the conditions specified in section 3.2.2.6.2.1.4.8 are met.

If this flag is set in the template:

  • The CA MUST NOT enforce the signature processing rules specified for the following attributes: msPKI-RA-Signature, msPKI-RA-Policies, and msPKI-Application-Policy.

  • The CA MUST ignore the CT_FLAG_PEND_ALL_REQUESTS flag.

  • If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set and the old certificate, based on which reenrollment is occurring, contains the subject alternative name (SAN) extension, then the same SAN extension MUST be added to the new certificate being issued.

0x00001000 CT_FLAG_ADD_OCSP_NOCHECK

If this flag is set and the following are all true:

  • The CA implements the Config_CA_No_OCSP_Revocation_Check datum and it is set to true, or the CA does not implement this datum.

  • The certificate template's msPKI-Certificate-Application-Policy attribute contains the OID szOID_PKIX_KP_OCSP_SIGNING (1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning).

The CA SHOULD NOT include the OIDs szOID_AUTHORITY_INFO_ACCESS (1.3.6.1.5.5.7.1.1, id-pe-authorityInfoAccess) and szOID_CRL_DIST_POINTS (2.5.29.31, id-ce-cRLDistributionPoints) extensions and SHOULD add a NULL value extension with the OID szOID_PKIX_OCSP_NOCHECK (1.3.6.1.5.5.7.48.1.5, id-pkix-ocsp-nocheck) to the issued certificate.<119>

0x00004000 CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS

If this flag is set, the CA SHOULD NOT include entries from the Config_CA_OCSP_Include_In_Cert list in the OID szOID_AUTHORITY_INFO_ACCESS (1.3.6.1.5.5.7.1.1, id-pe-authorityInfoAccess) extension of the issued certificate and SHOULD NOT include the OID szOID_CRL_DIST_POINTS (2.5.29.31, id-ce-cRLDistributionPoints) extension in the issued certificate.<120>

0x00008000 CT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS

If this flag is set, the CA SHOULD add a Basic Constraints extension (as specified in [RFC3280] section 4.2.1.10) to the certificate and set the cA field to FALSE. The CA SHOULD NOT include the pathLenConstraint field in the Basic Constraints extension.<121>

0x00010000 CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT

The CA MUST enforce this flag only for certificate renewal requests when the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flags are also set. If this flag is set on the template, the CA SHOULD NOT enforce the processing rules specified in section 3.2.2.6.2.1.4.3.<122>

0x00020000 CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST

If this flag is set, the CA SHOULD apply special processing rules to the msPKI-Certificate-Policy attribute as specified in section 3.2.2.6.2.1.4.5.8.<123>
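As an added illustration (not part of the specification), the following Python decodes an msPKI-Enrollment-Flag value into the flag names defined in this section and evaluates the conditional rules above for a single request, which is useful when auditing templates for settings such as manager approval being bypassed on validated re-enrollment. The dict layout, the parameter names, and the treatment of "renewal conditions in section 3.2.2.6.2.1.4.8 are met" as a single boolean are assumptions.

```python
# Added example, not the specification's own code. Flag values are the ones
# listed in this section; parameter shapes are assumptions for illustration.

ENROLLMENT_FLAGS = {
    0x00000001: "CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS",
    0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",
    0x00000004: "CT_FLAG_PUBLISH_TO_KRA_CONTAINER",
    0x00000008: "CT_FLAG_PUBLISH_TO_DS",
    0x00000040: "CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT",
    0x00001000: "CT_FLAG_ADD_OCSP_NOCHECK",
    0x00004000: "CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS",
    0x00008000: "CT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS",
    0x00010000: "CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT",
    0x00020000: "CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST",
}
KNOWN_MASK = sum(ENROLLMENT_FLAGS)          # bits documented in this section
OID_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"       # szOID_PKIX_KP_OCSP_SIGNING


def decode_enrollment_flags(value):
    """Split an attribute value into documented flag names and leftover bits."""
    names = [name for bit, name in ENROLLMENT_FLAGS.items() if value & bit]
    return names, value & ~KNOWN_MASK


def ca_processing(flags, app_policy_oids, renewal_ok=False,
                  enrollee_supplies_subject=False, no_ocsp_revocation_check=None):
    """Evaluate the rules above for one request. renewal_ok: a renewal request
    meeting section 3.2.2.6.2.1.4.8 (assumed boolean); no_ocsp_revocation_check:
    None means the CA does not implement Config_CA_No_OCSP_Revocation_Check."""
    prev_approval = renewal_ok and bool(flags & 0x40)
    # CT_FLAG_ADD_OCSP_NOCHECK only takes effect for OCSP-signing templates.
    ocsp_nocheck = (bool(flags & 0x1000)
                    and no_ocsp_revocation_check in (None, True)
                    and OID_OCSP_SIGNING in app_policy_oids)
    return {
        # CT_FLAG_PEND_ALL_REQUESTS is ignored on a validated re-enrollment.
        "manager_approval_required": bool(flags & 0x02) and not prev_approval,
        "publish_to_kra": bool(flags & 0x04),
        "publish_to_ds": bool(flags & 0x08),
        "skip_ra_signature_rules": prev_approval,
        "copy_san_from_old_cert": prev_approval and enrollee_supplies_subject,
        "skip_section_3_2_2_6_2_1_4_3": (prev_approval and enrollee_supplies_subject
                                         and bool(flags & 0x10000)),
        "add_ocsp_nocheck_ext": ocsp_nocheck,
        "omit_aia_extension": ocsp_nocheck,
        "omit_ocsp_entries_from_aia": bool(flags & 0x4000),
        "omit_cdp_extension": ocsp_nocheck or bool(flags & 0x4000),
        "basic_constraints_ca_false": bool(flags & 0x8000),
        "issuance_policies_from_request": bool(flags & 0x20000),
    }
```

Bits outside this section (the second element returned by decode_enrollment_flags) are defined elsewhere in the specification and are reported rather than interpreted.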