The CertificateIdentifier element describes an X.509 v3 Certificate. The Certificate can be provided explicitly within the element (as RawData) or the element can specify the location of the CertificateStore that contains the Certificate. The elements contained in a CertificateIdentifier are described in Table E.2.

Table E.2 – CertificateIdentifier

StoreType
    The type of CertificateStore that contains the Certificate.
    Predefined values are "Windows" and "Directory".
    If not specified, the RawData element shall be specified.

StorePath
    The path to the CertificateStore.
    The syntax depends on the StoreType.
    If not specified, the RawData element shall be specified.

SubjectName
    The SubjectName for the Certificate, given either as the Common Name (CN) component of the SubjectName, or as the full SubjectName represented as a string that complies with Section 3 of RFC 4514.
    Values that do not contain '=' characters are presumed to be the Common Name component.

Thumbprint
    The CertificateDigest for the Certificate formatted as a hexadecimal string.
    Case is not significant.

RawData
    The DER encoded Certificate.
    The CertificateIdentifier is invalid if the information in the DER Certificate conflicts with the information specified in other fields (SubjectName or Thumbprint). Import utilities shall reject configurations containing invalid Certificates.
    This field shall not be specified if the StoreType and StorePath are specified.

ValidationOptions
    The options to use when validating the Certificate. The possible options are described in E.6.

OfflineRevocationList
    A Certificate Revocation List (CRL) associated with an Issuer Certificate.
    The format of a CRL is defined by RFC 3280 (since obsoleted by RFC 5280, which keeps the same CRL structure).
    This field is only meaningful for Issuer Certificates.

OnlineRevocationList
    A URL for an Online Revocation List associated with an Issuer Certificate.
    This field is only meaningful for Issuer Certificates.
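The consistency rules in Table E.2 are easy to get subtly wrong, so the following Python is added here as a worked example; it is not part of this annex or of any OPC UA stack. It checks that RawData and StoreType/StorePath are not given together, compares a Thumbprint case-insensitively against the digest of RawData, and matches a SubjectName without '=' against the CN component only while a SubjectName with '=' is matched against the RFC 4514 string. It parses just enough DER to reach the subject. Two things are assumptions of the example rather than statements of this page: the CertificateDigest is computed as SHA-1 over the DER bytes (OPC UA practice), and `build_test_certificate` produces a structurally valid but unsigned certificate as constructed test data.

```python
import hashlib
import re

# DER contents of the attribute-type OIDs handled here, keyed to RFC 4514 short
# names. Unknown types are kept with their hex OID rather than silently dropped.
_OID_NAMES = {
    b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
    b"\x55\x04\x06": "C", b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19": "DC",
}

def _children(buf):
    """Yield (tag, value) for each DER TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                       # long form: low bits count the length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def subject_rdns(der):
    """Return the subject of a DER certificate as a list of RDNs, each a list of
    (short_name, value) pairs, in DER order. Only the path to the subject is parsed."""
    (tag, cert), = _children(der)               # exactly one outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = list(_children(next(_children(cert))[1]))   # tbsCertificate fields
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]                      # serial, sigAlg, issuer, validity, subject
    rdns = []
    for _, rdn in _children(subject):           # SET OF AttributeTypeAndValue
        pairs = []
        for _, atv in _children(rdn):
            (_, oid), (_, val) = list(_children(atv))[:2]
            pairs.append((_OID_NAMES.get(oid, "?" + oid.hex()), val.decode("utf-8")))
        rdns.append(pairs)
    return rdns

def _escape(value):
    """Escape the characters RFC 4514 section 2.4 requires escaping (trailing-space case omitted)."""
    value = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    return "\\" + value if value[:1] in ("#", " ") else value

def rfc4514(rdns):
    """RFC 4514 string form: last RDN first, '+' between values of a multi-valued RDN."""
    return ",".join("+".join(f"{k}={_escape(v)}" for k, v in rdn) for rdn in reversed(rdns))

def common_name(rdns):
    return next((v for rdn in rdns for k, v in rdn if k == "CN"), None)

def thumbprint(der):
    """CertificateDigest as hex. SHA-1 over the DER bytes is an assumption of this
    example (OPC UA practice), not something Table E.2 states. Case is not significant."""
    return hashlib.sha1(der).hexdigest().upper()

def check_identifier(ident):
    """Return the reasons a CertificateIdentifier is invalid; [] means valid. ident is a
    dict with optional StoreType, StorePath, SubjectName, Thumbprint and RawData (bytes)."""
    errors = []
    raw = ident.get("RawData")
    has_store = bool(ident.get("StoreType")) and bool(ident.get("StorePath"))
    if raw and has_store:
        errors.append("RawData shall not be specified together with StoreType and StorePath")
    if not raw and not has_store:
        errors.append("either RawData or both StoreType and StorePath shall be specified")
    if not raw:
        return errors
    try:
        rdns = subject_rdns(raw)
    except (ValueError, IndexError, StopIteration, UnicodeDecodeError) as exc:
        return errors + [f"RawData is not a parseable DER certificate: {exc!r}"]
    given = ident.get("Thumbprint")
    if given and given.upper() != thumbprint(raw):
        errors.append("Thumbprint conflicts with the digest of RawData")
    subj = ident.get("SubjectName")
    if subj:                                    # no '=': presumed to be the CN component only
        expected = rfc4514(rdns) if "=" in subj else common_name(rdns)
        if subj != expected:
            errors.append(f"SubjectName {subj!r} conflicts with certificate subject {expected!r}")
    return errors

def _der(tag, body):
    """Encode one DER TLV (used only to build the constructed test certificate)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_test_certificate(attrs):
    """Constructed test data: a structurally valid but UNSIGNED certificate whose
    subject and issuer are attrs, a list of (short_name, value) single-valued RDNs."""
    oids = {v: k for k, v in _OID_NAMES.items()}
    name = _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der(0x06, oids[k]) + _der(0x0C, v.encode()))) for k, v in attrs))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"260101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00"))         # placeholder key, enough for the parser
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))   # empty signature BIT STRING
```

The full-DN comparison above is a string comparison of the RFC 4514 forms; a production implementation should compare the decoded attribute sets so that differences in escaping or ordering within a multi-valued RDN do not produce false conflicts, and it should of course verify the certificate's signature, which this example does not touch.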

A "Windows" StoreType specifies a Windows Certificate store.

The syntax of the StorePath has the form:

[\\HostName\]StoreLocation[\(ServiceName | UserSid)]\StoreName

HostName – the name of the machine where the store resides.

StoreLocation – one of LocalMachine, CurrentUser, User or Service.

ServiceName – the name of a Windows Service (only meaningful with the Service StoreLocation).

UserSid – the SID for a Windows user account (only meaningful with the User StoreLocation).

StoreName – the name of the store (e.g. My, Root, Trust, CA, etc.). It is always the last path component, so a ServiceName that contains spaces does not need quoting.

Examples of Windows StorePaths are:

\\MYPC\Service\My UA Server\UA applications
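As an added example (not part of this annex or of any OPC UA stack), the following Python splits a Windows StorePath according to the grammar above and returns the components a store lookup needs. The grammar only marks the ServiceName/UserSid component as optional; treating it as required for the Service and User locations and rejecting it for LocalMachine and CurrentUser is this example's interpretation, and the SID pattern used for UserSid is a simplification.

```python
import re

_STORE_PATH = re.compile(
    r"^(?:\\\\(?P<host>[^\\]+)\\)?"                          # optional \\HostName\
    r"(?P<location>LocalMachine|CurrentUser|User|Service)"  # StoreLocation
    r"(?:\\(?P<qualifier>[^\\]+))?"                          # optional ServiceName or UserSid
    r"\\(?P<store>[^\\]+)$"                                  # StoreName is always the last component
)
# Simplified shape of a Windows SID string such as S-1-5-21-...-1001 (assumption, not from the annex).
_SID = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_windows_store_path(path):
    """Split a "Windows" StorePath into host, location, store and, for the Service or
    User locations, the service name or user SID. Raises ValueError otherwise."""
    m = _STORE_PATH.match(path)
    if not m:
        raise ValueError(f"StorePath does not follow the grammar: {path!r}")
    parts = m.groupdict()
    location, qualifier = parts["location"], parts.pop("qualifier")
    if location == "Service":
        if not qualifier:
            raise ValueError("Service location requires a ServiceName")
        parts["service_name"] = qualifier
    elif location == "User":
        if not qualifier or not _SID.match(qualifier):
            raise ValueError("User location requires a UserSid")
        parts["user_sid"] = qualifier
    elif qualifier is not None:
        raise ValueError(f"{location} does not take a ServiceName or UserSid")
    return parts


if __name__ == "__main__":
    print(parse_windows_store_path(r"\\MYPC\Service\My UA Server\UA applications"))
```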


A "Directory" StoreType specifies a directory on disk which contains files with DER encoded Certificates. The name of each file is the CertificateDigest for the Certificate it contains. Only public keys (certificates) may be placed directly in a "Directory" store; private keys belong only in the private subdirectory of a structured store (see Table E.3). The StorePath is an absolute file system path with a syntax that depends on the operating system.

If a "Directory" store contains a "certs" subdirectory, then it is presumed to be a structured store with the subdirectories described in Table E.3.

Table E.3 – Structured directory store

certs
    Contains the DER encoded X.509 v3 Certificates.
    The files shall have a .der file extension.

private
    Contains the private keys.
    The format of the file may be application specific.
    PEM encoded files should have a .pem extension.
    PKCS#12 encoded files should have a .pfx extension.
    The root file name shall be the same as the corresponding public key file in the certs directory.

crl
    Contains the DER encoded CRL for any CA Certificates found in the certs or ca directories.
    The files shall have a .crl file extension.
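The layout rules for an unstructured and a structured "Directory" store above are illustrated by the following Python, added here as a worked example and not taken from this annex or from any OPC UA stack. It walks a store, checks that certificate file names are the CertificateDigest of their contents, that private key files share a root name with an entry in certs, that nothing but .crl files sits in crl, and that no key material sits among the certificates. As in the earlier example, computing the CertificateDigest as SHA-1 over the DER bytes is an assumption of the example; the file contents written by `make_test_store` are placeholder bytes, not real certificates, and are labelled as constructed test data.

```python
import hashlib
import os
import tempfile


def thumbprint(der):
    """CertificateDigest as a hex string; SHA-1 over the DER bytes is an assumption
    of this example, not something the annex states here."""
    return hashlib.sha1(der).hexdigest().upper()


def _files(directory):
    """Sorted regular files in directory, or [] when the directory does not exist."""
    if not os.path.isdir(directory):
        return []
    return sorted(f for f in os.listdir(directory) if os.path.isfile(os.path.join(directory, f)))


def load_directory_store(store_path):
    """Walk a "Directory" store and return (structured, certs, problems). certs maps a
    thumbprint to {"cert": path, "key": path or None}; problems lists violations of the
    layout rules. The store is structured when it has a 'certs' subdirectory."""
    structured = os.path.isdir(os.path.join(store_path, "certs"))
    cert_dir = os.path.join(store_path, "certs") if structured else store_path
    certs, problems = {}, []
    for fname in _files(cert_dir):
        root, ext = os.path.splitext(fname)
        if ext.lower() in (".pem", ".pfx", ".key"):     # only public keys belong here
            problems.append(f"{fname}: private key material does not belong in {cert_dir}")
            continue
        if structured and ext.lower() != ".der":
            problems.append(f"{fname}: certificate files shall have a .der extension")
            continue
        path = os.path.join(cert_dir, fname)
        with open(path, "rb") as f:
            actual = thumbprint(f.read())
        if root.upper() != actual:                       # file name shall be the digest
            problems.append(f"{fname}: file name is not the CertificateDigest {actual}")
        certs[actual] = {"cert": path, "key": None}
    if structured:
        for fname in _files(os.path.join(store_path, "private")):
            root, ext = os.path.splitext(fname)
            if ext.lower() not in (".pem", ".pfx"):
                problems.append(f"private/{fname}: expected a .pem or .pfx extension")
            if root.upper() in certs:                    # same root name as the certs entry
                certs[root.upper()]["key"] = os.path.join(store_path, "private", fname)
            else:
                problems.append(f"private/{fname}: no public key file with this root name in certs")
        for fname in _files(os.path.join(store_path, "crl")):
            if not fname.lower().endswith(".crl"):
                problems.append(f"crl/{fname}: CRL files shall have a .crl extension")
    return structured, certs, problems


def _put(base, rel, data):
    with open(os.path.join(base, rel), "wb") as f:
        f.write(data)


def make_test_store(base):
    """Constructed test data: a structured store with one correct entry and several
    deliberate layout violations. The 'DER' payloads are placeholder bytes, not real
    certificates; only their digests matter to the layout checks."""
    good, bad = b"constructed-der-certificate-1", b"constructed-der-certificate-2"
    for sub in ("certs", "private", "crl"):
        os.makedirs(os.path.join(base, sub))
    _put(base, f"certs/{thumbprint(good)}.der", good)             # correct: name is the digest
    _put(base, "certs/misnamed.der", bad)                          # wrong: name is not the digest
    _put(base, "certs/stray.pem", b"-----BEGIN PRIVATE KEY-----")  # wrong: key among certificates
    _put(base, f"private/{thumbprint(good)}.pem", b"key")          # correct: root matches certs entry
    _put(base, "private/orphan.pfx", b"key")                       # wrong: no matching certificate
    _put(base, "crl/issuer.crl", b"crl")                           # correct
    _put(base, "crl/readme.txt", b"")                              # wrong extension
    return base


def demo(structured=True):
    """Build a constructed store in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        if structured:
            make_test_store(tmp)
        else:                                            # flat store: digest-named files only
            good = b"constructed-der-certificate-1"
            _put(tmp, thumbprint(good) + ".der", good)
            _put(tmp, "stray.pfx", b"key")
        return load_directory_store(tmp)


if __name__ == "__main__":
    for s in (True, False):
        structured, certs, problems = demo(s)
        print("structured" if structured else "flat", len(certs), "certificate(s)", problems)
```

A misnamed certificate is still loaded under its real digest so that a lookup by Thumbprint succeeds, but it is reported, because a file whose name and digest disagree is the usual sign that a store was edited by hand or that a certificate was renewed without its key and CRL files being updated.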

Each Certificate is uniquely identified by its Thumbprint. The SubjectName (either the Common Name or the full distinguished SubjectName) may be used to identify a Certificate to a human; however, it is not unique. The SubjectName may be specified in conjunction with the Thumbprint or the RawData. If there is an inconsistency between the information provided, then the CertificateIdentifier is invalid. Invalid CertificateIdentifiers are handled differently depending on where they are used.

It is recommended that the SubjectName always be specified, so that a configuration remains readable and a mismatch with the referenced Certificate is detected rather than silently trusting whatever the Thumbprint or store path resolves to.

A Certificate revocation list (CRL) contains a list of Certificates issued by a CA that the CA has revoked and that are therefore no longer trusted, even though they have not expired. These lists should be checked before an application trusts a Certificate issued by a trusted CA. The format of a CRL is defined by RFC 3280 (since obsoleted by RFC 5280). A CRL is only useful if it is itself trustworthy: its signature shall be verified against the Issuer Certificate and its validity period checked before it is relied on.

Offline CRLs are placed in a local Certificate store with the Issuer Certificate. Online CRLs may exist, but the protocol used to retrieve them depends on the system. An online CRL is identified by a URL.