The CertificateIdentifier element describes an X.509 v3 Certificate. The Certificate can be provided explicitly within the element or the element can specify the location of the CertificateStore that contains the Certificate. The elements contained in a CertificateIdentifier are described in Table E.2.
Table E.2 – CertificateIdentifier
|StoreType||String||The type of CertificateStore that contains the Certificate. Predefined values are “Windows” and “Directory”.If not specified, the RawData element is specified.|
|StorePath||String||The path to the CertificateStore. The syntax depends on the StoreType. If not specified, the RawData element is specified.|
|SubjectName||String||The SubjectName for the Certificate. The Common Name (CN) component of the SubjectName. The SubjectName represented as a string that complies with Section 3 of RFC 4514. Values that do not contain ‘=’ characters are presumed to be the Common Name component.|
|Thumbprint||String||The CertificateDigest for the Certificate formatted as a hexadecimal string.Case is not significant.|
|RawData||ByteString||The DER encoded Certificate. The CertificateIdentifier is invalid if the information in the DER Certificate conflicts with the information specified in other fields. Import utilities reject configurations containing invalid Certificates.This field is not specified if the StoreType and StorePath are specified.|
|ValidationOptions||Int32||The options to use when validating the Certificate. The possible options are described in E.6.|
|OfflineRevocationList||ByteString||A Certificate Revocation List (CRL) associated with an Issuer Certificate. The format of a CRL is defined by RFC 5280.This field is only meaningful for Issuer Certificates.|
|OnlineRevocationList||String||A URL for an Online Revocation List associated with an Issuer Certificate. This field is only meaningful for Issuer Certificates.|
A “Windows” StoreType specifies a Windows Certificate store.
The syntax of the StorePath has the form:
\[\\\\HostName\\\]StoreLocation\[\\(ServiceName | UserSid)\]\\StoreName
HostName – the name of the machine where the store resides. StoreLocation – one of LocalMachine, CurrentUser, User or Service ServiceName – the name of a Windows Service. UserSid – the SID for a Windows user account. StoreName – the name of the store (e.g. My, Root, Trust, CA, etc.).
Examples of Windows StorePaths are:
\\\\MYPC\\LocalMachine\\My \\CurrentUser\\Trust \\\\MYPC\\Service\\My UA *Server*\\UA applications \\User\\S-1-5-25\\Root
A “Directory” StoreType specifies a directory on disk which contains files with DER encoded Certificates. The name of the file is the CertificateDigest for the Certificate. Only public keys may be placed in a “Directory” Store. The StorePath is an absolute file system path with a syntax that depends on the operating system.
If a “Directory” store contains a ‘certs’ subdirectory, then it is presumed to be a structured store with the subdirectories described in Table E.3.
Table E.3 – Structured directory store
|certs||Contains the DER encoded X.509 v3 Certificates.The files have a .der file extension.|
|private||Contains the private keys. The format of the file may be application specific. PEM encoded files should have a .pem extension. PKCS#12 encoded files should have a .pfx extension.The root file name is the same as the corresponding public key file in the certs directory.|
|crl||Contains the DER encoded CRL for any CA Certificates found in the certs or ca directories. The files have a .crl file extension.|
Each Certificate is uniquely identified by its Thumbprint. The SubjectName or the distinguished SubjectName may be used to identify a Certificate to a human; however, they are not unique. The SubjectName may be specified in conjunction with the Thumbprint or the RawData. If there is an inconsistency between the information provided, then the CertificateIdentifier is invalid. Invalid CertificateIdentifiers are handled differently depending on where they are used.
It is recommended that the SubjectName always be specified.
A Certificate revocation list (CRL) contains a list of certificates issued by a CA that are no longer trusted. These lists should be checked before an application can trust a Certificate issued by a trusted CA. The format of a CRL is defined by RFC 5280.
Offline CRLs are placed in a local Certificate store with the Issuer Certificate. Online CRLs may exist but the protocol depends on the system. An online CRL is identified by a URL.