Annex E (normative) Security settings management

E.3 CertificateIdentifier

The CertificateIdentifier element describes an X.509 v3 Certificate. The Certificate can be provided explicitly within the element or the element can specify the location of the CertificateStore that contains the Certificate. The elements contained in a CertificateIdentifier are described in Table E.2.

Table E.2 – CertificateIdentifier

| Element | Type | Description |
|---|---|---|
| StoreType | String | The type of CertificateStore that contains the Certificate. Predefined values are “Windows” and “Directory”. If not specified, the RawData element shall be specified. |
| StorePath | String | The path to the CertificateStore. The syntax depends on the StoreType. If not specified, the RawData element shall be specified. |
| SubjectName | String | The SubjectName for the Certificate: either the Common Name (CN) component of the SubjectName, or the full SubjectName represented as a string that complies with Section 3 of RFC 4514. Values that do not contain ‘=’ characters are presumed to be the Common Name component. |
| Thumbprint | String | The CertificateDigest for the Certificate formatted as a hexadecimal string. Case is not significant. |
| RawData | ByteString | The DER encoded Certificate. The CertificateIdentifier is invalid if the information in the DER Certificate conflicts with the information specified in other fields. Import utilities shall reject configurations containing invalid Certificates. This field shall not be specified if the StoreType and StorePath are specified. |
| ValidationOptions | Int32 | The options to use when validating the Certificate. The possible options are described in E.6. |
| OfflineRevocationList | ByteString | A Certificate Revocation List (CRL) associated with an Issuer Certificate. The format of a CRL is defined by RFC 3280. This field is only meaningful for Issuer Certificates. |
| OnlineRevocationList | String | A URL for an Online Revocation List associated with an Issuer Certificate. This field is only meaningful for Issuer Certificates. |

A “Windows” StoreType specifies a Windows Certificate store.

The syntax of the StorePath has the form:

[\\HostName\]StoreLocation[\(ServiceName | UserSid)]\StoreName

where:

HostName – the name of the machine where the store resides.

StoreLocation – one of LocalMachine, CurrentUser, User or Service.

ServiceName – the name of a Windows Service.

UserSid – the SID for a Windows user account.

StoreName – the name of the store (e.g. My, Root, Trust, CA, etc.).

Examples of Windows StorePaths are:

\\MYPC\LocalMachine\My

\CurrentUser\Trust

\\MYPC\Service\My UA Server\UA applications

\User\S-1-5-25\Root

A “Directory” StoreType specifies a directory on disk which contains files with DER encoded Certificates. The name of the file is the CertificateDigest for the Certificate. Only public keys may be placed in a “Directory” Store. The StorePath is an absolute file system path with a syntax that depends on the operating system.

If a “Directory” store contains a ‘certs’ subdirectory, then it is presumed to be a structured store with the subdirectories described in Table E.3.

Table E.3 – Structured directory store

| Subdirectory | Description |
|---|---|
| certs | Contains the DER encoded X.509 v3 Certificates. The files shall have a .der file extension. |
| private | Contains the private keys. The format of the file may be application specific. PEM encoded files should have a .pem extension. PKCS#12 encoded files should have a .pfx extension. The root file name shall be the same as the corresponding public key file in the certs directory. |
| crl | Contains the DER encoded CRL for any CA Certificates found in the certs or ca directories. The files shall have a .crl file extension. |

Each Certificate is uniquely identified by its Thumbprint. The SubjectName (the Common Name alone or the full distinguished name) may be used to identify a Certificate to a human; however, it is not unique. The SubjectName may be specified in conjunction with the Thumbprint or the RawData. If there is an inconsistency between the information provided, then the CertificateIdentifier is invalid. Invalid CertificateIdentifiers are handled differently depending on where they are used.

It is recommended that the SubjectName always be specified.
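The following is an added example, not code from the OPC UA specification: a validator that applies the Table E.2 rules (StoreType/StorePath versus RawData, Thumbprint format and consistency), the Windows StorePath syntax above, and the "no '=' means Common Name" rule for SubjectName, as an import utility that must reject invalid CertificateIdentifiers would. It assumes the CertificateDigest behind the Thumbprint is the SHA-1 digest of the DER bytes, which this page does not state; the RawData values used with it are constructed stand-ins, since no DER parsing is performed.

```python
import hashlib
import re

# Assumption (not stated on this page): the Thumbprint's CertificateDigest is SHA-1 of the DER bytes.
WINDOWS_STORE_PATH = re.compile(
    r"^(?:\\\\(?P<host>[^\\]+))?"                              # [\\HostName\]
    r"\\(?P<location>LocalMachine|CurrentUser|User|Service)"  # StoreLocation
    r"(?:\\(?P<scope>[^\\]+))?"                               # [\(ServiceName | UserSid)]
    r"\\(?P<store>[^\\]+)$")                                  # \StoreName

def parse_windows_store_path(path):
    """Split a Windows StorePath into its components; raise ValueError on bad syntax."""
    m = WINDOWS_STORE_PATH.match(path)
    if not m:
        raise ValueError(f"malformed Windows StorePath {path!r}")
    parts = m.groupdict()
    scoped = parts["location"] in ("User", "Service")  # only these carry a UserSid/ServiceName
    if scoped != (parts["scope"] is not None):
        raise ValueError(f"{parts['location']} StorePath has the wrong number of components")
    return parts

def subject_common_name(subject_name):
    if "=" not in subject_name:          # no '=' means the value is the CN itself
        return subject_name
    for rdn in re.split(r"(?<!\\),", subject_name):   # split the RFC 4514 string on unescaped commas
        attr, _, value = rdn.strip().partition("=")
        if attr.upper() == "CN":
            return value

def validate_certificate_identifier(ci):
    """Return the Table E.2 rule violations found in ci (a dict); an empty list means valid."""
    problems = []
    store_type, store_path, raw = ci.get("StoreType"), ci.get("StorePath"), ci.get("RawData")
    if store_type and store_path:
        if raw is not None:
            problems.append("RawData shall not be specified with StoreType and StorePath")
        if store_type == "Windows":
            try:
                parse_windows_store_path(store_path)
            except ValueError as exc:
                problems.append(str(exc))
    elif raw is None:
        problems.append("RawData shall be specified when StoreType or StorePath is absent")
    thumbprint = ci.get("Thumbprint")
    if thumbprint is not None:
        if not re.fullmatch(r"[0-9A-Fa-f]+", thumbprint):
            problems.append("Thumbprint must be a hexadecimal string")
        elif raw is not None and thumbprint.lower() != hashlib.sha1(raw).hexdigest():
            problems.append("Thumbprint does not match the digest of RawData")
    return problems
```

Checking the SubjectName against the certificate itself would additionally require decoding the DER subject, which this example leaves out.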

A Certificate revocation list (CRL) contains a list of certificates issued by a CA that are no longer trusted. These lists should be checked before an application can trust a Certificate issued by a trusted CA. The format of a CRL is defined by RFC 3280.

Offline CRLs are placed in a local Certificate store with the Issuer Certificate. Online CRLs may exist but the protocol depends on the system. An online CRL is identified by a URL.
