Processing Rules for ICertAdminD

The ICertAdminD interface provides an application programming interface for a client<16> to manage a certificate authority.

The ICertAdminD interface inherits the IUnknown interface.

The version number for IUnknown is 1.0. The universally unique identifier (UUID) for the ICertAdminD interface is "d99e6e71-fc88-11d0-b498-00a0c90312f3". Method opnum field values start with 3; opnum values 0 through 2 represent the IUnknown methods: QueryInterface, AddRef, and Release methods, respectively, as specified in [MS-DCOM].

Methods in RPC Opnum Order

SetExtension (Opnum 3)
The SetExtension method allows adding, modifying, or disabling extensions, as specified in [RFC3280]; a CA can include an extension in an issued certificate for a particular pending request.

SetAttributes (Opnum 4)
The SetAttributes method sets attributes in the specified pending certificate request.

ResubmitRequest (Opnum 5)
The ResubmitRequest method resubmits a specific pending or denied certificate request to the CA.

DenyRequest (Opnum 6)
The DenyRequest method denies a specific certificate request that is pending.

IsValidCertificate (Opnum 7)
The IsValidCertificate method verifies the certificate against the CA key and checks that the certificate has not been revoked.

PublishCRL (Opnum 8)
The PublishCRL method sends a request to the CA server to publish a new CRL, as specified in [RFC3280] section 5.

GetCRL (Opnum 9)
The GetCRL method retrieves the current CRL for the CA server.

RevokeCertificate (Opnum 10)
The RevokeCertificate method revokes a certificate either immediately or on a specified date.

EnumViewColumn (Opnum 11)
The EnumViewColumn method returns an array of column information.

GetViewDefaultColumnSet (Opnum 12)
The GetViewDefaultColumnSet method returns an array of the column set identifiers associated with a specific view.

EnumAttributesOrExtensions (Opnum 13)
The EnumAttributesOrExtensions method is used to access sets of attributes or extensions for a particular row ID.

OpenView (Opnum 14)
The OpenView method opens a view into the database and returns a set of resultant row data.

EnumView (Opnum 15)
The EnumView method returns a set of resultant row data for the opened view.

CloseView (Opnum 16)
The CloseView method closes a view previously opened with the OpenView method call.

ServerControl (Opnum 17)
The ServerControl method is used to force the CA server to unregister the ICertAdminD and ICertAdminD2 interfaces.

Ping (Opnum 18)
The Ping method is used to test whether the Certificate server is alive.

GetServerState (Opnum 19)
The GetServerState method is used to validate "Read".

BackupPrepare (Opnum 20)
The BackupPrepare method is used to prepare the database for performing further backup operations.

BackupEnd (Opnum 21)
The BackupEnd method completes the backup process started via a call to ICertAdminD::BackupPrepare.

BackupGetAttachmentInformation (Opnum 22)
The BackupGetAttachmentInformation method is used to query the CA for the names of database files that are to become part of the backup file set.

BackupGetBackupLogs (Opnum 23)
The BackupGetBackupLogs method queries the CA for the names of database transaction log files that are to become part of the backup file set.

BackupOpenFile (Opnum 24)
The BackupOpenFile method opens a file for backup.

BackupReadFile (Opnum 25)
The BackupReadFile method reads the database file and loads the content into the buffer provided.

BackupCloseFile (Opnum 26)
The BackupCloseFile method closes the database file that was initialized by a prior call to BackupOpenFile.

BackupTruncateLogs (Opnum 27)
The BackupTruncateLogs method eliminates redundant records from the log files and reduces the disk storage space used by log files.

ImportCertificate (Opnum 28)
The ImportCertificate method imports a certificate into the CA database.

BackupGetDynamicFiles (Opnum 29)
The BackupGetDynamicFiles method retrieves the list of CA dynamic file names that need to be backed up.

RestoreGetDatabaseLocation (Opnum 30)
The RestoreGetDatabaseLocation method retrieves the list of CA server database location names for all the database files being restored.

All methods MUST NOT throw exceptions.

The CA MUST execute the following processing rules for each invocation of each of the methods listed in this section. The CA MUST then proceed to execute the processing rules listed for each individual method below.

The CA MUST obtain the SID of the caller, in the RPC_SID form, from the value of the element uToken.Sids[uToken.UserIndex]. The ADM element uToken is initialized by retrieving the identity token for the current execution context by calling the abstract interface GetRpcImpersonationAccessToken(), as specified in [MS-RPCE] section. The value of the uToken.Sids array element indexed at uToken.UserIndex is the SID of the caller. If the caller cannot be identified (uToken.Sids[uToken.UserIndex] is NULL), the CA MUST refuse to establish a connection, returning an error.<17>

If Config_CA_Interface_Flags contains the value IF_ENFORCEENCRYPTICERTADMIN and the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level, as defined in [MS-RPCE] section, is not specified on the RPC connection from the client, the CA MUST refuse to establish a connection with the client by returning an error.<18>

If Config_CA_Interface_Flags contains the value IF_NOREMOTEICERTADMIN, the CA SHOULD return an error for any of the methods listed in this section.<19>
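The three common admission rules above (caller SID present, encryption enforced when IF_ENFORCEENCRYPTICERTADMIN is set, remote access refused when IF_NOREMOTEICERTADMIN is set), modelled as an added example that is not part of the MS-CSRA text. The numeric bit values and RPC authentication levels are assumed from the Windows SDK headers certsrv.h and rpcdce.h (this page gives none); the SIDs in the usage are constructed.

```python
from typing import List, Optional

# Config_CA_Interface_Flags bits, assumed from the Windows SDK certsrv.h
# (numeric values are not stated on this page; verify against your SDK copy).
IF_NOREMOTEICERTADMIN       = 0x00000010
IF_ENFORCEENCRYPTICERTADMIN = 0x00000400

# RPC authentication levels, assumed from rpcdce.h ([MS-RPCE]).
RPC_C_AUTHN_LEVEL_CONNECT       = 2
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5
RPC_C_AUTHN_LEVEL_PKT_PRIVACY   = 6


def admit_icertadmind_call(interface_flags: int, authn_level: int,
                           caller_sid: Optional[str]) -> str:
    """Apply the common ICertAdminD processing rules in the order the
    spec lists them; return "ACCEPT" or the reason the CA refuses."""
    # Rule 1: uToken.Sids[uToken.UserIndex] must identify the caller.
    if caller_sid is None:
        return "REFUSED: caller SID is NULL"
    # Rule 2: with encryption enforced, only PKT_PRIVACY connections are accepted.
    if (interface_flags & IF_ENFORCEENCRYPTICERTADMIN
            and authn_level != RPC_C_AUTHN_LEVEL_PKT_PRIVACY):
        return "REFUSED: IF_ENFORCEENCRYPTICERTADMIN requires RPC_C_AUTHN_LEVEL_PKT_PRIVACY"
    # Rule 3: remote ICertAdminD access is disabled for every method.
    if interface_flags & IF_NOREMOTEICERTADMIN:
        return "REFUSED: IF_NOREMOTEICERTADMIN is set"
    return "ACCEPT"


def review_interface_flags(interface_flags: int) -> List[str]:
    """Defender-side review of a CA's configured InterfaceFlags DWORD
    (the value shown by 'certutil -getreg CA\\InterfaceFlags')."""
    findings = []
    if not interface_flags & IF_ENFORCEENCRYPTICERTADMIN:
        findings.append("ICertAdminD accepts connections below RPC_C_AUTHN_LEVEL_PKT_PRIVACY")
    if interface_flags & IF_NOREMOTEICERTADMIN:
        findings.append("remote ICertAdminD calls are refused on this CA")
    return findings


if __name__ == "__main__":
    sid = "S-1-5-21-1-2-3-500"  # constructed sample SID
    for flags, level in [(0x400, 6), (0x400, 5), (0x410, 6), (0x000, 2)]:
        print(hex(flags), level, admit_icertadmind_call(flags, level, sid))
    print(review_interface_flags(0x000))
```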