3.1.6.1.1.9 mSMQSignCertificates and mSMQDigests

The PublicSigningKeyList attribute is stored in two attributes on the computer object. The mSMQSignCertificates ([MS-ADA2] section 2.587) attribute contains an MQUSERSIGNCERTS ([MS-MQMQ] section 2.2.21) structure, which contains MQUSERSIGNCERT ([MS-MQMQ] section 2.2.22) structures, which in turn contain individual X.509-encoded certificates. The mSMQDigests ([MS-ADA2] section 2.554) attribute contains an array of MD5 hashes of the certificates stored in the mSMQSignCertificates attribute, mirroring the values of the Digest fields of the MQUSERSIGNCERT structures. Each array element MUST contain the 16-byte output of the MD5 algorithm, as specified in [RFC1321]. The certificates and digests MUST be in the same order, but there is no other sorting requirement.

The values of mSMQSignCertificates and mSMQDigests MUST be computed according to the following algorithm:

If the PublicSigningKeyList ADM attribute name is present in iAttributeList and iDirectoryObject.PublicSigningKeyList is populated:

  • Copy the bytes in iDirectoryObject.PublicSigningKeyList, which is an MQUSERSIGNCERTS structure, to mSMQSignCertificates.

  • For each MQUSERSIGNCERT structure in mSMQSignCertificates:

    • Append the bytes of the Digest field in the structure to mSMQDigests.

The attributes mSMQSignCertificatesMig ([MS-ADA2] section 2.588) and mSMQDigestsMig ([MS-ADA2] section 2.555) MAY<9> be set to the values of mSMQSignCertificates and mSMQDigests, respectively.
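The algorithm above, together with a consistency audit of the two stored attributes, as an added example that is not part of the specification. The field layout (little-endian CertificateCount, then per entry Digest, a 16-byte Identifier, CertificateLength and Certificate) is an assumption taken from the referenced [MS-MQMQ] structures rather than from this section, and all function names are hypothetical.

```python
import hashlib
import struct

DIGEST_LEN = 16   # MD5 output size, as required by this section
GUID_LEN = 16     # assumed size of the Identifier field (not stated on this page)

def parse_signcerts(blob):
    """Split an MQUSERSIGNCERTS blob into (digest, identifier, certificate) tuples."""
    if len(blob) < 4:
        raise ValueError("truncated MQUSERSIGNCERTS header")
    (count,) = struct.unpack_from("<I", blob, 0)
    off, entries = 4, []
    for _ in range(count):
        head_end = off + DIGEST_LEN + GUID_LEN + 4
        if head_end > len(blob):
            raise ValueError("truncated MQUSERSIGNCERT header")
        digest = blob[off:off + DIGEST_LEN]
        ident = blob[off + DIGEST_LEN:off + DIGEST_LEN + GUID_LEN]
        (cert_len,) = struct.unpack_from("<I", blob, head_end - 4)
        if head_end + cert_len > len(blob):
            raise ValueError("certificate length exceeds blob")
        entries.append((digest, ident, blob[head_end:head_end + cert_len]))
        off = head_end + cert_len
    if off != len(blob):
        raise ValueError("trailing bytes after last MQUSERSIGNCERT")
    return entries

def compute_attributes(public_signing_key_list):
    """Apply the algorithm: copy the blob, then collect each Digest field in order."""
    entries = parse_signcerts(public_signing_key_list)
    return public_signing_key_list, [d for d, _, _ in entries]

def audit(sign_certs, digests):
    """Return findings where the stored digests disagree with the certificate blob."""
    entries = parse_signcerts(sign_certs)
    findings = []
    if len(entries) != len(digests):
        findings.append("count mismatch: %d certs, %d digests" % (len(entries), len(digests)))
    for i, ((field, _, cert), stored) in enumerate(zip(entries, digests)):
        if hashlib.md5(cert).digest() != field:
            findings.append("entry %d: Digest field is not MD5 of certificate" % i)
        if stored != field:
            findings.append("entry %d: mSMQDigests value differs from Digest field" % i)
    return findings

def build_entry(cert, ident=b"\x00" * GUID_LEN):
    """Constructed-sample helper: pack one MQUSERSIGNCERT under the assumed layout."""
    return hashlib.md5(cert).digest() + ident + struct.pack("<I", len(cert)) + cert

# Constructed sample: placeholder bytes stand in for X.509-encoded certificates.
SAMPLE = struct.pack("<I", 2) + build_entry(b"cert-A") + build_entry(b"cert-B")
```

`audit` reports both kinds of drift: a Digest field that no longer matches its certificate bytes, and an mSMQDigests array that is out of order or out of sync with mSMQSignCertificates.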