2.2.9.3.2 ISSUER
The ISSUER element of an issuing certificate identifies the issuer of that certificate and MUST use the following template. Its contents are generally copied from the principal in the ISSUEDPRINCIPALS element of the issuer's own certificate.
<ISSUER>
  <OBJECT type="[[- objecttype -]]">
    <ID type="[[- idtype -]]">[[- id -]]</ID>
    [[- name -]]
  </OBJECT>
  [[- publickey -]]
  [[- cps -]]
</ISSUER>
[[- objecttype -]]: MUST contain the literal string found in the following table, specifying the type of the issuer. This string SHOULD be considered case-sensitive by both the client and the server.
Certificate                                      Literal string
SLC                                              MS-DRM-Server
Enrollment Service certificate                   DRM-Certificate-Authority
Enrollment CA certificate                        DRM-Certificate-Authority
Version 1 security processor CA certificate      DRM-Certificate-Authority
SPC issuer certificate                           DRM-Desktop-Security-Processor-Certificate-Authority
Security processor CA certificate                DRM-Certificate-Authority
Intermediate security processor CA certificate   DRM-Certificate-Authority
CA certificate                                   DRM-Certificate-Authority
[[- idtype -]]: MUST contain the literal string found in the following table, specifying the type of identifier used to identify the issuer.
Certificate                                      Literal string
SLC                                              MS-GUID
Enrollment Service certificate                   ascii-tag
Enrollment CA certificate                        ascii-tag
Version 1 security processor CA certificate      ascii-tag
SPC issuer certificate                           MS-GUID
Security processor CA certificate                ascii-tag
Intermediate security processor CA certificate   ascii-tag
CA certificate                                   ascii-tag
[[- id -]]: MUST contain the value or literal string from the following tables, identifying the issuer. The [[- GUID -]] placeholder is defined immediately following the two tables.
This table is for RMS servers in the production hierarchy:

Certificate                                      Literal string
SLC                                              [[- GUID -]]
Enrollment Service certificate                   Microsoft DRM Production Server Enrollment CA
Enrollment CA certificate                        Microsoft DRM Production CA
Version 1 security processor CA certificate      Microsoft DRM Production Machine Activation Server CA
SPC issuer certificate                           [[- GUID -]]
Security processor CA certificate                Microsoft DRM Production Machine Activation Server CA
Intermediate security processor CA certificate   Microsoft DRM Production CA
CA certificate                                   Microsoft DRM Production Root

This table is for RMS servers in the pre-production hierarchy:

Certificate                                      Literal string
SLC                                              [[- GUID -]]
Enrollment Service certificate                   Microsoft DRM ISV Server Enrollment CA
Enrollment CA certificate                        Microsoft DRM ISV CA
Version 1 security processor CA certificate      Microsoft DRM ISV Machine Activation Server CA
SPC issuer certificate                           [[- GUID -]]
Security processor CA certificate                Microsoft DRM ISV Machine Activation Server CA
Intermediate security processor CA certificate   Microsoft DRM ISV CA
CA certificate                                   Microsoft DRM ISV Root
[[- GUID -]]: A unique GUID that identifies the issuer of the certificate, represented as a literal ASCII string enclosed in braces. MUST be taken from the object of the principal of the ISSUEDPRINCIPALS of the issuer's certificate.
[[- name -]]: SHOULD be a name element containing the literal string from the following tables, specifying a name for the issuer.
This table is for RMS servers in the production hierarchy:

Certificate                                      Literal string
SLC                                              Microsoft DRM Server Enrollment Service
Enrollment Service certificate                   Microsoft DRM Production Server Enrollment CA
Enrollment CA certificate                        Microsoft DRM Production CA
Version 1 security processor CA certificate      Microsoft DRM Production Machine Activation Server CA
SPC issuer certificate                           Microsoft DRM Production Machine Activation Desktop Security Processor CA
Security processor CA certificate                Microsoft DRM Production Machine Activation Server CA
Intermediate security processor CA certificate   Microsoft DRM Production CA
CA certificate                                   Microsoft DRM Production Root

If the RMS server has been self-enrolled, the name element's value for the SLC MUST be "Microsoft DRM Server Self Enrollment Service".

This table is for RMS servers in the pre-production hierarchy:

Certificate                                      Literal string
SLC                                              Microsoft DRM ISV Server Enrollment Service
Enrollment Service certificate                   Microsoft DRM ISV Server Enrollment CA
Enrollment CA certificate                        Microsoft DRM ISV CA
Version 1 security processor CA certificate      Microsoft DRM ISV Machine Activation Server CA
SPC issuer certificate                           Microsoft DRM ISV Machine Activation Desktop Security Processor CA
Security processor CA certificate                Microsoft DRM ISV Machine Activation Server CA
Intermediate security processor CA certificate   Microsoft DRM ISV CA
CA certificate                                   Microsoft DRM ISV Root
[[- publickey -]]: MUST be a PUBLICKEY element that contains the issuer's public key. Exponent MUST be set to 65537. Modulus MUST contain the modulus of the issuer's public key. Size MUST be specified in bits and MUST follow this table.
Certificate                                      Modulus size (bits)
SLC                                              1024 or 2048
Enrollment Service certificate                   1024 or 2048
Enrollment CA certificate                        2048
Version 1 security processor CA certificate      1024
SPC issuer certificate                           1024 or 2048
Security processor CA certificate                1024 or 2048
Intermediate security processor CA certificate   2048
CA certificate                                   2048
[[- cps -]]: SHOULD be present in the SLC and MUST NOT be present in any other certificate. When present, it is a SECURITYLEVEL element whose name is "Certificate Practice Statement" and whose value is a URL pointing to the certificate practice statement.
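As an added example (not code from the specification or from any RMS implementation), the following Python encodes this section's tables and checks a parsed ISSUER element against them for a given certificate type and hierarchy: the objecttype and idtype literals, the ID (fixed literal or braced GUID), the NAME (including the self-enrollment variant for the SLC), the PUBLICKEY constraints (exponent 65537, declared size allowed for the type and consistent with the modulus actually present), and the rule that the Certificate Practice Statement SECURITYLEVEL appears in the SLC and nowhere else. The element layout assumed for PUBLICKEY (ALGORITHM/PARAMETER/VALUE with a base64 modulus) and for SECURITYLEVEL (name and value attributes) is an assumption of the example, as this section fixes only the values those elements carry; the sample ISSUER, its GUID and its modulus bytes are constructed for the test.

```python
# Added example, not specification code: check an ISSUER element against this section's
# rules. The XrML layout assumed for PUBLICKEY (ALGORITHM/PARAMETER/VALUE) and
# SECURITYLEVEL (name/value attributes) is an assumption; the page fixes only the values.
import base64
import re
import xml.etree.ElementTree as ET

CA, TAG = "DRM-Certificate-Authority", "ascii-tag"
RULES = {  # per certificate type: (objecttype literal, idtype literal, allowed modulus bits)
    "SLC": ("MS-DRM-Server", "MS-GUID", {1024, 2048}),
    "Enrollment Service certificate": (CA, TAG, {1024, 2048}),
    "Enrollment CA certificate": (CA, TAG, {2048}),
    "Version 1 security processor CA certificate": (CA, TAG, {1024}),
    "SPC issuer certificate": ("DRM-Desktop-Security-Processor-Certificate-Authority", "MS-GUID", {1024, 2048}),
    "Security processor CA certificate": (CA, TAG, {1024, 2048}),
    "Intermediate security processor CA certificate": (CA, TAG, {2048}),
    "CA certificate": (CA, TAG, {2048}),
}

def _literals(h, slc_name):
    """(ID, NAME) literals per certificate type; h is the hierarchy word ("Production"/"ISV"), None ID = braced GUID."""
    ca, enroll, mas, root = (f"Microsoft DRM {h} CA", f"Microsoft DRM {h} Server Enrollment CA",
                             f"Microsoft DRM {h} Machine Activation Server CA", f"Microsoft DRM {h} Root")
    return {
        "SLC": (None, slc_name),
        "Enrollment Service certificate": (enroll, enroll),
        "Enrollment CA certificate": (ca, ca),
        "Version 1 security processor CA certificate": (mas, mas),
        "SPC issuer certificate": (None, f"Microsoft DRM {h} Machine Activation Desktop Security Processor CA"),
        "Security processor CA certificate": (mas, mas),
        "Intermediate security processor CA certificate": (ca, ca),
        "CA certificate": (root, root),
    }

LITERALS = {"production": _literals("Production", "Microsoft DRM Server Enrollment Service"),
            "pre-production": _literals("ISV", "Microsoft DRM ISV Server Enrollment Service")}
CPS_NAME = "Certificate Practice Statement"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def _check_publickey(pk, sizes):
    """Exponent 65537; declared size allowed for this type and equal to the real modulus length."""
    if pk is None:
        return ["missing PUBLICKEY"]
    out = []
    exp = pk.findtext("PARAMETER[@name='public-exponent']/VALUE")
    if exp is None or exp.strip() != "65537":
        out.append("public exponent must be 65537")
    mod = pk.find("PARAMETER[@name='modulus']/VALUE")
    size = int(mod.get("size", "0")) if mod is not None else 0
    if size not in sizes:
        out.append(f"modulus size {size} not in allowed {sorted(sizes)}")
    if mod is not None and len(base64.b64decode((mod.text or "").strip())) * 8 != size:
        out.append("declared size does not match the modulus length")
    return out

def validate_issuer(issuer_xml, cert_type, hierarchy, self_enrolled=False):
    """Return the list of violated rules; an empty list means the ISSUER conforms."""
    objecttype, idtype, sizes = RULES[cert_type]
    expected_id, expected_name = LITERALS[hierarchy][cert_type]
    if cert_type == "SLC" and self_enrolled:
        expected_name = "Microsoft DRM Server Self Enrollment Service"
    root = ET.fromstring(issuer_xml)
    obj = root.find("OBJECT")
    if root.tag != "ISSUER" or obj is None:
        return ["not an ISSUER element with an OBJECT child"]
    problems = []
    if obj.get("type") != objecttype:
        problems.append(f"OBJECT type {obj.get('type')!r}, expected {objecttype!r}")
    id_el = obj.find("ID")
    if id_el is None or id_el.get("type") != idtype:
        problems.append(f"ID type must be {idtype!r}")
    id_text = (id_el.text or "").strip() if id_el is not None else ""
    if expected_id is None and not GUID_RE.match(id_text):
        problems.append("ID must be the braced GUID copied from the issuer's ISSUEDPRINCIPALS")
    elif expected_id is not None and id_text != expected_id:
        problems.append(f"ID {id_text!r}, expected {expected_id!r}")
    name_el = obj.find("NAME")
    if name_el is None or (name_el.text or "").strip() != expected_name:
        problems.append(f"NAME should be {expected_name!r}")  # SHOULD-level rule
    problems += _check_publickey(root.find("PUBLICKEY"), sizes)
    cps = root.find(f"SECURITYLEVEL[@name='{CPS_NAME}']")
    if cert_type == "SLC":
        if cps is None or not (cps.get("value") or "").startswith(("http://", "https://")):
            problems.append("SLC should carry a Certificate Practice Statement URL")
    elif cps is not None:
        problems.append("only the SLC may carry a Certificate Practice Statement")
    return problems

def sample_issuer(cert_type, hierarchy, size=2048, cps=True):
    """Constructed ISSUER for testing; the GUID and the modulus bytes are dummies."""
    objecttype, idtype, _ = RULES[cert_type]
    id_lit, name = LITERALS[hierarchy][cert_type]
    id_lit = id_lit or "{9D8A2E4F-1B3C-4D5E-8F6A-0B1C2D3E4F50}"
    modulus = base64.b64encode(bytes([0xC3]) * (size // 8)).decode()
    cps_el = f'<SECURITYLEVEL name="{CPS_NAME}" value="https://example.invalid/cps"/>' if cps else ""
    return f"""<ISSUER><OBJECT type="{objecttype}"><ID type="{idtype}">{id_lit}</ID><NAME>{name}</NAME></OBJECT>
<PUBLICKEY><ALGORITHM type="RSA"/><PARAMETER name="public-exponent"><VALUE encoding="integer32">65537</VALUE></PARAMETER>
<PARAMETER name="modulus"><VALUE encoding="base64" size="{size}">{modulus}</VALUE></PARAMETER></PUBLICKEY>
{cps_el}</ISSUER>"""
```

A caller that already knows which certificate in the chain it is examining passes the certificate type and hierarchy explicitly, so a certificate whose ISSUER quietly names the pre-production ("ISV") hierarchy while being presented as production, or that declares a 2048-bit size over a shorter modulus, is reported rather than silently accepted; the SHOULD-level rules (NAME, the CPS URL) are reported in the same list so the caller decides whether to treat them as fatal.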