[MS-WCCE]: Windows Client Certificate Enrollment Protocol
This topic lists the Errata found in [MS-WCCE] since it was last published. Since this topic is updated frequently, we recommend that you subscribe to these RSS or Atom feeds to receive update notifications. Errata are subject to the same terms as the Open Specifications documentation referenced.
To view a PDF file of the errata for the previous versions of this document, see the following ERRATA Archives:
October 16, 2015 - Download
June 30, 2015 - Download
July 18, 2016 - Download
September 29, 2020 - Download
October 6, 2021 - Download
Errata below are for Protocol Document Version V47.0 – 2021/10/06.
Errata Published*: 2022/05/10
Section 2.2.2.7.7.4 szOID_NTDS_CA_SECURITY_EXT
Description: Created new topic to define the szOID_NTDS_CA_SECURITY_EXT security extension for enhanced security protections. Also added operating system applicability [MSFT-CVE-2022-26931] for this security update.
Changed From: ""
Changed To: "OID = 1.3.6.1.4.1.311.25.2. Internal Name: szOID_NTDS_CA_SECURITY_EXT<11>. Description: Contains the objectSid of the Active Directory object whose information is being used to construct the subject information of an issued certificate. The CA MUST consider this extension from request attributes only when the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set on the corresponding certificate template object. See section 3.2.2.6.2.1.4.5.9 for specifics on how the CA processes this extension. This extension value MUST be DER-encoded ([X690]). The critical field for this extension SHOULD be set to FALSE. szOID_NTDS_OBJECTSID: 1.3.6.1.4.1.311.25.2.1. Format: The following is the ASN.1 format ([X690]) for this attribute.
OtherName ::= SEQUENCE {
    type-id    szOID_NTDS_OBJECTSID,
    value      OCTET STRING
}
<11> This security extension is supported by the operating systems specified in [MSFT-CVE-2022-26931], each with its related KB article download installed."
Section 2.3 Directory Service Schema Elements
Description: Added the 'objectSid' attribute to the Computer class and User class lists in the Class/Attribute table.
Changed From:
"Computer
  cn
  distinguishedName
  dNSHostName
  objectGuid"
Changed To:
"Computer
  cn
  distinguishedName
  dNSHostName
  objectGuid
  objectSid"
Changed From:
"User
  cn
  distinguishedName
  objectGuid
  userCertificate
  userPrincipalName"
Changed To:
"User
  cn
  distinguishedName
  objectGuid
  objectSid
  userCertificate
  userPrincipalName"
Section 3.2.2.1.2.1 Search Requests
Description: Added the attribute 'objectSid' to the list of attributes that the CA should use for an LDAP SearchRequest message.
Changed From:
● objectGUID
● userPrincipalName
Changed To:
● objectGUID
● objectSid
● userPrincipalName
Section 3.2.2.1.3.1 Search Requests
Description: Added the attribute 'objectSid' to the list of attributes that the CA should use for an LDAP SearchRequest message.
Changed From:
● objectGUID
● userPrincipalName
Changed To:
● objectGUID
● objectSid
● userPrincipalName
Section 3.2.2.6.2.1.4.5.9 msPKI-Certificate-Name-Flag
Description: "Enhanced the processing instructions to specify that the CA must add the new szOID_NTDS_CA_SECURITY_EXT security extension to the issued certificate when the CT_FLAG_NO_SECURITY_EXTENSION flag is not set; and to do the same when the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set and CT_FLAG_NO_SECURITY_EXTENSION is not set."
Changed From:
"4. If CT_FLAG_SUBJECT_REQUIRE_EMAIL is set, the CA MUST set the Subject field of the issued certificate (1) as a DN (1) whose E component value is obtained from the value of the mail attribute (1) of the requestor's user object in the working directory (1). For this, the CA MUST invoke the processing rules in section 3.2.2.1.2 with input parameter EndEntityDistinguishedName set equal to the requester's user object distinguished name (1) and retrieve the mailattribute (1) from the returned EndEntityAttributes output parameter."
Changed To:
"4. If CT_FLAG_SUBJECT_REQUIRE_EMAIL is set, the CA MUST set the Subject field of the issued certificate (1) as a DN (1) whose E component value is obtained from the value of the mail attribute (1) of the requestor's user object in the working directory (1). For this, the CA MUST invoke the processing rules in section 3.2.2.1.2 with input parameter EndEntityDistinguishedName set equal to the requester's user object distinguished name (1) and retrieve the mail attribute (1) from the returned EndEntityAttributes output parameter.
5. If the CT_FLAG_NO_SECURITY_EXTENSION flag is not set, the CA MUST add the szOID_NTDS_CA_SECURITY_EXT security extension, as specified in section 2.2.2.7.7.4, to the issued certificate with the value set to the string format of the objectSid attribute obtained from the requestor’s user object in the working directory. For this, the CA MUST invoke the processing rules in section 3.2.2.1.2, with input parameter EndEntityDistinguishedName set equal to the requester's user object distinguished name, and retrieve the objectSid attribute from the returned EndEntityAttributes output parameter."
Changed From:
"3. If CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set, then the CA MUST use the subject and subject alternative name information provided in the certificate (1) request. If no subject name is provided in the request, the CA MUST reject the request."
Changed To:
"3. If CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set, then the CA MUST use the subject and subject alternative name information provided in the certificate (1) request. If no subject name is provided in the request, the CA MUST reject the request.
4. If CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set and CT_FLAG_NO_SECURITY_EXTENSION is not set, then the CA MUST add the szOID_NTDS_CA_SECURITY_EXT security extension (section 2.2.2.7.7.4) to the issued certificate, that is, if it is provided as an extension in the request."
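The errata for sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9 above together say what the szOID_NTDS_CA_SECURITY_EXT value carries (an OtherName whose type-id is szOID_NTDS_OBJECTSID) and what the CA puts in it (the string form of the requestor's objectSid). The following Python is an added example, not code from MS-WCCE or from Microsoft: it DER-encodes the OtherName exactly as the page writes it, parses the SID back out with a small fault-tolerant DER walker, and performs the relying-party check that the embedded SID equals the objectSid of the account the certificate is mapped to. The `build_issued_form` helper encodes the layout seen in certificates issued by AD CS (the OtherName wrapped in a GeneralName [0] with an EXPLICIT [0] around the value); that layout comes from practice, not from this page, and every SID in the code is a constructed sample.

```python
"""Build, parse and check the szOID_NTDS_CA_SECURITY_EXT extension value.

Added example, not code from MS-WCCE or from Microsoft. It uses the OtherName
layout quoted in the erratum for section 2.2.2.7.7.4 and the rule from section
3.2.2.6.2.1.4.5.9 that the value is the string form of the requestor's
objectSid. All SIDs used here are constructed samples.
"""
import re

OID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"  # extension OID (from the page)
OID_NTDS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1"      # OtherName type-id (from the page)
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")           # string-form SID, e.g. S-1-5-21-...-1105

def der_length(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER contents octets for a dotted OID (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid (first arc 0 or 1 only, enough for these OIDs)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_security_ext_value(sid: str) -> bytes:
    """DER for the OtherName exactly as the page writes it:
    SEQUENCE { type-id szOID_NTDS_OBJECTSID, value OCTET STRING }."""
    return tlv(0x30, tlv(0x06, encode_oid(OID_NTDS_OBJECTSID)) + tlv(0x04, sid.encode("ascii")))

def build_issued_form(sid: str) -> bytes:
    """Assumption from practice, not from the page: certificates issued by AD CS
    wrap the OtherName in a GeneralName ([0] IMPLICIT) and the value in an
    EXPLICIT [0] tag. The parser below accepts both layouts."""
    inner = tlv(0x06, encode_oid(OID_NTDS_OBJECTSID)) + tlv(0xA0, tlv(0x04, sid.encode("ascii")))
    return tlv(0x30, tlv(0xA0, inner))

def read_tlv(buf: bytes, pos: int):
    """Decode one element at pos; returns (tag, contents, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln

def walk(buf: bytes):
    """Yield (tag, contents) depth-first, descending into constructed elements."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body
        if tag & 0x20:
            yield from walk(body)

def extract_sid(ext_value: bytes):
    """Return the SID string carried by the extension, or None if the value is
    malformed or does not contain the szOID_NTDS_OBJECTSID otherName."""
    seen_type_id = False
    try:
        for tag, body in walk(ext_value):
            if tag == 0x06 and decode_oid(body) == OID_NTDS_OBJECTSID:
                seen_type_id = True
            elif seen_type_id and tag == 0x04:
                return body.decode("ascii", errors="replace")
    except (IndexError, ValueError):
        return None
    return None

def sid_matches_account(ext_value: bytes, account_object_sid: str) -> bool:
    """Relying-party check: the certificate's SID must be well formed and equal
    the objectSid of the account the certificate is being mapped to."""
    sid = extract_sid(ext_value)
    return sid is not None and bool(SID_RE.match(sid)) and sid == account_object_sid
```

To use it against a real certificate, locate the extension with OID `OID_NTDS_CA_SECURITY_EXT` in the certificate's extension list and pass its raw value (the contents of the extension's OCTET STRING) to `extract_sid` or `sid_matches_account`. `extract_sid` returns `None` for truncated or unexpected DER instead of raising, so an inventory script can count certificates with a missing, malformed or mismatching SID extension rather than stopping at the first bad one.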
Errata Published*: 2022/05/10
Section 3.2.2.6.2.1.4.5.6 msPKI-Enrollment-Flag
Description: Updated client processing instructions to indicate that the CA MUST also enforce the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag when the conditions specified in new section 3.2.2.6.2.1.4.8 are met. Also revised client processing instructions to specify the conditions under which the subject alternative name (SAN) extension MUST be added to the new certificate being issued.
Changed From:
If this flag is set in the template:
● The CA MUST NOT enforce the signature processing rules specified for the following attributes: msPKI-RA-Signature, msPKI-RA-Policies, and msPKI-Application-Policy.
● The CA MUST ignore the CT_FLAG_PEND_ALL_REQUESTS flag.
Changed To:
If this flag is set in the template:
● The CA MUST NOT enforce the signature processing rules specified for the following attributes: msPKI-RA-Signature, msPKI-RA-Policies, and msPKI-Application-Policy.
● The CA MUST ignore the CT_FLAG_PEND_ALL_REQUESTS flag.
● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set and the old certificate, based on which reenrollment is occurring, contains the subject alternative name (SAN) extension, then the same SAN extension MUST be added to the new certificate being issued.
Section 3.2.2.6.2.1.4.8 CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT Enforcement Conditions
Description: Created new topic to specify the conditions that are required to be met before enforcing the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag, that is, when the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag is set in the template.
Changed From: ""
Changed To: "If the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag is set in the template, the CA MUST verify that all the following conditions are satisfied before enforcing the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag:
● The old certificate, based on which the reenrollment is occurring, MUST contain the Certificate Template OID extension, as specified in section 2.2.2.7.7.2.
● The TemplateID from the old certificate MUST match the TemplateID of the current template.
● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set, then the CA MUST verify that a subject name is supplied in the request, and that it matches the subject of the old certificate.
● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is not set, then the old certificate MUST contain the subject alternative name (SubjectAltName) extension.
● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is not set, then the SubjectAltName extension from the old certificate MUST contain either an rfc822Name or an otherName with OID szOID_NT_PRINCIPAL_NAME (1.3.6.1.4.1.311.20.2.3).
● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is not set and the SubjectAltName contains otherName, then the value of otherName MUST match the value of the userPrincipalName attribute from the requestor's user object in the working directory.
● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is not set and the SubjectAltName contains the rfc822Name, then the value of rfc822Name MUST match the value of the mail attribute from the requestor's user object in the working directory."
*Date format: YYYY/MM/DD
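The condition list for section 3.2.2.6.2.1.4.8 above, expressed as one decision function so that a CA policy module or an audit tool can report which condition blocks enforcement. This is an added example, not code from MS-WCCE or from Microsoft. The dataclasses, the placeholder TemplateID and the names used in the checks are constructed for illustration, and name matching is simplified to case-insensitive string equality, which is an assumption rather than a rule from the page.

```python
"""Check the preconditions for CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT.

Added example, not code from MS-WCCE or from Microsoft. It turns the condition
list from the erratum for section 3.2.2.6.2.1.4.8 into one decision function
over facts already parsed from the old certificate, the request and the
requestor's directory object. Dataclasses and sample values are constructed;
name matching is simplified to case-insensitive string equality (assumption).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

OID_NT_PRINCIPAL_NAME = "1.3.6.1.4.1.311.20.2.3"  # szOID_NT_PRINCIPAL_NAME (from the page)

@dataclass
class SubjectAltName:
    """The two SAN entry types the conditions refer to (other types ignored)."""
    rfc822_name: Optional[str] = None
    nt_principal_name: Optional[str] = None  # otherName with szOID_NT_PRINCIPAL_NAME

@dataclass
class OldCertificate:
    template_id: Optional[str]            # TemplateID from the Certificate Template OID extension; None if absent
    subject: str
    san: Optional[SubjectAltName] = None  # None when the SubjectAltName extension is absent

@dataclass
class ReenrollmentContext:
    template_id: str                      # TemplateID of the template used for this request
    enrollee_supplies_subject: bool       # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    request_subject: Optional[str]        # subject name supplied in the request, if any
    dir_user_principal_name: Optional[str]  # userPrincipalName of the requestor's user object
    dir_mail: Optional[str]               # mail attribute of the requestor's user object

def _same(a: Optional[str], b: Optional[str]) -> bool:
    """Simplified match: both present and equal ignoring case (assumption)."""
    return a is not None and b is not None and a.casefold() == b.casefold()

def may_enforce_validate_reenrollment(old: OldCertificate, ctx: ReenrollmentContext) -> Tuple[bool, str]:
    """Return (True, "ok") when every condition holds, else (False, first failing condition)."""
    if old.template_id is None:
        return False, "old certificate lacks the Certificate Template OID extension"
    if old.template_id != ctx.template_id:
        return False, "TemplateID of old certificate differs from current template"
    if ctx.enrollee_supplies_subject:
        # Only the subject-name conditions apply when the enrollee supplies the subject.
        if not ctx.request_subject:
            return False, "request supplies no subject name"
        if not _same(ctx.request_subject, old.subject):
            return False, "request subject differs from old certificate subject"
        return True, "ok"
    san = old.san
    if san is None:
        return False, "old certificate has no SubjectAltName extension"
    if san.rfc822_name is None and san.nt_principal_name is None:
        return False, "SubjectAltName carries neither rfc822Name nor szOID_NT_PRINCIPAL_NAME otherName"
    if san.nt_principal_name is not None and not _same(san.nt_principal_name, ctx.dir_user_principal_name):
        return False, "otherName UPN differs from directory userPrincipalName"
    if san.rfc822_name is not None and not _same(san.rfc822_name, ctx.dir_mail):
        return False, "rfc822Name differs from directory mail attribute"
    return True, "ok"
```

The checks are ordered as the page lists them, so the reason string names the earliest unmet condition; an audit report over a batch of reenrollment requests can group on that string to see which condition most often prevents enforcement.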