[MS-WCCE]: Windows Client Certificate Enrollment Protocol

  • Article
  • 6 minutes to read

This topic lists the Errata found in [MS-WCCE] since it was last published. Since this topic is updated frequently, we recommend that you subscribe to these RSS or Atom feeds to receive update notifications.

Errata are subject to the same terms as the Open Specifications documentation referenced.

RSS

Atom

To view a PDF file of the errata for the previous versions of this document, see the following ERRATA Archives:

October 16, 2015 - Download

June 30, 2015 - Download

July 18, 2016 - Download

September 29, 2020 – Download

October 6, 2021 - Download

Errata below are for Protocol Document Version V47.0 – 2021/10/06.

Errata Published*

Description

2022/05/10

Section 2.2.2.7.7.4 szOID_NTDS_CA_SECURITY_EXT

Description: "Created new topic to define the szOID_NTDS_CA_SECURITY_EXT security extension for enhanced security protections. Also added operating system applicability [MSFT-CVE-2022-26931] for this security update."

Changed From:

""

Changed To:

"OID = 1.3.6.1.4.1.311.25.2.

Internal Name: szOID_NTDS_CA_SECURITY_EXT11.

Description: Contains objectSid of the Active Directory object whose information is being used to construct the subject information of an issued certificate. The CA MUST consider this extension from request attributes only when the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set on the corresponding certificate template object. See section 3.2.2.6.2.1.4.5.9 for specifics on how the CA processes this extension. This extension value MUST be DER-encoded ([X690]). The critical field for this extension SHOULD be set to FALSE.

szOID_NTDS_OBJECTSID: 1.3.6.1.4.1.311.25.2.1.

Format: The following is the ASN.1 format ([X690]) for this attribute.

OtherName ::= SEQUENCE {

type-id szOID_NTDS_OBJECTSID,

value    octet string}

11This security extension is supported by the operating systems specified in [MSFT-CVE-2022-26931], each with its related KB article download installed."

Section 2.3   Directory Service Schema Elements

Description: Added 'objectSid' descriptor to the Computer class and User class lists in the Class/Attribute table.

Changed From:

"Computer   cn

distinguishedName

dNSHostName

objectGuid

Changed To:

"Computer   cn

distinguishedName

dNSHostName

objectGuid

objectSid

Changed From:

"User   cn

distinguishedName

objectGuid

mail

userCertificate

userPrincipalName"

Changed To:

"User   cn

distinguishedName

objectGuid

objectSid

mail

userCertificate

userPrincipalName"

Section 3.2.2.1.2.1 Search Requests

Description: "Added the attribute 'objectSid' to the list of attributes that the CA should use for an LDAP SearchRequest message."

Changed From:

● mail

● objectGUID

● userPrincipalName

Changed To:

● mail

● objectGUID

● objectSid

● userPrincipalName

Section 3.2.2.1.3.1 Search Requests

Description: Added the attribute 'objectSid' to the list of attributes that the CA should use for an LDAP SearchRequest message.

Changed From:

● mail

● objectGUID

● userPrincipalName

Changed To:

● mail

● objectGUID

● objectSid

● userPrincipalName

Section 3.2.2.6.2.1.4.5.9 msPKI-Certificate-Name-Flag

Description: "Enhanced the processing instructions to specify that the CA must add the new szOID_NTDS_CA_SECURITY_EXT security extension to the issued certificate when the CT_FLAG_NO_SECURITY_EXTENSION flag is not set; and to do the same when the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set and CT_FLAG_NO_SECURITY_EXTENSION is not set."

Changed From:

"4. If CT_FLAG_SUBJECT_REQUIRE_EMAIL is set, the CA MUST set the Subject field of the issued certificate (1) as a DN (1) whose E component value is obtained from the value of the mail attribute (1) of the requestor's user object in the working directory (1). For this, the CA MUST invoke the processing rules in section 3.2.2.1.2 with input parameter EndEntityDistinguishedName set equal to the requester's user object distinguished name (1) and retrieve the mailattribute (1)​ from the returned EndEntityAttributes output parameter."

Changed To:

"4. If CT_FLAG_SUBJECT_REQUIRE_EMAIL is set, the CA MUST set the Subject field of the issued certificate (1) as a DN (1) whose E component value is obtained from the value of the mail attribute (1) of the requestor's user object in the working directory (1). For this, the CA MUST invoke the processing rules in section 3.2.2.1.2 with input parameter EndEntityDistinguishedName set equal to the requester's user object distinguished name (1) and retrieve the mail attribute (1) from the returned EndEntityAttributes output parameter.

5. If the CT_FLAG_NO_SECURITY_EXTENSION flag is not set, the CA MUST add the szOID_NTDS_CA_SECURITY_EXT security extension, as specified in section 2.2.2.7.7.4, to the issued certificate with the value set to the string format of the objectSid attribute obtained from the requestor’s user object in the working directory. For this, the CA MUST invoke the processing rules in section 3.2.2.1.2, with input parameter EndEntityDistinguishedName set equal to the requester's user object distinguished name, and retrieve the objectSid attribute from the returned EndEntityAttributes output parameter."

Changed From:

"3. If CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set, then the CA MUST use the subject and subject alternative name information provided in the certificate (1) request. If no subject name is provided in the request, the CA MUST reject the request."

Changed To:

"3. If CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set, then the CA MUST use the subject and subject alternative name information provided in the certificate (1) request. If no subject name is provided in the request, the CA MUST reject the request.

4. If CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set and CT_FLAG_NO_SECURITY_EXTENSION is not set, then the CA MUST add the szOID_NTDS_CA_SECURITY_EXT security extension (section 2.2.2.7.7.4) to the issued certificate, that is, if it is provided as an extension in the request."

2022/05/10

In Section 3.2.2.6.2.1.4.5.6 msPKI-Enrollment-Flag

Description: Updated client processing instructions to indicate that the CA MUST also enforce the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag when the conditions specified in new section 3.2.2.6.2.1.4.8 are met.

Also revised client processing instructions to specify the conditions under which the subject alternative name (SAN) extension MUST be added to the new certificate being issued.

Changed From:

Flag

Client processing

0x00000040  CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT

The CA MUST enforce this flag only for certificate renewal requests.

If this flag is set in the template:

● The CA MUST NOT enforce the  signature processing rules specified for the following attributes:  msPKI-RA-Signature, msPKI-RA-Policies, and msPKI-Application-Policy.

● The CA MUST ignore the  CT_FLAG_PEND_ALL_REQUESTS flag.

Changed To:

Flag

Client processing

0x00000040  CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT

The CA MUST enforce this flag only for certificate renewal requests and  only when the conditions specified in section 3.2.2.6.2.1.4.8 are met.

If this flag is set in the template:

● The CA MUST NOT enforce the  signature processing rules specified for the following attributes:  msPKI-RA-Signature, msPKI-RA-Policies, and msPKI-Application-Policy.

● The CA MUST ignore the  CT_FLAG_PEND_ALL_REQUESTS flag.

● If the  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set and the old certificate, based on  which reenrollment is occurring, contains the subject alternative name (SAN)  extension, then the same SAN extension MUST be added to the new certificate  being issued.

In Section 3.2.2.6.2.1.4.8 CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT Enforcement Conditions

Description: Created new topic to specify the conditions that are required to be met before enforcing the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag, that is, if the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag is set in the template.

Changed From:

""

Changed To:

"If the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag is set in the template, the CA MUST verify that all the following conditions are satisfied before enforcing the CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag:

● The old certificate, based on which the reenrollment is occurring, MUST contain the Certificate Template OID extension, as specified in section 2.2.2.7.7.2.

● The TemplateID from the old certificate MUST match the TemplateID of the current template.

● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set, then the CA MUST verify that subject name is supplied in the request, and that it matches with the subject of the old certificate.

● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is not set, then the old certificate MUST contain the subject alternative name (SubjectAltName) extension.

● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is not set, then the SubjectAltName extension from the old certificate MUST contain either an rfc822Name or otherName with OID szOID_NT_PRINCIPAL_NAME (1.3.6.1.4.1.311.20.2.3).

● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is not set and the SubjectAltName contains otherName, then the value of otherName MUST match the value of the userPrincipalName attribute from the requestor's user object in the working directory.

● If the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is not set, and the SubjectAltName contains the rfc822Name, then the value of rfc822Name MUST match the value of the mail attribute from the requestor's user object in the working directory."

*Date format: YYYY/MM/DD