CertSrvPolicyModuleFlags Enumeration

Defines default policy module flags.

This enumeration has a FlagsAttribute attribute that allows a bitwise combination of its member values.

Definition

Namespace: SysadminsLV.PKI.Management.CertificateServices
Assembly: SysadminsLV.PKI.Win (in SysadminsLV.PKI.Win.dll) Version: 4.0.1.0 (4.0.1.0)
C#
[FlagsAttribute]
public enum CertSrvPolicyModuleFlags

Remarks

Not all CA versions support the full list of flags.

Members

None (0)

EnableRequestExtensions (1): Enables 'Enabled Request Extensions' list processing.

This flag is not enabled by default.

RequestExtensionList (2): N/A

This flag is enabled by default on both Standalone and Enterprise CAs.

DisableExtensionList (4): Enables 'Disabled Request Extensions' list processing. If the flag is enabled and the certificate request contains one or more extensions from this list, those extensions will be discarded.

This flag is enabled by default on both Standalone and Enterprise CAs.

AddOldKeyUsage (8): N/A

This flag is enabled by default on both Standalone and Enterprise CAs.

AddOldCertType (16): N/A

This flag is not enabled by default.

AttributeEndDate (32): Allows the certificate's validity end date to be specified. While certificate validity on Enterprise CAs is (mainly) determined by certificate template settings, Standalone CAs determine this value by the ValidityPeriod and ValidityPeriodUnits settings only. This flag allows the ValidityPeriod and ValidityPeriodUnits settings to be overridden when setting the certificate's validity.

Note: The EndDate value cannot exceed the ValidityPeriod and ValidityPeriodUnits settings.

This flag is enabled by default on Standalone CAs.

BasicConstraintsCritical (64): Marks the Basic Constraints extension as critical.

This flag is enabled by default on both Standalone and Enterprise CAs.

BasicConstraintsCA (128): Enables the Basic Constraints extension for CA certificates.

This flag is enabled by default on Standalone CAs.

EnableAKIKeyID (256): Enables the KeyID (issuer's public key hash) value to appear in the Authority Key Identifier (AKI) extension.

This flag is enabled by default on both Standalone and Enterprise CAs.

AttributeCA (512): N/A

This flag is enabled on Standalone CAs.

IgnoreRequestGroup (1,024): N/A

This flag is not enabled by default.

EnableAKIIssuerName (2,048): Enables the issuer name value to appear in the Authority Key Identifier (AKI) extension.

This flag is not enabled by default.

EnableAKIIssuerSerial (4,096): Enables the issuer certificate's serial number to appear in the Authority Key Identifier (AKI) extension.

This flag is not enabled by default.

EnableAKICritical (8,192): Marks the Authority Key Identifier (AKI) extension as critical.

This flag is not enabled by default.

ServerUpgraded (16,384): N/A

This flag is not enabled by default.

AttributeEKU (32,768): Allows the Enhanced Key Usage (EKU) extension to be passed as an unauthenticated request attribute (rather than being included as an authenticated extension in the request).

This flag is enabled by default on Standalone CAs.

EnableDefaultSMIME (65,536): N/A

This flag is enabled by default on Enterprise CAs.

EmailOptional (131,072): N/A

This flag is not enabled by default.

AttributeSubjectAlternativeName (262,144): Allows the Subject Alternative Name (SAN) extension to be passed as an unauthenticated request attribute (rather than being included as an authenticated extension in the request).

Note: Do not enable this flag on Enterprise CAs. Instead, include the SAN extension directly in the request.

This flag is not enabled by default.

EnableLDAPReferrals (524,288): Allows the Certification Authority (CA) to chase a referral for user or computer information in a trusted forest. When referrals are not chased and the user information is not available, the request will be denied if the user is enrolling from another forest. Referral chasing is not enabled by default, as unintended template enumeration and enrollment may occur in some scenarios.

This flag is necessary only for Cross-Forest Enrollment scenarios.

This flag is not enabled by default.

EnableChaseClientDC (1,048,576): N/A

This flag is enabled by default on Enterprise CAs.

AuditCertTemplateLoad (2,097,152): Enables auditing of template list loads from Active Directory.

This flag is not enabled by default.

DisableOldOSCNUPN (4,194,304): N/A

This flag is not enabled by default.

DisableLDAPPackageList (8,388,608): N/A

This flag is not enabled by default.

EnableUPNMap (16,777,216): N/A

This flag is not enabled by default.

EnableOCSPRevNoCheck (33,554,432): Enables the id-pkix-ocsp-nocheck extension in the request.

Windows Server 2003: this flag is not supported.

This flag is not enabled by default.

EnableRenewOnBehalfOf (67,108,864): Enables certificate renewal on behalf of another user or computer.

Windows Server 2003, Windows Server 2008: this flag is not supported.

This flag is not enabled by default.
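
For auditing a CA's configuration, the following added example (not part of the SysadminsLV.PKI library) decodes a numeric policy module flags value into the member names above and compares it with the per-CA-type defaults documented on this page. The helper names `names`, `audit`, `COMMON` and `DEFAULTS` are hypothetical, and the sample value is constructed.

```python
from enum import IntFlag

# Member names in bit order (bit 0 = 1 ... bit 26 = 67,108,864), as listed on this page.
_NAMES = """EnableRequestExtensions RequestExtensionList DisableExtensionList
AddOldKeyUsage AddOldCertType AttributeEndDate BasicConstraintsCritical
BasicConstraintsCA EnableAKIKeyID AttributeCA IgnoreRequestGroup
EnableAKIIssuerName EnableAKIIssuerSerial EnableAKICritical ServerUpgraded
AttributeEKU EnableDefaultSMIME EmailOptional AttributeSubjectAlternativeName
EnableLDAPReferrals EnableChaseClientDC AuditCertTemplateLoad DisableOldOSCNUPN
DisableLDAPPackageList EnableUPNMap EnableOCSPRevNoCheck EnableRenewOnBehalfOf""".split()
Flags = IntFlag("CertSrvPolicyModuleFlags", {n: 1 << i for i, n in enumerate(_NAMES)})
ALL = (1 << len(_NAMES)) - 1  # every bit this page documents

# Defaults assembled from the "enabled by default on ..." statements of each member.
COMMON = (Flags.RequestExtensionList | Flags.DisableExtensionList | Flags.AddOldKeyUsage
          | Flags.BasicConstraintsCritical | Flags.EnableAKIKeyID)
DEFAULTS = {
    "Standalone": COMMON | Flags.AttributeEndDate | Flags.BasicConstraintsCA
                  | Flags.AttributeCA | Flags.AttributeEKU,
    "Enterprise": COMMON | Flags.EnableDefaultSMIME | Flags.EnableChaseClientDC,
}

def names(value):
    """Return the names of all documented flags set in value."""
    return [f.name for f in Flags if value & f]

def audit(value, ca_type):
    """Compare a flags value with the documented defaults for ca_type."""
    default = int(DEFAULTS[ca_type])
    report = {
        "added": names(value & ~default),      # set, but not a documented default
        "removed": names(default & ~value),    # documented default, but cleared
        "unknown_bits": value & ~ALL,          # bits not described on this page
        "findings": [],
    }
    if ca_type == "Enterprise" and value & Flags.AttributeSubjectAlternativeName:
        report["findings"].append("AttributeSubjectAlternativeName set on an Enterprise CA: "
                                  "SAN is accepted as an unauthenticated request attribute")
    if value & Flags.EnableLDAPReferrals:
        report["findings"].append("EnableLDAPReferrals set: needed only for cross-forest enrollment")
    return report

if __name__ == "__main__":
    # Constructed value: Enterprise defaults plus AttributeSubjectAlternativeName.
    print(audit(0x15014E, "Enterprise"))
```
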
