[Version] Signature= "$Windows NT$" ; =========================================================== ; Request Attributes ; top level section ; =========================================================== [RequestAttributes] AttributeName1 = AttributeValue1 AttributeName2 = AttributeValue2 ; =========================================================== ; NameConstraintsExcluded Name Constraints Extension ; szOID_NAME_CONSTRAINTS 2.5.29.30 ; top level section ; =========================================================== [NameConstraintsExtension] Include = NameConstraintsPermitted Exclude = NameConstraintsExcluded Critical = FaLse [NameConstraintsPermitted] ; list of user defined permitted DNS names ; the numeric second and third arguments are optional ; when present, the second argument is the minimum depth ; when present, the third argument is the maximum depth ; NOTE: Crypto APIs fail to process cert chains when the minimum or maximum ; depth is specified! DNS = foo@domain.com DNS = domain1.domain.com email=me@you.com UPN=user@domain.com ; the first is an IP address, the second is an IP address mask IPADDRESS=255.255.18.172,255.255.255.0 ipaddress=::255.255.18.172,::255.255.255.0 ipaddress=1234:5678:9abc:def0:3210:7654:ba98:fedc,1234:5678:9abc:def0:3210:7654:ba98:fedc ipaddress=::5678:9abc:def0:3210:7654:ba98:fedc,1234:5678:9abc:def0:3210:7654:ba98:fedc ipaddress=1234::def0:3210:7654:ba98:fedc,1234:5678:9abc:def0:3210:7654:ba98:fedc ipaddress=1234:5678:9abc:def0:3210:7654:ba98::,1234:5678:9abc:def0:3210:7654:ba98:fedc ipaddress=1234:5678:9abc:def0:3210:7654::,1234:5678:9abc:def0:3210:7654:ba98:fedc OtherName=1.2.3.4.99.100,{utf8}ssss OtherName=1.2.3.4.99.101,{octet}ABCD OtherName=1.2.3.4.99.102,"{asn}BAgAAQIDBAUGBw==" OtherName=1.2.3.4.99.108 RegisteredId=1.2.3.4.5.6.7.8.999 url=http://localhost/certsrv/default.html url=file://\\localhost\certsrv\default.html DIRECTORYNAME = "cn=mycn,ou=myou,s=mystate,c=us" [NameConstraintsExcluded] ; list of user defined excluded DNS names DNS = domain.com IPADDRESS=255.255.18.172,255.255.255.0 IPADDRESS=1.2.3.4,255.254.253.0 ; =========================================================== ; Policy (CPS) Extension ; szOID_CERT_POLICIES 2.5.29.32 ; top level section ; =========================================================== [PolicyStatementExtension] ; list of user defined policies Policies = LegalPolicy, LimitedUsePolicy, ExtraPolicy, OIDPolicy CRITICAL = FALSE [LegalPolicy] ; each policy has one OID, and zero or more Notice and URL keys OID = 1.3.6.1.4.1.311.21.43 ; Stay away from the maximum line length of about 512 characters, ; including the "Notice = " ; Notice text may be continued as needed: Notice = "Legal" _continue_ = " policy" _continue_ = " statement" _continue_ = " text." [LimitedUsePolicy] OID = 1.3.6.1.4.1.311.21.47 URL = "http://http.site.com/some where/default.asp" URL = "ftp://ftp.site.com/some where else/default.asp" Notice = "Limited use policy statement text." URL = "ldap://ldap.site.com/some where else again/default.asp" [ExtraPolicy] OID = 1.3.6.1.4.1.311.21.53 URL = http://extra.site.com/Extra Policy/default.asp [oidpolicy] OID = 1.3.6.1.4.1.311.21.55 ; =========================================================== ; Policy Mapping Extension ; szOID_POLICY_MAPPINGS 2.5.29.33 ; top level section ; =========================================================== [PolicyMappingsExtension] ; list of user defined policy mappings ; first OID is Issuer Domain Policy OID, second is Subject Domain Policy OID ; each entry maps one foreign policy OID to local 1.3.6.1.4.1.311.21.53 = 1.2.3.4.87 1.3.6.1.4.1.311.21.54 = 1.2.3.4.89 critical = nO ; =========================================================== ; Policy Constraints Extension ; szOID_POLICY_CONSTRAINTS 2.5.29.36 ; top level section ; =========================================================== [PolicyConstraintsExtension] ; consists of two optional DWORDs ; They refer to the depth of the CA hierarchy that requires explicit policy ; and inhibits Policy Mapping RequireExplicitPolicy = 3 InhibitPolicyMapping = 5 ; =========================================================== ; Application Policy (CPS) Extension ; szOID_APPLICATION_CERT_POLICIES 1.3.6.1.4.1.311.21.10 ; top level section ; =========================================================== [ApplicationPolicyStatementExtension] ; list of user defined policies Policies = AppLegalPolicy, AppLimitedUsePolicy, AppExtraPolicy, AppOIDPolicy CRITICAL = FALSE [AppLegalPolicy] ; each policy has one OID, and zero or more Notice and URL keys OID = 1.3.6.1.4.1.311.21.54 Notice = "Application Legal policy statement text" [AppLimitedUsePolicy] OID = 1.3.6.1.4.1.311.21.58 URL = "http://http.site.com/application some where/default.asp" URL = "ftp://ftp.site.com/application some where else/default.asp" Notice = "Application Limited use policy statement text." URL = "ldap://ldap.site.com/application some where else again/default.asp" [AppExtraPolicy] OID = 1.3.6.1.4.1.311.21.64 URL = http://extra.site.com/Application Extra Policy/default.asp [Appoidpolicy] OID = 1.3.6.1.4.1.311.21.66 ; =========================================================== ; Application Policy Mapping Extension ; szOID_APPLICATION_POLICY_MAPPINGS 1.3.6.1.4.1.311.21.11 ; top level section ; =========================================================== [ApplicationPolicyMappingsExtension] ; list of user defined application policy mappings ; first OID is Issuer Domain Policy OID, second is Subject Domain Policy OID ; each entry maps one foreign policy OID to local 1.3.6.1.4.1.311.21.64 = 1.2.3.4.98 1.3.6.1.4.1.311.21.65 = 1.2.3.4.100 critical = 0 ; =========================================================== ; Application Policy Constraints Extension ; szOID_APPLICATION_POLICY_CONSTRAINTS 1.3.6.1.4.1.311.21.12 ; top level section ; =========================================================== [ApplicationPolicyConstraintsExtension] ; consists of two optional DWORDs ; They refer to the depth of the CA hierarchy that requires explicit policy ; and inhibits Policy Mapping RequireExplicitPolicy = 6 InhibitPolicyMapping = 10 ; =========================================================== ; Basic Constraints Extension ; szOID_BASIC_CONSTRAINTS2 2.5.29.19 ; top level section ; =========================================================== [BasicConstraintsExtension] ; Subject Type is not supported always set to CA ; maximum subordinate CA path length PathLength = 3 [EnhancedKeyUsageExtension] ;OID = 1.3.6.1.4.1.311.21.6 ; szOID_KP_KEY_RECOVERY_AGENT ;OID = 1.3.6.1.4.1.311.10.3.9 ; szOID_ROOT_LIST_SIGNER ;OID = 1.3.6.1.4.1.311.10.3.1 ; szOID_KP_CTL_USAGE_SIGNING ; The following match the [ApplicationPolicyStatementExtension] section: OID = 1.3.6.1.4.1.311.21.54 OID = 1.3.6.1.4.1.311.21.58 OID = 1.3.6.1.4.1.311.21.64 OID = 1.3.6.1.4.1.311.21.66 CriticAL = faLSe ; =========================================================== ; Cross Certificate Distribution Points Extension ; szOID_CROSS_CERT_DIST_POINTS 1.3.6.1.4.1.311.10.9.1 ; top level section ; =========================================================== [CrossCertificateDistributionPointsExtension] SyncDeltaTime = 24 URL = http://%1/Public/My CA.crt URL = ftp://foo.com/Public/MyCA.crt URL = file://\\%1\Public\My CA.crt CriticAL = falSe