[MS-CRTD]: Certificate Templates Structure

This topic lists Errata found in [MS-CRTD] since it was last published. Since this topic is updated frequently, we recommend that you subscribe to this RSS feed to receive update notifications.

Errata are subject to the same terms as the Open Specifications documentation referenced.

To view a PDF file of the errata for the previous versions of this document, see the following ERRATA Archives:

April 7, 2021 - Download

Errata below are for Protocol Document Version V26.0 – 2021/06/25.

Errata Published*

Description

2022/06/28

In Section 2.4 flags Attribute:

Description: "Updated the value of the CT_FLAG_DONOTPERSISTINDB flag from 0x00000400 to 0x00001000."

Changed from:

"0x00000400

CT_FLAG_DONOTPERSISTINDB

This flag indicates that the record of a certificate (1) request for a certificate (1) that is issued need not be persisted by the CA."

Changed to:

"0x00001000

CT_FLAG_DONOTPERSISTINDB

This flag indicates that the record of a certificate (1) request for a certificate (1) that is issued need not be persisted by the CA."

2022/06/14

In Section 2.4 flags Attribute:

Description: "Updated the value of the CT_FLAG_DONOTPERSISTINDB flag from 0x00000400 to 0x00001000."

Changed from:

"0x00000400

CT_FLAG_DONOTPERSISTINDB

This flag indicates that the record of a certificate (1) request for a certificate (1) that is issued need not be persisted by the CA."

Changed to:

"0x00001000

CT_FLAG_DONOTPERSISTINDB

This flag indicates that the record of a certificate (1) request for a certificate (1) that is issued need not be persisted by the CA."

2022/05/10

Section 2.26 msPKI-Enrollment-Flag Attribute

Description: "Added the CT_FLAG_NO_SECURITY_EXTENSION (0x00080000) enrollment flag that instructs the CA to not include security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2) in the issued certificate. Also added operating system applicability [MSFT-CVE-2022-26931] for this security update."

Changed from:

Flag: 0x00040000 CT_FLAG_SKIP_AUTO_RENEWAL
Meaning: This flag indicates that the certificate should not be auto-renewed, although it has a valid template.

Changed to:

Flag: 0x00040000 CT_FLAG_SKIP_AUTO_RENEWAL
Meaning: This flag indicates that the certificate should not be auto-renewed, although it has a valid template.

Flag: 0x00080000 CT_FLAG_NO_SECURITY_EXTENSION
Meaning: This flag [34] instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate.

[34] This flag is supported by the operating systems specified in [MSFT-CVE-2022-26931], each with its related KB article download installed.

2021/07/27

In Section 2.27 msPKI-Private-Key-Flag Attribute, replaced normative reference [PKCS12] with [RFC7292].

Changed from:

Flag: 0x00000010 CT_FLAG_EXPORTABLE_KEY
Meaning: This flag instructs the client to allow other applications to copy the private key to a .pfx file, as specified in [PKCS12], at a later time.

Changed to:

Flag: 0x00000010 CT_FLAG_EXPORTABLE_KEY
Meaning: This flag instructs the client to allow other applications to copy the private key to a .pfx file, as specified in [RFC7292], at a later time.

*Date format: YYYY/MM/DD
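
Added example (not part of [MS-CRTD] or its errata): a Python sketch that decodes the three template attributes touched above using only the flag values listed on this page, including the corrected CT_FLAG_DONOTPERSISTINDB value. The template records, the REVIEW set and the function names are constructed for illustration, and the signed-to-unsigned step assumes the values arrive from an LDAP export as signed decimal strings.

```python
# Added example; flag values are the ones listed in the errata above.
KNOWN = {
    "flags": {0x00001000: "CT_FLAG_DONOTPERSISTINDB"},  # corrected from 0x00000400
    "msPKI-Enrollment-Flag": {
        0x00040000: "CT_FLAG_SKIP_AUTO_RENEWAL",
        0x00080000: "CT_FLAG_NO_SECURITY_EXTENSION",
    },
    "msPKI-Private-Key-Flag": {0x00000010: "CT_FLAG_EXPORTABLE_KEY"},
}
# Flags surfaced for review (a choice made for this example, not from the spec).
REVIEW = {"CT_FLAG_DONOTPERSISTINDB", "CT_FLAG_NO_SECURITY_EXTENSION",
          "CT_FLAG_EXPORTABLE_KEY"}

# Constructed template records, shaped like an LDAP export (signed decimal strings).
SAMPLE = [
    {"cn": "Constructed-A", "flags": "4096",
     "msPKI-Enrollment-Flag": "524288", "msPKI-Private-Key-Flag": "16"},
    {"cn": "Constructed-B", "flags": "1024",
     "msPKI-Enrollment-Flag": "262144", "msPKI-Private-Key-Flag": "0"},
]


def decode(attr, value):
    """Return (known flag names set, leftover bits not in KNOWN[attr])."""
    bits = int(value) & 0xFFFFFFFF  # signed 32-bit integer -> unsigned bit field
    names = [name for mask, name in sorted(KNOWN[attr].items()) if bits & mask]
    for mask in KNOWN[attr]:
        bits &= ~mask
    return names, bits


def audit(template):
    """List (attribute, flag) pairs in REVIEW that are set on one template."""
    findings = []
    for attr in KNOWN:
        if attr in template:
            names, _ = decode(attr, template[attr])
            findings += [(attr, n) for n in names if n in REVIEW]
    return findings


if __name__ == "__main__":
    for t in SAMPLE:
        print(t["cn"], audit(t))
        # A decoder still using 0x00000400 would report Constructed-B as
        # CT_FLAG_DONOTPERSISTINDB; here that bit is left over as unknown.
        print("  flags leftover bits:", hex(decode("flags", t["flags"])[1]))
```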