
keyon / true-Xtender Policy Module V2.3.3 User Guide


Contents

Data Lookup Tags
adsquery
Text Transformation Tags
iptohexstring
uuidtohexstring
base64tohexstring
ASN.1 Basic Types
character string types
date string types
bitstring
enumerated
set  108
explicit  109
ASN.1 Raw Data  110
Unsupported ASN.1 Types  111
Using a custom extension definition to enforce subject name requirements  111
Using a custom extension definition to enforce subjectAltName extension requirements
The backup folder (e.g. C:\Program Files\trueXtender\backup\20070307_204934) contains a Registry folder and the restore.vbs script.

Restore the selected backup by double-clicking the restore.vbs script. After the backup is restored, the following dialog is shown to remind you to restart Microsoft Certificate Services to activate the restored configuration:

    trueXtender configuration restored. Please restart certificate services.

Restoring a backup will overwrite the current true Xtender configuration and restore all custom extension files that are contained in the backup. Note that the custom extension files are restored to their original location, thereby overwriting any present files.

Configuration

Using the true Xtender configuration application

Start the true Xtender configuration by selecting Start > All Programs > true Xtender > Configure true Xtender.
Select the Policy Module tab in the CA properties dialog (e.g. "Demo Standalone Root Properties") to view the currently active policy module. Select Properties to open the true Xtender configuration. This applies to both a Standalone CA and an Enterprise CA.

Template Processing

The keyon true Xtender Properties dialog has the tabs Template Processing, Delegate Policy Configuration, License and About. The Template Processing tab shows the available certificate templates (e.g. Administrator, Root Certification Authority, CA Exchange, CEP Encryption, Trust List Signing, Authenticated Session, Code Signing, Cross Certification Authority, Directory Email Replication, Domain Controller, Domain Controller Authentication, Basic EFS, EFS Recovery Agent, Enrollment Agent, Exchange Enrollment Agent (Offline request), Exchange User, Exchange Signature Only, IPSec (Offline request), IPSec, Key Recovery Agent) and whether a specific certificate template is configured for processing by true Xtender. The Add, Edit and Remove buttons manage the configured templates.
Standard to dump and convert X.509 certificates: http://www.openssl.org

The following documents are useful when specifying X.509 certificates and extensions:

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, http://www.ietf.org/rfc/rfc3280.txt

ITU-T X.690, SERIES X: DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS, OSI networking and system aspects, Abstract Syntax Notation One (ASN.1). Information technology, ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER), http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf

ASN.1, Communication between heterogeneous systems, by Olivier Dubuisson, http://asn1.elibel.tm.fr/en/book/ and http://www.oss.com/asn1/booksintro.htm

[ASN 3] ASN.1 Complete, by Prof. John Larmouth, http://www.oss.com/asn1/larmouth.html
[REGEXP 1] Explanation of regular expressions: http://en.wikipedia.org/wiki/Regular_expression
[REGEXP 2] Tutorial for regular expressions as supported by true Xtender: http://www.regexlab.com/en/regref.htm
[REGEXP 3] Library of regular expressions: http://regexlib.com
[ADS 1] LDAP ADsPath specification: http://msdn.microsoft.com/en-us/library/aa746384(v=VS.85).aspx
[ADS 2] LDAP Search Filter Syntax: http://msdn.microsoft.com/en-us/library/aa746475(v=VS.85).aspx
Microsoft PKI: keyon true Xtender Policy Module V2.3.3 User Guide, V1.1, December 2014

Copyright 2014 by keyon AG. All rights reserved. No part of the contents of this manual may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Trademark Notice: keyon is a registered trademark of keyon AG in Switzerland and/or other countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

Table of contents

What is the keyon true Xtender  8
Key Features  8
Request processing with true Xtender  9
Configure Certificate Services for keyon true Xtender  11
Backup and restore
Make sure that the name of the temporary variable specified with define is unique and does not overwrite any other existing variable.

Samples

    <define name="dnsNamesVar"><requestattribute name="dnsNames"/></define>
    <sequence includeempty="false">
      <foreach name="dnsNamesVar" delimiters="…" define="myDnsName">
        <ia5string tag="2"><insert name="myDnsName"/></ia5string>
      </foreach>
    </sequence>

This construct would create a sequence of dNSName entries for a SubjectAltName extension by tokenizing the delimited contents of the dnsNames request attribute.

foreachrequestrdn Tag

Tag name: foreachrequestrdn
Enclosed content: Only enclosed tags are allowed. For each RDN matching the given OID in the request DN, a temporary variable with the RDN content is defined and the enclosed tags are evaluated.

Parameters

Tag parameter / Presence / Description
oid / mandatory / The OID identifying the RDN elements to enumerate. If no RDN with the given OID is present, the enclosed tags are not evaluated. See requestrdn for a list of OIDs for the most common RDN elements.
define / mandatory / The name of the temporary variable to define with the RDN content. This variable is only available to the enclosed tags.
reverse / optional / If true, reverses the order in which the RDNs found in the request DN are passed to the enclosed tags. If not defined or false, RDNs are processed in the order they appear in the request DN.
    LDAP://HostName[:PortNumber][/DistinguishedName]
    GC://HostName[:PortNumber][/DistinguishedName]

Note: The left and right bracket characters indicate optional parameters; they are not a literal part of the binding string.

The protocol string (LDAP, GC) is case sensitive. The HostName can be a computer name, an IP address or a domain name. A server name can also be specified in the binding string. The PortNumber specifies the port to be used for the connection. The default port number is 389 if not using an SSL connection, or 636 if using an SSL connection. The DistinguishedName specifies the distinguished name of a specific object. A distinguished name for a given object is guaranteed to be unique.

The following table gives some examples of binding strings:

LDAP ADsPath example / Description
GC://keyon.ch / Bind to a Global Catalog server in the domain keyon.ch
LDAP://keyon.ch / Bind to an Active Directory server in the domain keyon.ch
LDAP://server01:390 / Bind to a specific server using the specified port number
LDAP://CN=users,DC=keyon,DC=ch / Bind to a specific object
LDAP://server01/CN=users,DC=keyon,DC=ch / Bind to a specific object through a specific server

Not all attributes are available in the Global Catalog. Please check the Microsoft Software Developers Network (MSDN) for details on which attributes are available in the Global Catalog and which are only available
RDN parts of the original request, request attributes and fixed parts to build the intended subject RDN elements.

The Subject DN Building tab (next to Custom X.509 Extensions, Allowed X.509 Extensions and Certificate Template Info) lists the Ordered RDN Components, for example:

    dc=ch
    dc=keyon
    cn=<RequestRDN 2.5.4.3 1>

Enter a new RDN and click Insert to add it to the list; use Up, Down and Remove to reorder or delete entries. You can use the following statements for variable replacements in the RDN:

    <RequestAttribute name>
    <RequestRDN oid element>

The RDN OID Lookup helps finding the OID of an RDN. If you do not specify any RDN elements ("no entries"), the subject DN from the original request will be used.

Directory Information Tree, RDNs and Distinguished Names

The directory information tree (DIT) provides a way to refer to the data stored in an X.500 or LDAP directory.

(Figure: directory information tree containing entries such as O=freecerts, OU=sales, CN=John Doe and CN=www.keyon.ch)

A distinguished name (DN) is the string representation of an entry's name and location in a directory. A DN describes a path to exactly one directory entry and is made up of a number of components called relative distinguished names (RDNs). Each RDN identifies a specific entry in the directory. The highlighted path in the DIT shown above is described by the following DN, which is made up of the three RDNs C, O and CN:

    C=CH, O=keyon, CN=www.keyon.ch
Certificate Template Info

The Certificate Template Info tab shows the template names and allows enabling or disabling the processing by the keyon true Xtender for this certificate template. The template properties dialog has the tabs Custom X.509 Extensions, Allowed X.509 Extensions, Certificate Template Info and Subject DN Building. Example values shown on the tab:

    Internal Template Name: SmartcardLogon
    Template Display Name: Smartcard Logon
    Template OID: 1.3.6.1.4.1.311.21.8.16421240.10186861.5128606.2397624.4817905.46

The Internal Template Name is the certificate template specification to use when creating the certificate request, while the Template Display Name is the friendly name shown in the Certificate Services management console.

Enabling or disabling processing of this template

Select "Process certificate requests for this template" if you want to modify the issued certificates with the keyon true Xtender. If this checkbox is not selected, certificate requests for the certificate template are not processed by true Xtender.

Subject DN Building

The Subject DN Building tab allows customizing the DN of the issued certificate. The resulting DN may use relative distinguished name
[RFC2254] The String Representation of LDAP Search Filters: http://www.ietf.org/rfc/rfc2254.txt
[MS-WCCE] Windows Client Certificate Enrollment Protocol Specification: http://msdn.microsoft.com/en-us/library/cc249879(v=prot.13).aspx
OID repositories: http://www.alvestrand.no/objectid/top.html and http://asn1.elibel.tm.fr/oid/index.htm
... current locale
%y / Year without century, as decimal number (00-99)
%Y / Year with century, as decimal number
%Z / Time zone name or abbreviation; no characters if the time zone is unknown

E.g. the format string "%d.%m.%Y %H:%M:%S" will create a date string like "18.01.2007 23:00:00". For the ASN.1 GeneralizedTime tag the format to use would be "%Y%m%d%H%M%SZ". For the ASN.1 UTCTime tag the format to use would be "%y%m%d%H%M%SZ".

Parameters

Tag parameter / Presence / Description
offset / optional / A positive or negative offset in seconds that is added to the current time before formatting the date.
round / optional / If defined, the time (with the optional added offset) is rounded to the next multiple of round. If round is e.g. 60, the seconds part of the inserted date will always be 0. If offset is set to -3600 and round is set to 3600, the date string will contain the latest full hour before the current date.

Samples

    <generalizedtime><timenow/></generalizedtime>
    <ia5string><timenow offset="31536000">%d.%m.%Y %H:%M:%S</timenow></ia5string>

timenowutc Tag

Tag name: timenowutc
Enclosed content: Text or tags that insert text which form a date format. No enclosed ASN.1 tags are allowed. The current time in UTC is formatted according to the enclosed format. If the tag is enclosed in an ASN.1 utctime or generalizedtime tag, the correct d
An exception will be thrown if the Active Directory Services are not available, the binding information is incorrect or the search filter is invalid. If no results are found matching the filter, no exception is thrown and an empty string is inserted into the enclosing tag. You can use the define and ifnot tags to detect this condition.

To define the contents for placeholders in the search filter, you can either define variables before using adsquery or add placeholder tags to the adsquery tag. If a placeholder tag is used, a local variable is defined that is only visible in the scope of the adsquery tag.

Sub Tag

Tag name: placeholder
Enclosed content: Only string contents and tags that insert string contents are allowed. No enclosed ASN.1 tags are allowed. Inserts the contents into the placeholder in the search filter. Whitespace at the beginning and end of the contents is removed.

Parameters

Tag parameter / Presence / Description
name / mandatory / The name of the placeholder in the search filter which will be replaced by the contents.

If the contents of a placeholder tag evaluate to an empty string, a variable with the same name is inserted instead, if defined. If a placeholder in the search filter cannot be replaced with a non-empty string, an exception will be thrown.

Binding strings

The LDAP ADsPath (see [ADS 1]) requires the following format for the binding string:

    LDAP://HostName[:PortNumber][/DistinguishedName]
Select the requested RDN from the drop-down list and it will be entered into the edit field (RDN OID Lookup, e.g. CN = 2.5.4.3). You can now select the OID part and use Ctrl+C or right-click > Copy to copy the OID to the clipboard.

Removing a RDN element

In order to remove a RDN element, select the element and click the Remove button.

Edit a RDN element

You cannot currently edit RDN elements in the list. If you would like to change a RDN element, remove the RDN element first and add the changed RDN element again.

Reorder RDN elements

To reorder the RDN elements, select the RDN element you would like to move and use the Up and Down buttons to change the position in the RDN order.

The order of RDNs is not completely defined by this dialog but by a registry setting of Certificate Services, which affects all certificates issued as well. The resulting subject DN will by default always use the following hierarchical order for RDN elements:

    Country, DomainComponent, State, Locality, Organization, OrganizationalUnit, CommonName, Email

The order within one hierarchy element (e.g. DC) can however be defined with the keyon true Xtender. Note that other orders of the hierarchy would not make sense in most cases and would certainly not be X.500 compliant. By editing the following registry entry it is possible to change this
Tag name: utctime, generalizedtime
Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. Leading and trailing whitespace is removed. Consult the ASN.1 reference manual for details on valid date strings. Note that the special tags timenow and timenowutc can be used to insert a correctly formatted date string with the current system time.

You must ensure that the date string given represents a valid ASN.1 date string for the selected type. If you enclose a timenow or timenowutc tag, a correct date string will be used.

Parameters

Tag parameter / Presence / Description
tag / optional / If defined, the ASN.1 object is implicitly tagged with the given context-specific tag.

Samples

    <generalizedtime>20010101010203Z</generalizedtime>

Generated ASN.1 representation: GeneralizedTime 20010101010203Z

    <utctime><timenowutc/></utctime>

Inserts the current system time in UTC. E.g. for January 18, 2007, 18:26:36 local time in Switzerland (GMT+1), the following date would be inserted: UTCTime 070118172636Z

bitstring Tag

Tag name: bitstring
Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. The expanded text must only contain 0 and 1 characters. The order is least significant bit first.

Parameters

Tag parameter / Presence / Description
    ...person objectClass user>
      <placeholder name="1"><requestattribute name="logonName"/></placeholder>
    </adsquery>

This will search a user record in the domain of which the Certificate Services server is a member, with a sAMAccountName attribute value that is equal to the contents of the request attribute logonName. If exactly one user record is found, the contents of the constructed distinguishedName attribute are inserted into the enclosing tag.

Text Transformation Tags

toupper Tag

Tag name: toupper
Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. The expanded text will be converted to uppercase.
Parameters: none.

Samples

    <toupper><requestattribute name="logonid"/></toupper>

tolower Tag

Tag name: tolower
Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. The expanded text will be converted to lowercase.
Parameters: none.

Samples

    <tolower><requestattribute name="email"/></tolower>

reversedn Tag

Tag name: reversedn
Enclosed content: Only text or tags that insert text are a
[:graph:] / Match any printable ASCII character excluding space (\x21-\x7E)
[:punct:] / Match any printable ASCII character excluding alnum
[:upper:] / Match any uppercase alpha character (A-Z)
[:xdigit:] / Match any hex digit (0-9, A-F, a-f)
[:lower:] / Match any lowercase alpha character (a-z)
[:blank:] / Match space or tab (\x20, \x09)

Notes: If [ is followed by ^, it will invert the match; all characters but the ones in the set will match in this case. If the match mode is SINGLELINE, the dot can match any character, including newline.

Custom defined character sets

Custom character sets will match any of the characters defined using [ ]. Use [^ ] to define a negative set, which will match any character not in the set.

Notes: Special characters lose their special meaning when part of a character set. Standard character sets can be added into custom character sets; for example [\d] will match any of 0-9, and POSIX character sets can be added into custom character sets as well. Use the minus character to define a range of characters to add to the set; for example [\dA-Fa-f] will match any of 0123456789, ABCDEF and abcdef. Character sets are case sensitive even if IGNORECASE mode is used.

Repeat quantifiers

Match another expression multiple times. By default a quantified sub-pattern is greedy, i.e. it will match as many times as possible given a particular starting location while sti
    ...<requestattribute name="ip"/></iptohexstring></octetstring>

Would insert a tagged octetstring with the binary representation of the IP address stored in the request attribute ip:

    10.20.30.40 -> 0A141E28
    FE80::0202:b3ff:fe1e:8329 -> FE800000000000000202B3FFFE1E8329

uuidtohexstring Tag

Tag name: uuidtohexstring
Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. The expanded text will be considered a UUID and the binary representation of the UUID is returned as a hex string, e.g. for use in the octetstring tag.
Parameters: none.

An exception is thrown if the expanded text is not a valid UUID of the form XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. Note that the UUID may optionally be enclosed in { }.

Samples

    <explicit tag="0">
      <objectid>1.3.6.1.4.1.311.25.1</objectid>
      <explicit tag="0">
        <octetstring><uuidtohexstring><requestattribute name="guid"/></uuidtohexstring></octetstring>
      </explicit>
    </explicit>

Would insert an otherName entry for a Domain Controller with the GUID stored in the request attribute guid:

    6F9EF915-B89A-48FB-A696-0EF12E80588F -> 15F99E6F9AB8FB48A6960EF12E80588F

base64tohexstring Tag

Tag name: base64tohe
See requestrdn for a list of OIDs for the most common RDN elements.
define / mandatory / The name of the temporary variable to define with the RDN content. This variable is only available to the enclosed tags.
reverse / optional / If true, reverses the order in which the RDNs found in the request DN are passed to the enclosed tags. If not defined or false, RDNs are processed in the order they appear in the request DN.

Make sure that the name of the temporary variable specified with define is unique and does not overwrite any other existing variable.

Samples

    <foreachsubjectrdn oid="2.5.4.3" define="myCN">
      <ifnot name="myCN" match="keyon.test" matchoptions="IGNORECASE">
        <exception>CommonName <insert name="myCN"/> doesn't end in keyon.test</exception>
      </ifnot>
    </foreachsubjectrdn>

This construct would ensure that all CommonName entries in the request DN contain a fully qualified domain name ending in keyon.test.

foreachsubjectaltname Tag

Tag name: foreachsubjectaltname
Enclosed content: Only enclosed tags are allowed. For each element of the given type in the SubjectAltName, a temporary variable with the entry content is defined and the enclosed tags are evaluated.

Parameters

Tag parameter / Presence / Description
type / mandatory / The type of SubjectAltName eleme
    <foreachsubjectaltname type="ipAddress" define="myIpAddress">
      <exception>SubjectAltName may not contain ipAddress entries</exception>
    </foreachsubjectaltname>
    </extension>

Using a custom extension definition to look up data for the subject DN

You can define a custom extension that is always empty and will never be included in the certificate, for the sole purpose of looking up data in the Active Directory.

Sample: The following configuration will never add an extension, as no ASN.1 tags are present and onempty is set to remove. It will however set a request attribute named userPrincipalName based on an Active Directory query with the sAMAccountName extracted from the request attribute name (DOMAIN\account). The request attribute will only be valid during the processing of the request by true Xtender; it can however be used for the subject DN building. If the Active Directory lookup fails, an exception will be thrown.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <extension oid="1.3.6.1.4.1.15486.44322931.3" critical="false" onempty="remove" name="AD Lookup of userPrincipalName">
      <define name="sAMAccountName" match="…">
        <requestattribute name="name" ignorecase="true"/>
      </define>
      <ifnot name="sAMAccountName">
        <exception>The sAMAccountName could not be determined from the request</exceptio
use true Xtender to filter out this possibly unwanted extension.

Pending Requests

You can set the template to use for pending requests with the certutil utility:

    certutil -setattributes <id> "StandaloneCertificateTemplate:keyon"

You cannot set the CertificateTemplate request attribute using certutil when you have a standalone CA. You must use the request attribute StandaloneCertificateTemplate instead to set the template to use for the keyon true Xtender.

Delegate Policy Configuration

The Delegate Policy Configuration tab allows selecting and configuring the delegate policy module to be used by the true Xtender during the request processing. You can configure the delegate policy module by clicking the Properties button. Note that the configuration of the underlying policy module is only available when called from within the Certificate Services properties. The tab shows the selected delegate policy module, for example:

    Name: Windows default
    Description: Specifies how to handle certificate requests for Enterprise and Stand-alone CAs
    Version: 2.3790.1830
    Copyright: Microsoft Corporation. All rights reserved.

After clicking Select, the available policy modules on the system are listed and you can select the delegate p
    <integer tag="1">128</integer>

Generated ASN.1 representation: [1] 128. dumpasn1 will show such an encoding as

    <integer><requestattribute name="numberOfLicenses"/></integer>

enumerated Tag

Tag name: enumerated
Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. The expanded text must be a positive integer in the range 0 to 2147483647.

Parameters

Tag parameter / Presence / Description
tag / optional / If defined, the ASN.1 object is implicitly tagged with the given context-specific tag.

Samples

    <enumerated>10</enumerated>

Generated ASN.1 representation: ENUMERATED 10

    <enumerated tag="1">20</enumerated>

Generated ASN.1 representation: [1] 20. dumpasn1 will show such an encoding as [1] 14 (the value 20 in hex).

    <enumerated><requestattribute name="option"/></enumerated>

null Tag

Tag name: null
Enclosed content: none.

Parameters

Tag parameter / Presence / Description
tag / optional / If defined, the ASN.1 object is implicitly tagged with the given context-specific tag.

Samples

    <null/>

Generated ASN.1 representation: NULL

    <null tag="0"/>

Generated ASN.1 representation: [0] NULL. dumpasn1 will show an error: "[0] Error: Object has zero length."

ASN.1 Construct
    ...<ia5string tag="2">user1</ia5string></sequence></set>

Generated ASN.1 representation:

    SET {
      SEQUENCE {
        [1] IBM HOST PLATFORM
        [2] user1
      }
    }

explicit Tag

Tag name: explicit
Enclosed content: Only enclosed ASN.1 tags of any type are allowed. No text or tags that insert text are permitted.

Parameters

Tag parameter / Presence / Description
includeempty / optional / If set to true, the explicit complex type will be included even if it does not contain any enclosed objects. If set to false, empty explicit complex types are not included. Default behavior is to include empty explicit complex types. This parameter is usually used when the contents of an explicit complex type are added using conditional tags like if or ifnot.

Samples

    <explicit tag="0">
      <explicit tag="0">
        <ia5string tag="6">http://www.keyon.ch/cacrl.crl</ia5string>
      </explicit>
    </explicit>

Generated ASN.1 representation:

ASN.1 Raw Data

This special tag allows including externally encoded ASN.1 data in a custom extension.
Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. The expanded text must only contain 0-9 and A-F characters, representing the binary data of valid ASN.1 data in hex format. Bytes may be separated with whitespace or the characte
It allows certificate content manipulation at a level that is otherwise not possible with Certificate Services alone.

Key Features

- Works with both Standalone CA and Enterprise CA types. The functionality can be defined for each certificate template separately.
- Retains the functionality of the original Certificate Services policy module, including the special Enterprise functionality.
- The subject distinguished name (SubjectDN) of the issued certificate can be set at will. true Xtender allows e.g. to use the common name from the request but add static RDN elements for the directory information tree (DIT) that do not need to be available in the Active Directory. This functionality also allows correcting the subject DN specified in PKCS#10 requests generated with 3rd party software.
- Remove unwanted X.509 certificate extensions that Certificate Services automatically adds to the certificate. This is especially useful when certificates are issued for non-Microsoft clients that may be confused by the additional extensions.
- Add custom extensions that can be defined using an XML-based description language. Custom extensions can contain dynamic data taken from the request and provide full control over the X.509 extension content. The XML description language supports all ASN.1 constructs that are commonly used in X.509 extensions.
- The Active Directory schema does not need to be changed for the keyon true Xtender.
- Activities are reported in t
    ...Jane Sample, dc=keyon

Externally built DN

Challenge: The complete subject DN to use must be provided in a request attribute.

    Request DN: cn=Jane Sample, cn=Users, dc=keyon, dc=ch
    Request attributes: mydn = cn=John Doe, o=keyon, c=CH
    Ordered RDN Components: <RequestAttribute mydn>
    Resulting Subject DN: cn=John Doe, o=keyon, c=CH

Custom X.509 Extensions

The Custom X.509 Extensions tab allows adding custom extensions to certificates. The tab lists the configured extensions by Extension OID, with Add, Edit and Remove buttons.

Adding custom extensions

Click on the Add button to select the XML file containing the custom extension description (e.g. hostidmapping.xml from the trueXtender folder; the file type is "Custom X.509 Extension Template (*.xml)"). See "Custom extensions definition language" for a description of the XML contents. The extension is validated and, if found ok, the extension is added to t
All events logged by keyon true Xtender use "true Xtender" as the source and can thus be easily filtered in the Event Viewer.

Event IDs used

The following table lists the events that can be logged:

ID / Type / Description
1 / Information / keyon true Xtender loaded
2 / Information / keyon true Xtender unloaded
3 / Error / Unable to load certificate templates from Active Directory. Please restart certificate services.
 / Error / Unable to load Microsoft Certificate Policy COM object
 /  / Changed DN from %1 to %2 based on configuration for template %3
 / Error / Microsoft policy module was unable to pre-process the request\nWindows error %1\nCOM error info %2
 /  / Template %1 not found in Active Directory
 /  / Unable to process request %1
 / Error / Unable to process request: Microsoft Certificate Policy COM object not found
 /  / Unable to add custom X.509 extension %1
 /  / Unable to build new DN %1

Regular expressions

The regular expression engine used by true Xtender supports a Perl-compatible pattern syntax. The basic patterns are thus the same as used by most regular expression engines. For an explanation of regular expressions see [REGEXP 1]; a tutorial can be found at [REGEXP 2]. Visit [REGEXP 3] for an online library of common regular expressions.
26. Name

You can use the PublicKeyLength variable and an ifnot tag to ensure a certain public key size.

Samples:
<ia5string><certificateproperty name="CertificateTemplate"/></ia5string>

requestrdn Tag

Tag name: requestrdn
Enclosed content: Text or tags that insert text are ignored. No enclosed ASN.1 tags are allowed.
The content of the specified request RDN is inserted.

Parameters:
- oid (mandatory): The OID of the RDN whose content to insert.
- element (optional): If more than one RDN with the given OID exists, a specific RDN can be selected. If not defined, the first (1) RDN is inserted.

OIDs for common RDN elements (Long name / Short name / OID):

Samples:
<ia5string><requestrdn oid="2.5.4.3" element="1"/></ia5string>

subjectrdn Tag

Tag name: subjectrdn
Enclosed content: Text or tags that insert text are ignored. No enclosed ASN.1 tags are allowed.
The content of the specified subject RDN is inserted. Note that an empty string is inserted if the subject RDN is not set. The subject RDN may be different from the request RDN if the subject DN building of true Xtender is used. The subject DN is the DN that will be included in th
27. Syntax

Common characters: Alphanumeric characters, the underscore and punctuation characters with no special definition (see "Special characters") match themselves. If all the characters in a pattern are common characters, the match operation is just a check whether the pattern string occurs in the given text.

Note: Character matching is case sensitive unless IGNORECASE mode is set.

Special characters

Non-printable characters: Non-printable characters (e.g. newline, tab etc.) are specified using escape sequences (Escape / Description).

Characters for pattern expressions: The following characters are used for building the pattern (Character / Description):
- . : Match any character except newline (\n). Use \. to match the . character itself.

Character sets: A character set can match any of the characters in the set.

Predefined character sets (Description):
- \S : Match any character not in \s
- \d : Match any number (0-9)
- \D : Match any character not in \d
- \w : Match any alphanumeric character (A-Z, a-z, 0-9)
- alpha : Match any alpha character (A-Z, a-z)
- ascii : Match any ASCII character (\x00-\x7F)
- cntrl : Match any control character (\x00-\x1F, \x7F)
- digit : Match any number (0-9)
- print : Match any printable ASCII character (\x20-\x7E)
- space : Match any space character (\x09-\x0D, \x20)
- Match any
28. Contents (continued)

Template ... 26
Certificate Template Info ... 26
Enabling or disabling processing of this template ... 26
Subject DN Building ... 27
Directory Information Tree, RDNs and Distinguished Names ... 28
Adding a RDN element to the subject DN ... 30
Removing a RDN element
Edit a RDN element
Samples
Keep request DN
Using static elements for RDN elements
Using the content of request attributes for RDN elements
Using the content of request RDNs
Using original request RDN element
Use request attributes
Externally build DN
Custom X.509 Extensions
Adding custom extensions
Edit custom extension files
Removing custom extensions
Custom extensions definition language
Root Tag
Loop Tags
Illustrated custom extension example
extension
Variable Related Tags
exception
foreach
foreachsubjectrdn
foreachsubjectaltname
Request Data Tags
requestattribute
definerequestattribute
requestproperty
certificateproperty
requestrdn
subjectrdn
subjectaltname
29. They have a different function at different places, so they can be used together. The assertions \A and \Z are used to match only the beginning and end of the string respectively, regardless of whether the MULTILINE flag has been specified.

Regular Expression Test Utility

true Xtender ships with a utility for the design and test of regular expressions. After starting the utility, the regular expression, the desired options and the text to match are entered into the appropriate fields.

[Screenshot: "keyon true Xtender Regular Expression Test Utility" with the fields Regular Expression, Options (IGNORECASE, SINGLELINE, MULTILINE), Input Text, "Result when used in custom extension tag" (if / ifnot / define, each reading "Click apply regular expression to get result") and the button "Apply regular expression >>>"]

By clicking "Apply regular expression >>>" the input text is matched against the regular expression and the result when used in the different tags (if, ifnot, define) is shown.

[Screenshot: the same utility after clicking "Apply regular expression >>>", with IGNORECASE checked and the results filled in]
30. ame extension meet specific requirements. As the if and ifnot logic tags allow specifying regular expressions, one can easily implement blacklist or whitelist patterns to enforce e.g. well-formed dNSNames or prevent other information in the subjectAltName extension.

Sample

The following configuration will never add an extension, as no ASN.1 tags are present and onempty is set to remove. If, however, any dNSName entry in a requested subject alternative name extension does not end in keyon.ch, or an iPAddress is present in the extension, the certificate will not be issued (denied by policy module) and the exception text is logged in the event log and returned in the disposition message. Adding this configuration as a custom extension will thus enforce that the subjectAltName extension of issued certificates only has dNSName entries that end in keyon.ch and no iPAddress entries are present.

<?xml version="1.0" encoding="ISO-8859-1"?>
<extension oid="1.3.6.1.4.1.15486.44322931.2" critical="false" onempty="remove" name="SubjectAltNameEnforcement">
  <foreachsubjectaltname type="dNSName" define="myDnsName">
    <ifnot name="myDnsName" match="keyon\.ch$" matchoptions="IGNORECASE">
      <exception>SubjectAltName policy violation: dNSName <insert name="myDnsName"/> doesn't end in keyon.ch</exception>
    </ifnot>
  </foreachsubjectaltname>
31. ate. If you define custom extensions, the custom extensions are automatically added to the allowed extensions list unless the list is empty.

Some Microsoft-specific extensions are required for automated processes like renewal when the Enterprise functionality of Certificate Services is used. If those extensions are suppressed, such processes may no longer work.

Adding well-known extensions

To add a well-known extension, click on the drop-list button under "Enter or select an OID and click Add to add it to the list" and select the desired extension.

[Screenshot: the "Enter or select an OID" drop-down list, showing entries such as IBM HostIdMapping 1.3.18.0.2.18.1, Application Policies 1.3.6.1.4.1.311.21.10, Application Policy Constraints 1.3.6.1.4.1.311.21.12, Application Policy Mappings 1.3.6.1.4.1.311.21.11, Authority Information Access 1.3.6.1.5.5.7.1.1, Authority Key Identifier 2.5.29.1 and 2.5.29.35, Basic Constraints 2.5.29.19, CA Version]

The list shows all OIDs known to Microsoft Windows as well as any custom extensions defined for this certificate template with the keyon true Xtender. Note that some extensions are present with multiple OIDs (e.g. Basic Constraints) due to historical reasons. Make sure you use the correct OID if multiple OIDs are available fo
32. ate format string for the ASN.1 date is inserted. See timenow for format string elements. E.g. the format string %d.%m.%Y %H:%M:%S will create a date string like 18.01.2007 23:00:00. For the ASN.1 GeneralizedTime tag the format to use would be %Y%m%d%H%M%SZ. For the ASN.1 UTCTime tag the format to use would be %y%m%d%H%M%SZ.

Parameters:
- offset (optional): A positive or negative offset in seconds that is added to the current time before formatting the date.
- round (optional): If defined, the time in UTC (with the optional offset added) is rounded to the next multiple of round. If round is e.g. 60, the seconds part of the inserted date will always be 0. If offset is set to -3600 and round is set to 3600, the date string will contain the latest full hour before the current date.

Samples:
<generalizedtime><timenowutc/></generalizedtime>
<timenowutc offset="31536000">%d.%m.%Y %H:%M:%S</timenowutc>

Data Lookup Tags

adsquery Tag

Tag name: adsquery
Enclosed content: Only placeholder tags are permitted. No enclosed ASN.1 tags are allowed.
Query an Active Directory Service using a search filter and insert the contents of a specified attribute if a matching entry is found.

Parameters:
- binding (optional): The server, domain and/or base path to use for the query, using LDAP ADsPath syn
33. backup of the current true Xtender configuration as well as all custom extension files configured.

Backup true Xtender configuration

Note that the backup procedure is silent, i.e. no confirmation is shown after the backup is created. This allows creating regular backups using a scheduled job. Each backup is stored in a separate sub-folder using the current date and time as the folder name.

[Screenshot: Windows Explorer showing C:\Program Files\trueXtender\backup containing the sub-folder 20070307_204934 (File Folder, modified 07.03.2007 20:49)]

Each backup folder contains a backup of the true Xtender registry settings as well as copies of all configured custom extension definition files. Backup folders are not removed if you uninstall the keyon true Xtender.

Restoring a true Xtender configuration from a backup

In the true Xtender start menu select Backup > Configuration backups to open the backup root folder.

[Screenshot: Windows Explorer showing the backup root folder C:\Program Files\trueXtender\backup with one sub-folder, modified 07.03.2007 20:49]
34. bute (OID 1.3.6.1.4.1.311.13.2.3) present that contains version information about the client operating system on which the certificate request was generated, the contents are available as a string in the following property:

Request Property Name / Description
- Request.CSR.Attribute.OSVersion: The client operating system version information.

If the request has a REQUEST_CLIENT_INFO attribute (OID 1.3.6.1.4.1.311.21.20) present that can be used to identify the client that generated a certificate request, the contents are available in these properties:

Request Property Name / Description
- Request.CSR.Attribute.ClientI.ClientI: The type of client application that generated the request.
- Request.CSR.Attribute.ClientI.MachineName: The Domain Name System (DNS) name of the computer that generated the request.
- Request.CSR.Attribute.ClientI.ProcessName: The name of the application that generated the request.
- Request.CSR.Attribute.ClientI.UserName: The Security Accounts Manager (SAM) name of the user.

If the request has an ENROLLMENT_CSP_PROVIDER attribute (OID 1.3.6.1.4.1.311.13.2.2) present that identifies the cryptographic provider used by the entity requesting the certificate, the contents are available in these properties:

Request Property Name / Description
- Request.CSR.Attribute.EnrollmentCSP.CSPName: The provider name.
- Request.CSR.Attribute.EnrollmentCSP.KeySpec: A value that identifies whether t
35. [Screenshot: certificate template list, e.g. EFS, EFS Recovery Agent, Enrollment Agent, Exchange Enrollment Agent (Offline request), Exchange User, Exchange Signature Only, IPSec (Offline request), IPSec, Key Recovery Agent, Computer]

The actual template processing page contents and options depend on whether an Enterprise CA or a Standalone CA is used. You can open the dialog to configure a specific template by selecting the entry and clicking the Edit button, or by double-clicking the certificate template name.

Enterprise CA Types

true Xtender will always show all certificate templates found in the Active Directory, even if the CA supports only a subset of the certificate templates. The dialog shows the template display names.

Standalone CA Types

Certificate Services for Standalone CAs do not support certificate templates on their own. However, true Xtender provides a means to add templates even for standalone CAs.

Managing standalone templates

The default template: The keyon true Xtender automatically adds a default template with the name "default" when used with a standalone CA type. By default, the true Xtender processing for the default template is deactivated, however.

[Screenshot: "keyon true Xtender Properties" dialog with the tabs Template Processing, Delegate Policy, Configuration, License and About; the Certificate Template list shows "default" with Processed = No]

The default template is used for all certificate requests for which no certificate template is specified. See belo
36. ct ensures that no iPAddress is present in the SubjectAltName.

<foreachsubjectaltname type="otherNameOID" define="myOID">
  <ifnot name="myOID" value="1.3.6.1.4.1.311.20.2.3">
    <exception>SubjectAltName may not contain otherName entries other than UPN</exception>
  </ifnot>
</foreachsubjectaltname>

This construct ensures that the only otherName entries present in the SubjectAltName are of type user principal name.

Request Data Tags

requestattribute Tag

Tag name: requestattribute
Enclosed content: Text or tags that insert text are ignored. No enclosed ASN.1 tags are allowed.
The content of the named request attribute is inserted. Note that an empty string is inserted if the request attribute is not set.

Parameters:
- name: The request attribute whose content to insert.
- ignorecase (optional): Defines if the request attribute name is matched case-insensitively (true) or if an exact match is required (false). If not defined, the case must match exactly (false).

Samples:
<ia5string><requestattribute name="email"/></ia5string>

Request attributes are attributes that are passed along with the request but are not part of the signed request itself.

definerequestattribute Tag

Tag name: definerequestattribute
Enclosed content: Only text or ta
37. Contents (continued)

Predefined character sets ... 122
Repeat quantifiers ... 123
Standard quantifiers ... 123
Reluctant quantifiers ... 123
Possessive quantifiers ... 124
Character boundaries ... 124
Alternative expressions ... 124
Grouping ... 124
Regular Expression Test Utility ... 126
Common Problems ... 127
References ... 128

Overview

What it is: the keyon true Xtender

keyon true Xtender is a policy module for Certificate Services included in Microsoft Windows Server 2003 that allows altering the subject DN and X.509 extensions of certificates issued with Certificate Services.
38. e certificate and may differ from the request DN.

Parameters:
- oid (mandatory): The OID of the RDN whose content to insert.
- element (optional): If more than one RDN with the given OID exists, a specific RDN can be selected. If not defined, the first (1) RDN is inserted.

See requestrdn for a list of OIDs for the most common RDN elements.

Samples:
<ia5string><subjectrdn oid="2.5.4.3" element="1"/></ia5string>

subjectaltname Tag

Tag name: subjectaltname
Enclosed content: Text or tags that insert text are ignored. No enclosed ASN.1 tags are allowed.
The content of the specified SubjectAltName element is inserted.

Parameters:
- type (mandatory): The type of the SubjectAltName element whose content to insert. See the table below for a list of available types.
- element (optional): If more than one element of the given type exists, a specific element can be selected. If not defined, the first (1) element is inserted.

SubjectAltName Element Types (Type / Description):
- otherNameOID: This is an artificial type which returns all OIDs of the otherName entries present in the SubjectAltName. Useful in conjunction with the foreachsubjectaltname tag.
- otherName<oid> (String or Hex String): The otherName entry matching the given OID (in brackets), either as a string in case the value represent
39. e contents, or contents of the original request DN. After clicking the Insert button the new element is inserted in the list of RDNs.

[Screenshot: Subject DN Building tab; with no entries, the Subject DN given in the request is used. Ordered RDN Components: dc=ch, dc=keyon, cn=<RequestRDN 2.5.4.3 1>, with Up, Down and Remove buttons]

Empty elements are not added to the subject DN. If variables are used and the value is empty, i.e. after the expansion the element reads something like "cn=", the element will not be included. You can use the custom extension function with a not-included (empty) extension that just checks that required elements are present.

Using static elements for RDN elements

Static elements are simply entered like dc=keyon (dc=keyon,dc=ch). If the static text contains a special character (such as a comma), the whole RDN value expression right of the = must be quoted using the " character. If the RDN value itself contains a " character, it must be double-quoted ("").

Samples:
To insert the organization name keyon, Inc you must enter it as o="keyon, Inc".
To insert an organization name that itself contains a " character, each " inside the quoted value must be doubled.

Using the content of request attributes for RDN elements

The following syntax is used to insert the content of a request attribute:
<RequestAttribute name>
Where name is the case-sensitive name of the request attribute whose cont
40. ed Types

sequence Tag

Tag name: sequence
Enclosed content: Only enclosed ASN.1 tags of any type are allowed. No text or tags that insert text are permitted.

Parameters:
- includeempty (optional): If set to true, the sequence will be included even if it does not contain any enclosed objects. If set to false, empty sequences are not included. Default behavior is to include empty sequences. This parameter is usually used when the contents of a sequence are added using conditional tags like if or ifnot.

Samples:
<sequence>
  <objectid>1.2.840.113549.1.1.5</objectid>
  <null/>
</sequence>

Generated ASN.1 representation:
SEQUENCE {
  OBJECT IDENTIFIER 1.2.840.113549.1.1.5
  NULL
}

set Tag

Tag name: set
Enclosed content: Only enclosed ASN.1 tags of any type are allowed. No text or tags that insert text are permitted.

Parameters:
- includeempty (optional): If set to true, the set will be included even if it does not contain any enclosed objects. If set to false, empty sets are not included. Default behavior is to include empty sets. This parameter is usually used when the contents of a set are added using conditional tags like if or ifnot.

Samples:
<set>
  <sequence>
    <ia5string tag="1">IBM HOST PLATFORM</ia5string>
    <ia5string tag
41. ents are to be inserted. Note that the request attribute may also contain the RDN type string, e.g. "cn=". You can provide the complete DN in a request attribute; simply leave out the static RDN prefix. You can add or change request attributes within the keyon true Xtender processing scope in a custom extension by using the <definerequestattribute> tag.

Samples:

cn="<RequestAttribute firstname> <RequestAttribute surname>"
If the request attribute firstname contains John and the request attribute surname contains Doe, the RDN created would be cn=John Doe. The use of " ensures that names containing special characters (< >) are inserted correctly. The surrounding quotes are not inserted into the resulting RDN; it is thus always safe to use quotes.

<RequestAttribute newdn>
If the request attribute newdn contains cn=John Doe,dc=keyon,dc=ch, the DN created would be cn=John Doe,dc=keyon,dc=ch if no other RDN elements are configured. However, you must make sure that the DN provided in the attribute uses appropriate quoting if some RDN elements contain special characters.

Using the content of request RDNs

The following syntax is used to insert the content of a RDN from the original request:
<RequestRDN oid element>
Where oid is the OID of the RDN whose contents are to be inserted and element is the number of the RDN to use if multiple RDNs
42. fine the Certificate Policies extension using the XML description language. You can also overwrite any standard extension included by the Certificate

Illustrated custom extension example

As an example, we want to include the non-critical IBM hostIdMapping extension if the certificate request has the attribute hostid set. If the request attribute is not set, we do not want to include the extension. This example will show the use of most available tag groups that are provided for custom extensions.

The hostIdMapping extension (OID 1.3.18.0.2.18.1) is an IBM extension also available for public use. RACF automatically maps a valid certificate to the RACF user ID provided in the extension. The ASN.1 definition taken from the IBM documentation is as follows:

id-ce-hostIdMapping OBJECT IDENTIFIER ::= { 1 3 18 0 2 18 1 }

HostIdMapping ::= SEQUENCE {
  hostName  [1] IMPLICIT IA5String,
  subjectId [2] IMPLICIT IA5String
}

To achieve our goal, the following XML definition for the extension is created:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE extension SYSTEM "trueXtender-2.3.3.dtd">
<extension oid="1.3.18.0.2.18.1" critical="false" onempty="remove" name="IBM HostIdMapping">
  <define name="hostid"><requestattribute name="hostid"/></define>
43. gs that insert text are permitted. No enclosed ASN.1 tags are allowed.
The expanded text will be assigned to the request attribute, but only in the scope of the true Xtender request processing, i.e. the attribute set is not stored in the Certificate Services database. You can, however, access such a defined attribute for the true Xtender DN building.

Parameters:
- name: The request attribute to define or overwrite.

Samples:
<definerequestattribute name="newCommonName"><subjectaltname type="dnsName"/></definerequestattribute>

Request attributes defined using definerequestattribute are only available in true Xtender custom extensions and for subject DN building with true Xtender. Note that the request attribute name specified in DN building using <RequestAttribute name> is case sensitive. Make sure that the name specified in the name attribute of definerequestattribute matches the name given in requestattribute exactly.

requestproperty Tag

Tag name: requestproperty
Enclosed content: Text or tags that insert text are ignored. No enclosed ASN.1 tags are allowed.
The content of the named request property is inserted. Note that an empty string is inserted if the request property is not set.

Parameters:
- name: The request property whose content to insert. The following table l
44.   <if name="hostid">
    <sequence>
      <ia5string tag="1">SAMPLE HOST NAME</ia5string>
      <ia5string tag="2"><tolower><insert name="hostid"/></tolower></ia5string>
    </sequence>
  </if>
</extension>

The following gives a description of the tags used in the example. The tag names are not case sensitive. However, if DTD validation is used when authoring the XML file, the tag names must be in lower case.

XML header (optional)
<?xml version="1.0" encoding="ISO-8859-1"?>
The XML version (always 1.0) and the character set encoding are specified. Note that the header is optional, but its use is recommended.

DOCTYPE declaration (optional)
<!DOCTYPE extension SYSTEM "trueXtender-2.3.3.dtd">
DTD validation is not performed by true Xtender when loading the XML file. However, adding the DOCTYPE declaration along with the DTD file may help authoring extensions with editors that use the DTD for syntax validation.

XML comments
XML comments can be used to include descriptions or to comment out elements.

Extension definition
<extension oid="1.3.18.0.2.18.1" critical="false" onempty="remove" name="IBM HostIdMapping">
</extension>
The extension tag defines the OID of the extension, the criticality, the display name in the true Xtender GUI, and defines if the ac
45. he DN from the Subject of the certificate request.
- Request.SurName: The surname attribute of the DN from the Subject of the certificate request.
- Request.Title: The title attribute of the DN from the Subject of the certificate request.
- Request.UnstructuredAddress: The unstructured address attribute of the DN from the Subject of the certificate request.
- Request.UnstructuredName: The unstructured name attribute of the DN from the Subject of the certificate request.

Depending on how the request was created, most of the properties will not be set. The most useful property is Request.RequesterName, which contains the user raising the request in the form DOMAIN\userid.

In addition to the standard request properties available to a policy module, the keyon true Xtender extracts information from the certificate signing request (CSR) and makes it available as request properties. The type of the CSR is available in the following property:

Request Property Name / Description
- Request.CSR.Type: The type of the certificate signing request. The following types are defined: PKCS7, PKCS10, CMC or KEYGEN.

Note that the properties in the CSR are added by the client as part of the request and may not contain authenticated information. Using specific software, a client could easily forge e.g. the REQUEST_CLIENT_INFO to include arbitrary user and machine names.

If the request has an OS_VERSION attri
46. he Windows Event Log.

Request processing with true Xtender

The request flow when true Xtender is installed and Certificate Services processes a certificate request is as follows:

[Flow diagram: Verify request, then Call Microsoft Policy Module, then true Xtender processing; possible outcomes are Return BAD disposition, Return MS disposition, Return MS Policy disposition and Return Error disposition]

1. The delegate policy module is called (usually the original Microsoft Policy Module) to process the request. If the request fails or the template must not be processed by true Xtender, the request processing stops.
2. Custom X.509 extensions are optionally added according to the configuration for the template used.
3. Unwanted X.509 extensions are optionally removed according to the configuration for the template used.
4. The subject DN is optionally altered according to the configuration for the template used.

Installation

keyon true Xtender is shipped as a Windows Installer (MSI) package. Simply double-click the installation file provided. If you are installing true Xtender on a 64-bit Microsoft server system, you must install the 64-bit true Xtender installation package. The 32-bit true Xtender cannot be used on a 64-bit system.

The installation is then started and shows mainly the following four screens:

[Screenshots: keyon true Xtender Setup, screens 1 and 2]
47. he key pair stored by the provider (or key container) is used for encryption or for signing content.

If the request has an ENROLLMENT_NAME_VALUE_PAIR attribute (OID 1.3.6.1.4.1.311.13.2.1) present that contains generic name/value pairs, the name/value pairs are available in these properties:

Request Property Name / Description
- Request.CSR.Attribute.NameValuePair.name: Where name is the name of the value.

One of the well-known name/value pairs is the certificate template requested by the client, which is available in the property Request.CSR.Attribute.NameValuePair.CertificateTemplate.

If the request is of type KEYGEN or has a Challenge Password according to PKCS#9 (OID 1.2.840.113549.1.9.7) present, the contents are available as a string in the following property:

Request Property Name / Description
- Request.CSR.Attribute.ChallengePassword: The challenge password.

If the request was posted using the SCEP protocol, Request.CSR.Attribute.ChallengePassword contains the password created by NDES. Together with the adsquery tag and the subject name building capabilities of true Xtender, this property can be used to ensure that a network device cannot get a certificate for a common name other than the one intended for this specific device. It is thus possible, with little additional effort, to mitigate the known vulnerability in SCEP documented by the US-CERT Vulnerability Note VU#971035: S
48. he list of custom extensions.

[Screenshot: custom extension list showing Extension "IBM HostIdMapping" with OID 1.3.18.0.2.18.1]

In case of an error in the XML description of the custom extension, the kind of error and, if possible, the location in the input file (line, column) is shown:

[Screenshot: error dialog "Invalid true Xtender X.509 extension template. Custom extension error (29, 4): End tag 'if' does not match the start tag 'nuf'"]

Correct the problem and try to add the extension again.

Edit custom extension files

Select the extension and click the Edit button to start the text editor with the custom extension file opened. If Certificate Services is running, the following message will be shown to remind you that custom extensions are only loaded at startup of Certificate Services:

[Screenshot: message "Certificate Services must be restarted if you alter the extension template"]

If the custom extension file is not valid after editing, Certificate Services will not start. Check the Event Log for details on the error. In order to check the file in the configuration dialog, you can remove it and add it again.

Removing custom extensions

Simply select the extension and click the Remove button to remove a custom extension. The external file with the custom extension is not removed and can be added again.

Custom extensions definition language

The custom extension i
49. hrown if the search returns more than one matching entry. Defaults to 1.
- The index of the attribute value in the matching entry to use in case of multi-valued attributes. The first attribute value uses index 1. Defaults to 1.
- The sorting order of the attribute values. Can be asc for ascending order (default) or desc for descending order. Used to ensure that the order of attributes returned is always the same if multiple queries are executed to get all attribute values.
- The maximum number of values the specified attribute in the matching entry may contain. If the attribute is a single-value attribute (normal case), 1 must be specified so that an exception is thrown if the attribute contains more than one value. Defaults to 1.
- The attribute name whose value to insert upon success. You can specify ordinary (e.g. userPrincipalName) as well as constructed (e.g. distinguishedName) attributes. Note that only attributes that are of string form can be inserted.

Tag parameter / Presence / Description
- searchfilter (mandatory): The LDAP search filter to use for the query. The filter uses LDAP filter syntax and can contain placeholders referencing a name, which are quoted and inserted into the filter before the query is executed. Note that you must write the & operator as &amp; due to XML restrictions. Some servers may not work correctly if the filter string is split over multiple lines. An
id><requestattribute name="algorithm"/></objectid>

character string types

Tag names: ia5string, numericstring, universalstring, bmpstring, utf8string, teletexstring, visiblestring, generalstring, printablestring

Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. Note that depending on the chosen string type, character set limitations apply; consult an ASN.1 reference manual for details. Leading and trailing whitespace is removed. You may need to use the XML syntax <![CDATA[text]]> if you want to enter static special characters.

Note that the more esoteric character string types like VideotexString are not supported, as they are not used with X.509 extensions. You must ensure that the character string given uses only valid characters for the selected character string type.

Parameters

tag (optional): If defined, the ASN.1 object is implicitly tagged with the given context-specific tag.

Samples

    <printablestring>123456789abcdef</printablestring>

Generated ASN.1 representation: PrintableString 'keyon'

    <ia5string tag="2">user1</ia5string>

Generated ASN.1 representation: [2] 'user1'

    <ia5string><requestattribute name="upn"/></ia5string>

date string types

Tag Tag
imple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests.

If the request was processed by the Network Device Enrollment Service (NDES)

Other request attributes that consist of only string content are available as a string in the following property:

Request.CSR.Attribute.<oid>, where <oid> is the OID of the string attribute.

Samples

    <ia5string><requestproperty name="Request.RequesterName"/></ia5string>

    <define name="CSRType"><requestproperty name="Request.CSR.Type"/></define>
    <ifnot name="CSRType" value="PKCS10">
      <exception>Only PKCS#10 request types allowed</exception>
    </ifnot>

certificateproperty

Tag name: certificateproperty

Enclosed content: Text or tags that insert text are ignored. No enclosed ASN.1 tags are allowed. The content of the named certificate property is inserted. Note that an empty string is inserted if the certificate property is not set.

Parameters

name: The certificate property whose content to insert.

The following table lists the certificate properties that are available using the certificateproperty tag. Note, however, that not all certificate properties may be available for every request.

Certificate Property
is given. If you use regular expressions, make sure that the regular expression is designed correctly. See section "Regular expressions" for details about regular expressions.

Samples

    <ifnot name="email">
      <exception>Email address is not defined</exception>
    </ifnot>

    <ifnot name="CN" match="keyon\.ch$" matchoptions="IGNORECASE">
      <exception>CN given '<insert name="CN"/>' doesn't end in keyon.ch</exception>
    </ifnot>

This construct would prevent the use of a CN which does not end in keyon.ch.

ifcontains

Tag name: ifcontains

Enclosed content: Only enclosed tags are allowed. The enclosed tags will be added to the custom extension if the content of the specified element variable is present in the tokenized content of the list variable.

Parameters

name (mandatory): The variable to check for the presence of the element's content after tokenizing its own content.

delimiters (optional): The delimiters to use when tokenizing the content of name. Multiple delimiters, including the space character, can be specified. If not defined, the variable name will be tokenized at any white space character.

element (mandatory): The variable whose content must be present in the tokenized content of name.

ignorecase (optional): Defines if the loo
is set to remove. If, however, the first CN element of the subject name given in the certificate request does not end in keyon.ch, the certificate will not be issued (denied by policy module) and the exception text is logged in the event log and returned in the disposition message. Adding this configuration as a custom extension will thus enforce that the CN of issued certificates always has a content that ends in keyon.ch.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <extension oid="1.3.6.1.4.1.15486.44322931.1" critical="false" onempty="remove" name="CommonNameEnforcement">
      <define name="cn"><requestrdn oid="2.5.4.3" element="1"/></define>
      <ifnot name="cn" match="keyon\.ch$" matchoptions="IGNORECASE">
        <exception>The common name given '<insert name="cn"/>' does not end in keyon.ch</exception>
      </ifnot>
    </extension>

You must specify an OID that meets certain requirements to be valid. You can use the OID 1.3.6.1.4.1.15486.44322931.n (where n >= 1) to have a valid OID if your company does not already have its own OID range which you can use.

Using a custom extension definition to enforce subjectAltName extension requirements

You can define a custom extension that is always empty and will never be included in the certificate, for the sole purpose of ensuring that parts of the subjectAltN
istinguishedName is returned. You can use define and ifnot tags to raise an exception in this case and abort the issuance of the certificate with an exception.

Testing your search filters using dsquery

You can use the dsquery command line tool that is part of the Windows Server installation to engineer and check your search filters. Sample (all on one line):

    > dsquery * domainroot -attr userPrincipalName -filter "(&(sAMAccountName=user1)(objectCategory=person)(objectClass=user))"

Output if the user is found and the userPrincipalName attribute is defined:

    userPrincipalName
    user1@keyon.ch

Don't forget to enter an & operator in a search filter as &amp; in the true-Xtender XML file, since the ampersand is a reserved character in XML.

Samples

    <adsquery attribute="userPrincipalName" searchfilter="(&amp;(sAMAccountName=<placeholder for the variable sAMAccountName>)(objectCategory=person)(objectClass=user))"/>

This will search a user record in the domain of which the Certificate Services server is a member, with a sAMAccountName attribute value that is equal to the contents of the variable sAMAccountName. If exactly one user record is found and the userPrincipalName attribute contains a single value, the contents of the userPrincipalName are inserted into the enclosing tag.

    <adsquery attribute="distinguishedName" searchfilter="(&amp;(sAMAccountName 1 objectCategory
ists the request properties that are available using the requestproperty tag. Note, however, that not all request properties may be available for every request.

Request Property Name: Description

Request.CallerName: The user or machine context that submitted the certificate request to the CA.
Request.CommonName: The common name attribute of the DN from the Subject of the certificate request.
Request.Country: The country attribute of the DN from the Subject of the certificate request.
Request.DeviceSerialNumber: The device serial number attribute of the DN from the Subject of the certificate request.
Request.Disposition: The request disposition code.
Request.DispositionMessage: The text description. Request.DispositionMessage is for presentation to a user and can contain any text string, including NULL, that the implementer considers informative.
Request.DistinguishedName: The distinguished name (DN) from the Subject attribute of the certificate request.
Request.DomainComponent: The domainComponent attribute of the DN from the Subject of the certificate request.
Request.EMail: The EmailAddress attribute of the DN from the Subject of the certificate request.
Request.GivenName: The given name (also called first name) attribute of the DN from the Subject of the certificate request.
Request.Initials: The initials attribute of the DN fro
kup in the tokenized list is performed case-insensitive (true) or if an exact match is required (false). If not defined, a case-insensitive match is used (true).

Samples

    <define name="invalidDomains">google.com microsoft.com paypal.com</define>
    <define name="domain"><requestattribute name="domain"/></define>
    <ifcontains name="invalidDomains" element="domain">
      <exception>Restricted domain specified</exception>
    </ifcontains>

This construct would ensure that the request attribute domain is not in the list of invalid domains, i.e. is not google.com, microsoft.com or paypal.com.

ifnotcontains

Tag name: ifnotcontains

Enclosed content: Only enclosed tags are allowed. The enclosed tags will be added to the custom extension if the content of the specified element variable is not present in the tokenized content of the list variable.

Parameters

name (mandatory): The variable to check for the absence of the element's content after tokenizing its own content.

delimiters (optional): The delimiters to use when tokenizing the content of the variable name. Multiple delimiters, including the space character, can be specified. If not defined, the variable name will be tokenized at any white space characters.

element (mandatory): The variable whose con
le. The Application Event Log will now show two entries whenever Certificate Services are started:

(Event Viewer screenshot: two Information events dated 19.01.2007 23:58:29 on computer KEYON-YOO1E7RDB. Source CertSvc, Event ID 26: "Certificate Services for Demo Standalone Root was started." Source true-Xtender, Event ID 1: "keyon true-Xtender loaded.")

Backup and restore

Creating a backup of the current true-Xtender configuration

The true-Xtender start menu contains a sub-menu "Backup". Selecting "Backup true-Xtender configuration" from the Backup sub-menu will create a
ll, allowing the rest of the pattern to match.

Standard quantifiers

Quantifier: Description
{m,n}: Match at least m times and at most n times. Example: ba{1,3} will match ba, baa and baaa.
{m,}: Match at least m times. Example: \w\d{2,} will match a12, x456.

Reluctant quantifiers

If a quantifier is followed by a question mark, it becomes a reluctant quantifier. Reluctant quantifiers will match the minimum number of times possible.

Quantifier: Description
{m,n}?: Match only m times if possible, at most n times.
{m,}?: Match only m times if possible; can match as many times as necessary.
??: Match 0 times if possible, at most 1 time. Equivalent to {0,1}?.
+?: Match only 1 time if possible; can match as many times as necessary.
*?: Match 0 times if possible; can match as many times as necessary. Equivalent to {0,}?.

Possessive quantifiers

If a quantifier is followed by a plus, it becomes a possessive quantifier. Possessive quantifiers will greedily match as much as they can and do not back off, even when doing so would allow the overall match to succeed.

Quantifier: Description
{m,n}+: Match n times if possible, m times at least.
{m,}+: Match as many times as possible, m times at least.
?+: Match 1 time if possible, match 0 times if it could not. Equivalent to {0,1}+.
++: Match as many times as possible, 1 time at least. Equivalent to {1,}+.
*+: Match as many times as possible, 0 times if it could not match. Equivalent to {0,}+.

Character bounda
llowed. The expanded text will be considered a distinguished name, and the order of the relative distinguished name elements is reversed.

Parameters

(none)

If the expanded text is not a distinguished name, depending on the structure either an empty string is inserted or an exception is thrown.

Samples

    <reversedn>CN=User,DC=keyon,DC=ch</reversedn>

would insert the text DC=ch,DC=keyon,CN=User as the result of the reverse DN operation.

iptohexstring

Tag name: iptohexstring

Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. The expanded text will be considered an IPv4 or IPv6 address, and the binary representation of the IP address in network byte order is returned as a hex string, e.g. for use in the octetstring tag. The type of IP address (v4 or v6) is detected automatically, and the generated hex string represents either 4 bytes (IPv4) or 16 bytes (IPv6).

Parameters

(none)

An exception is thrown if the expanded text is not a valid IPv4 or IPv6 address. Note that for IPv4 addresses the numbers are treated as octal (base 8) if leading zeroes are used; 010.020.030.040 is thus not the same as 10.20.30.40:

    010.020.030.040 -> 08101820
    10.20.30.40     -> 0A141E28

Samples

    <octetstring tag="7"><iptohexstring><
m the Subject of the certificate request.
Request.Locality: The locality attribute of the DN from the Subject of the certificate request.
Request.Officer: Indicates whether the caller is the certificate manager of the entity that corresponds to the Request.RequesterName.
Request.OrgUnit: The organizational unit attribute of the DN from the Subject of the certificate request.
Request.Organization: The organization attribute of the DN from the Subject of the certificate request.
Request.RequestAttributes: The certificate request attributes as defined in [MS-WCCE].
Request.RequestFlags: Additional certificate request information.
Request.RequestType: The type or format of a certificate request, such as PKCS#10 or the Cryptographic Message Syntax (CMS) standard with Common Messaging Calls (CMC), as specified in RFC 2797.
Request.RequesterName: The RequesterName that is included in the certificate request.
Request.SignerApplicationPolicies: The list of valid Extended Key Usage OIDs for each signer certificate from the certificate request.
Request.SignerPolicies: The list of valid certificate policy OIDs for each signer certificate from the certificate request.
Request.State: The state or province name attribute of the DN from the Subject of the certificate request.
Request.StreetAddress: The street address attribute of t
n true-Xtender

Start the Certificate Services Management console by selecting Start > Administrative Tools > Certification Authority.

Select Properties in the context menu of the CA (Certification Authority).

Select the Policy Module tab in the properties dialog ("Demo Standalone Root Properties") to view the currently active policy module. Click Select to change the policy module. The popup dialog ("Set Active Policy Module") will now list the keyon true-Xtender policy module next to the Windows default module. Select the keyon true-Xtender policy module from the list and click OK.

The description of the active policy module will now show the keyon true-Xtender properties:

    Name: keyon true-Xtender for Microsoft CA
    Description: Policy module for Microsoft Certificate Services
    Version: v2.0.0
    Copyright (c) 2007 keyon

After clicking OK or Apply in the CA properties dialog, the new policy module will be used. If Certificate Services is currently running, the following dialog will be shown:

    Certification Authority: You must restart Certificate Services for the changes to take effect. Do you want to restart the service now?

Click Yes to restart Certificate Services and activate the keyon true-Xtender policy modu
n></ifnot>

      <define name="upn">
        <adsquery attribute="userPrincipalName" searchfilter="(&amp;(sAMAccountName=<placeholder for the variable sAMAccountName>)(objectCategory=person)(objectClass=user))"/>
      </define>
      <ifnot name="upn">
        <exception>The UPN could not be found in the Active Directory</exception>
      </ifnot>
      <definerequestattribute name="userPrincipalName"><insert name="upn"/></definerequestattribute>
    </extension>

Allowed X.509 Extensions

The Allowed X.509 Extensions tab allows restricting the X.509 certificate extensions that will be included in the certificate. Extensions that are not in the list will not be included in the certificate. This functionality can be used to suppress Microsoft-specific extensions like Certificate Template Name.

(Screenshot: the template properties dialog with the tabs Certificate Template Info, Subject DN Building, Custom X.509 Extensions and Allowed X.509 Extensions. The Allowed X.509 Extensions list, "none = all extensions are allowed", shows Basic Constraints 2.5.29.19 and Key Usage 2.5.29.15, with the field "Enter or select an OID and click Add to add it to the list" and the buttons OK, Cancel and Apply.)

If you do not specify any extensions, all X.509 extensions added by the Microsoft policy module will be present in the certific
(Screenshot: Regular Expression Test Utility with an input text that is not a valid email address, options SINGLELINE and MULTILINE unchecked. Result when used in custom extension tag: if: false, ifnot: true, define: empty.)

In this case "false" for the if tag means that the enclosed content would not be considered when processing the extension template, as the match failed. As nothing was matched, define would assign an empty string to the variable.

The sample shows a regular expression which checks for a valid email address. You can change the regular expression or the input text and click "Apply regular expression >>>" to execute the match with the new data.

(Screenshot: keyon true-Xtender Regular Expression Test Utility with the email address pattern, option IGNORECASE checked, SINGLELINE and MULTILINE unchecked, input text info@keyon.ch. Result when used in custom extension tag: if: true, ifnot: false, define: info@keyon.ch.)

Common Problems

The following list shows some common errors when using keyon true-Xtender.

Unable to configure true-Xtender using the configuration application after installation

When the true-Xtender configuration is started using the supplied configuration application (Configure true-Xtender), you may encounter the following error:

    keyon true-Xtender Configuration
nsertion mechanism is a very powerful feature of the keyon true-Xtender that allows describing X.509 certificate extensions using an XML-based description. Since the description allows inserting dynamic content like request attributes or request subject DN elements, even extensions that contain data specific to the certificate holder (like e.g. a logon id) can be easily created without the need to implement additional code. A few sample extensions are installed with the keyon true-Xtender and are available through a link in the keyon true-Xtender start menu entry.

The creation of custom extensions requires knowledge of ASN.1 types and structures. While true-Xtender checks the custom extension XML file for syntax and ensures that only valid DER-encoded ASN.1 structures are created (unless raw ASN.1 data is inserted), it cannot ensure that the ASN.1 structures comply with the actual definition of a specific extension. If not defined properly, the generated extension may not be parsed by clients correctly, which may ultimately result in a crash of an application that uses the certificate. See the reference sections for literature and tools that will help you when you are going to create custom extensions.

Services policy module using the custom extensions mechanism. If you want to add e.g. a Certificate Policies extension that is different for a specific certificate type, simply create a custom extension with the certificate policies OID and de
nsion will not be included in the certificate if it does not contain any ASN.1 elements. The includeempty parameter is deprecated; please use the onempty parameter instead, which provides more options.

onempty (optional): Defines the behavior when the evaluation of the extension contents results in an empty ASN.1 structure.
- include: Include the extension with empty content.
- remove: Do not include the extension.
- original: Insert the extension provided by the original policy module, if present.
- A fourth value aborts the request processing with an error.
If not present, defaults to remove.

Samples

    <extension oid="1.3.18.0.2.18" critical="false" name="IBM HostIdMappings">
      <set>
        <sequence>
          <ia5string tag="1">IBM_HOST_PLATFORM</ia5string>
          <ia5string tag="2">user1</ia5string>
        </sequence>
      </set>
    </extension>

    <extension oid="2.5.29.17" critical="false" onempty="original" name="SubjectAltName">
      <sequence includeempty="false">
        <define name="dnsName"><requestattribute name="dnsName"/></define>
        <if name="dnsName">
          <ia5string tag="2"><insert name="dnsName"/></ia5string>
        </if>
      </sequence>
    </extension>

Variable Related Tags

define

Tag name: define

Enclosed content: Only text or tags that insert text a
nt to enumerate. If no element with the given OID is present, the enclosed tags are not evaluated. See subjectaltname for a list of available types.

define (mandatory): The name of the temporary variable to define with the SubjectAltName elements of the given type. This variable is only available to the enclosed tags.

reverse (optional): If true, reverses the order in which the elements of the given type found in the SubjectAltName are passed to the enclosed tags. If not defined or false, elements are processed in the order they appear in the SubjectAltName.

Make sure that the name of the temporary variable specified with define is unique and does not overwrite any other existing variable.

Samples

    <foreachsubjectaltname type="dNSName" define="myDnsName">
      <ifnot name="myDnsName" match="keyon\.test$" matchoptions="IGNORECASE">
        <exception>SubjectAltName policy violation: dNSName '<insert name="myDnsName"/>' doesn't end in keyon.test</exception>
      </ifnot>
    </foreachsubjectaltname>

This construct ensures that all dNSName entries present in the SubjectAltName are fully qualified domain names ending in keyon.test.

    <foreachsubjectaltname type="ipAddress" define="myIpAddress">
      <exception>SubjectAltName may not contain ipAddress entries</exception>
    </foreachsubjectaltname>

This constru
olean

Tag name: boolean

Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. The expanded text is evaluated as follows: if the text is "true" (case-insensitive, after removing leading and trailing white space), the ASN.1 boolean is set to true. Any other content will set the ASN.1 boolean to false.

Parameters

tag (optional): If defined, the ASN.1 object is implicitly tagged with the given context-specific tag.

Samples

    <boolean>true</boolean>

Generated ASN.1 representation: BOOLEAN TRUE

    <boolean tag="1">false</boolean>

Generated ASN.1 representation: [1] FALSE (dumpasn1 will show such an encoding as [1] 00)

    <boolean><requestattribute name="caBool"/></boolean>

integer

Tag name: integer

Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. The expanded text must be a positive integer in the range 0 to 2147483647. The implementation does not support negative integers, as they have no relevance for X.509 extensions.

Parameters

tag (optional): If defined, the ASN.1 object is implicitly tagged with the given context-specific tag.

Samples

    <integer>12</integer>

Generated ASN.1 representation: INTEGER 12

    <integer tag
olicy module to use for the request processing ("Select delegate policy module" dialog).

Note that searching the available policy modules may take a while. The true-Xtender policy module is never shown in the list, as it is not a valid selection for the delegate policy module.

You can edit the configuration of the delegate policy module by clicking Properties.

(Screenshot: Request Handling tab of the Windows default policy module: "The Windows default policy module controls how this CA should handle certificate requests by default. Do the following when a certificate request is received: Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.")

Consult the Microsoft documentation for details on the Microsoft policy configuration.

License

The License tab shows the true-Xtender license along with possible restrictions.

About

The About tab shows the true-Xtender version and provides a button to open a web browser and open the keyon web site.

Template Configuration

A specific template is configured by selecting the template in the Template Processing tab and clicking the Edit button, or by double-clicking the template.

(Screenshot: template dialog with the tabs Certificate Template Info and Allowed X.509 Extensions.)
tag (optional): If defined, the ASN.1 object is implicitly tagged with the given context-specific tag.

Samples

    <bitstring>001</bitstring>

Generated ASN.1 representation: BIT STRING 5 unused bits '100'B (bit 2)

    <bitstring tag="5">001</bitstring>

Generated ASN.1 representation: [1] '100'B (dumpasn1 will show such an encoding as)

    <bitstring><requestattribute name="keyusage"/></bitstring>

octetstring

Tag name: octetstring

Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed. The expanded text must only contain 0-9 and A-F characters representing the binary data in hex format. Bytes may be separated with whitespace or a separator character. If the total number of characters is odd, a 0 character is added for padding.

Parameters

tag (optional): If defined, the ASN.1 object is implicitly tagged with the given context-specific tag.

Samples

    <octetstring>123456789abcdef</octetstring>

Generated ASN.1 representation: OCTET STRING 12 34 56 78 9A BC DE F0

    <octetstring>12 34 56 78 9a bc de f0</octetstring>

Generated ASN.1 representation: OCTET STRING 12 34 56 78 9A BC DE F0

    <octetstring><requestattribute name="data"/></octetstring>

bo
ote that there are two naming schemas in use: the standard X.500 schema, which uses countries or organizations as root elements, and the DNS schema, which uses domain components as the root elements.

In a certificate, the DN C=CH, O=keyon, CN=www.keyon.ch is encoded in ASN.1 as follows:

    SEQUENCE {
      SET {
        SEQUENCE {
          OBJECT IDENTIFIER countryName (2.5.4.6)
          PrintableString 'CH'
        }
      }
      SET {
        SEQUENCE {
          OBJECT IDENTIFIER organizationName (2.5.4.10)
          PrintableString 'keyon'
        }
      }
      SET {
        SEQUENCE {
          OBJECT IDENTIFIER commonName (2.5.4.3)
          PrintableString 'www.keyon.ch'
        }
      }
    }

DNs are usually printed in reverse order, as the last element defines the interesting end entity. Printing the RDNs in reverse order thus improves the readability: CN=www.keyon.ch, O=keyon, C=CH. In the certificate structure itself, however, the order should be hierarchical top-down, starting with the root node (C=CH) and ending with the end entity node.

Adding a RDN element to the subject DN

Add the RDN into the edit field under "Enter a new RDN and click Insert to add it to the list" and click Insert to add it to the list, e.g.:

    cn=<RequestRDN 2.5.4.3 1>

See below for the special syntax used to add request attribut
112
Using a custom extension definition to lookup data for the subject DN 113
Allowed X.509 Extensions 115
Adding well-known extensions 116
Adding extensions by OID 117
Removing extensions from the list 117
Event Log 118
Event IDs used 119
Regular expressions 120
Special characters 120
Non-printable characters 120
Characters for pattern expressions 121
Character sets 121
Standard character sets 121
Custom
ows (Start menu: All Programs > true-Xtender > Configure true-Xtender).

The true-Xtender configuration will be opened.

(Screenshot: the true-Xtender configuration dialog for a Standalone CA and an Enterprise CA, with the tabs Template Processing, License and About. The Template Processing tab lists the certificate templates (Administrator, Root Certification Authority, CA Exchange, CEP Encryption, Trust List Signing, Authenticated Session, Code Signing, Cross Certification Authority, Directory Email Replication, Domain Controller, Domain Controller Authentication, Basic EFS, EFS Recovery Agent, Enrollment Agent, Exchange Enrollment Agent (Offline request), Exchange User, Exchange Signature Only, IPSec (Offline request), IPSec, Key Recovery Agent) with a "Processed" column, here "No" for all, and the buttons Add, Edit and Remove.)

You cannot configure the underlying Microsoft policy module when true-Xtender is configured using the provided configuration application. Configure true-Xtender from within the Certificate Services management console if you want to configure the underlying Microsoft policy module.

Configure within Certificate Services Management

Start the Certificate Services Management console by selecting Start > Administrative Tools > Certification Authority.
quest DN are passed to the enclosed tags. If not defined or false, RDNs are processed in the order they appear in the request DN.

Make sure that the name of the temporary variable specified with define is unique and does not overwrite any other existing variable.

Samples

    <foreachrequestrdn oid="2.5.4.3" define="myCN">
      <ifnot name="myCN" match="keyon\.test$" matchoptions="IGNORECASE">
        <exception>CommonName '<insert name="myCN"/>' doesn't end in keyon.test</exception>
      </ifnot>
    </foreachrequestrdn>

This construct would ensure that all CommonName entries in the request DN contain a fully qualified DN ending in keyon.test.

foreachsubjectrdn

Tag name: foreachsubjectrdn

Enclosed content: Only enclosed tags are allowed. For each RDN matching the given OID in the subject DN, a temporary variable with the RDN content is defined and the enclosed tags are evaluated. The subject DN may be different from the request DN if the subject DN building of true-Xtender is used: the subject DN is the DN that will be included in the certificate and may differ from the request DN.

Parameters

oid (mandatory): The OID identifying the RDN elements to enumerate. If no RDN with the given OID is present, the enclosed tags are not evaluated. See
If the total number of characters is odd, a 0 character is added for padding.

You must ensure that the raw data given represents a valid ASN.1 construct using DER encoding rules. If the data given is not valid DER-encoded ASN.1 data, the resulting X.509 extension will be corrupt and may cause applications that parse the extensions to crash.

Parameters

None.

Samples

    <raw>311C301A811149424D5F484F53545F504C4154464F524D82057573657231</raw>

Generated ASN.1 representation:

    SET {
      SEQUENCE {
        [1] 'IBM_HOST_PLATFORM'
        [2] 'user1'
      }
    }

Unsupported ASN.1 Types

The following ASN.1 types are not supported since they are not used in X.509 certificate extensions: RELATIVE-OID, REAL, VideotexString, GraphicString, ObjectDescriptor.

Using a custom extension definition to enforce subject name requirements

You can define a custom extension that is always empty and will never be included in the certificate, for the sole purpose of ensuring that parts of the subject name meet specific requirements. As the if and ifnot logic tags allow regular expressions to be specified, blacklist or whitelist patterns can be implemented to enforce, for example, well-formed subject names or specific domain names.

Sample

The following configuration will never add an extension, as no ASN.1 tags are present and onempty
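The raw tag places whatever hex you give it straight into the certificate, so the DER check the guide asks for is worth automating. The following Python walker is an added example (not true-Xtender code): it verifies that a hex string is exactly one complete DER element with definite, minimal lengths, and renders it the way the guide's "Generated ASN.1 representation" does, using the guide's own sample as input. Where the padding 0 for an odd digit count is added is not stated by the guide; prepending it is an assumption.

```python
"""Check that a hex string intended for a true-Xtender <raw> tag is well-formed DER.

Added example, not code from true-Xtender or its documentation.
"""
import binascii

# Universal tag numbers that matter for X.509 extension contents.
UNIVERSAL_NAMES = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x04: "OCTET STRING",
                   0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String",
                   0x16: "IA5String", 0x30: "SEQUENCE", 0x31: "SET"}


class DerError(ValueError):
    """The bytes are not a valid DER encoding."""


def _read_length(data: bytes, pos: int) -> tuple[int, int]:
    """Return (length, offset of first content byte) for the length field at pos."""
    if pos >= len(data):
        raise DerError(f"truncated length field at offset {pos}")
    first = data[pos]
    if first < 0x80:                          # short form
        return first, pos + 1
    if first == 0x80:                         # indefinite form is BER, never DER
        raise DerError(f"indefinite length at offset {pos} is not DER")
    count = first & 0x7F
    if pos + 1 + count > len(data):
        raise DerError(f"truncated long-form length at offset {pos}")
    length = int.from_bytes(data[pos + 1:pos + 1 + count], "big")
    if length < 0x80 or data[pos + 1] == 0:   # DER requires the shortest encoding
        raise DerError(f"non-minimal length encoding at offset {pos}")
    return length, pos + 1 + count


def _walk(data: bytes, pos: int, end: int, depth: int, out: list[str]) -> int:
    """Render one TLV starting at pos into out; return the offset just after it."""
    if pos >= end:
        raise DerError(f"missing element at offset {pos}")
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise DerError(f"multi-byte tag at offset {pos} not supported")
    length, body = _read_length(data, pos + 1)
    if body + length > end:
        raise DerError(f"element at offset {pos} overruns its container")
    if tag & 0xC0 == 0x80:                    # context-specific: [n], as in the guide
        label = f"[{tag & 0x1F}]"
    else:
        label = UNIVERSAL_NAMES.get(tag, f"tag 0x{tag:02X}")
    indent = "  " * depth
    if tag & 0x20:                            # constructed: recurse over the children
        out.append(f"{indent}{label} {{")
        cur = body
        while cur < body + length:
            cur = _walk(data, cur, body + length, depth + 1, out)
        out.append(f"{indent}}}")
    else:                                     # primitive: show printable ASCII as text
        value = data[body:body + length]
        printable = all(0x20 <= b < 0x7F for b in value)
        text = value.decode("ascii") if printable else value.hex().upper()
        out.append(f"{indent}{label} '{text}'")
    return body + length


def dump_raw_hex(hex_text: str) -> list[str]:
    """Validate <raw> content and return its structure, one line per element.

    An odd number of hex digits is padded with a leading '0' (assumption: the
    guide does not say where the padding 0 goes). Raises DerError unless the
    bytes form exactly one complete DER element.
    """
    digits = "".join(hex_text.split())
    if len(digits) % 2:
        digits = "0" + digits
    try:
        data = binascii.unhexlify(digits)
    except (binascii.Error, ValueError) as exc:
        raise DerError(f"not a hex string: {exc}") from exc
    out: list[str] = []
    consumed = _walk(data, 0, len(data), 0, out)
    if consumed != len(data):
        raise DerError(f"{len(data) - consumed} trailing byte(s) after the outer element")
    return out


def is_valid_raw_hex(hex_text: str) -> bool:
    """True if the hex string is safe to place in a <raw> tag."""
    try:
        dump_raw_hex(hex_text)
        return True
    except DerError:
        return False


# The guide's sample: SET { SEQUENCE { [1] 'IBM_HOST_PLATFORM' [2] 'user1' } }
GUIDE_SAMPLE = "311C301A811149424D5F484F53545F504C4154464F524D82057573657231"

if __name__ == "__main__":
    print("\n".join(dump_raw_hex(GUIDE_SAMPLE)))
```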
for a given extension. The following list shows the current OID for some common extensions with multiple OIDs available.

The selected extension is automatically inserted into the edit field after the selection.

[Screenshot: "Enter or select an OID and click Add to add it to the list"; the list shows <Unknown> 1.2.3.4.5.6, Basic Constraints 2.5.29.19 and Key Usage 2.5.29.15]

Adding extensions by OID

Simply enter the OID of the extension under "Enter or select an OID and click Add to add it to the list" and click Add. After clicking Add, the extension with the entered OID is added to the list. If the OID is not known to Microsoft Windows, the description of this OID will be <Unknown>.

[Screenshot: the list after adding OID 1.2.3.4.5.6, shown as <Unknown> 1.2.3.4.5.6 next to Basic Constraints 2.5.29.19 and Key Usage 2.5.29.15]

Removing extensions from the list

Simply select the extension in the list and click the Remove button to remove an extension from the list.

keyon Event Log

The keyon true-Xtender logs all events in the Windows Application Event Log.

[Screenshot: Event Viewer (Local) > Application, showing entries dated 19.01.2007 from source LoadPerf with event IDs 1000 and 1001, user N/A, on computer KEYON]
are permitted. No enclosed ASN.1 tags are allowed.

The expanded text will be assigned to the variable. Heading and trailing whitespace is removed. If a regular expression with a capture group is specified in the match parameter, only the matching part of the expanded text will be assigned to the variable.

Parameters

name: The variable to define.
match (optional): The match parameter can be used to specify a regular expression with a capture group, i.e. an expression placed in brackets, to extract a part of the expanded text. If no capture group is specified in the regular expression, the contents will always evaluate to an empty string.
matchoptions (optional): Comma-separated modification options for the regular expression evaluation. The most useful option is IGNORECASE, which will force a case-insensitive match of the pattern. This parameter is only used when match is given.

If you use regular expressions to extract a part of the content, make sure that the regular expression is designed correctly. You can use the regular expression test utility that ships with true-Xtender to check the results of your regular expression with different input. See section Regular expressions for details about regular expressions.

Samples

    <define name="sha1withRSAEncryption">1.2.840.113549.1.1.5</define>
    <define name="upn"><requestattribute name="upn"/></define>
The following elements are used to specify a condition for a position in the string:

- Current position must be the beginning of text.
- Current position must be the end of text.
- Current position must be a word boundary.

Notes: If the match mode is MULTILINE, the beginning-of-text condition will match line begin and the end-of-text condition can match line end. If b is added to a character set, it will stand for the backspace character (ASCII 8).

Alternative expressions

Use the alternation operator to match any one of multiple alternative expressions. The engine will try the alternative expressions from left to right.

Grouping

Use brackets to enclose sub-expressions into a single element. The sub-expressions in it are treated as a whole when the group is quantified. The first captured group can be retrieved using the define tag.

Options

The following options can be specified to change the behavior of the regular expression evaluation:

IGNORECASE: By default a regular expression is case sensitive. Apply this mode to match case-insensitively. Character sets, however, are always case sensitive.
SINGLELINE: By default the dot can match any character except newline. SINGLELINE mode will let the dot match any character.
MULTILINE: Changes the beginning-of-text and end-of-text conditions from matching the start or end of the string to matching the start or end of any line anywhere within the string. SINGLELINE and MULTILINE only sound mutually exclusive
The ia5string tag will encode the contents as an ASN.1 IA5String. In this case the fixed text SAMPLE_HOST_NAME is encoded. As the ia5string tag has the tag parameter set, the result will be implicitly tagged with value 1, as requested by the extension specification. Note that leading and trailing whitespace of text content is stripped.

Content transformation tag

    <tolower></tolower>

The tolower tag will lowercase the enclosed text. This ensures that even if the hostid was specified in mixed case in the request attribute, we will always include a lowercase hostid in the extension.

Variable inclusion

    <insert name="hostid"/>

The insert tag inserts the content of the named variable.

Root Tag

extension Tag

Tag name: extension
Enclosed content: Any number of logic and definition tags, but at most one ASN.1 tag is allowed.

The extension tag must be the root tag in the custom certificate extension file and it cannot be nested.

Parameters

(mandatory): The OID of the custom extension.
Display name of the custom extension.
critical (optional): If true, the extension will be marked critical. If the parameter is not included or set to false, the extension will be non-critical.
includeempty (optional, deprecated): If set to true, the extension will be included even if it does not have any contents. If the parameter is not present or set to false, the exte
Creating a backup of the current true-Xtender configuration .... 14
Restoring a true-Xtender configuration from a backup .... 15
Configuration .... 16
Using true-Xtender configuration application .... 16
Configure within Certificate Services Management .... 17
Template Processing .... 19
Standalone CA .... 20
Managing standalone templates .... 20
The default template .... 20
Adding custom templates .... 21
Removing custom templates .... 21
Specifying the template to use for a request with a Standalone CA .... 21
New Requests .... 21
Pending Requests .... 22
Delegate Policy Configuration .... 22
as a string, or a hex string representing the raw ASN.1 DER encoding if the value is not a string.
rfc822Name (1): rfc822Name entry as a string.
directoryName (4): Hex string; directoryName as a hex string representing the ASN.1 DER-encoded Name.
uniformResourceIdentifier (6): uniformResourceIdentifier entry as a string.
registeredID (8): OID string; registeredID entry as an OID string.

Samples

    <utf8string><subjectaltname type="otherName" 1.3.6.1.4.1.311.20.2.3></utf8string>

timenow Tag

Tag name: timenow
Enclosed content: Text or tags that insert text which form a date format. No enclosed ASN.1 tags are allowed.

The current time is formatted according to the enclosed format. If the tag is enclosed in an ASN.1 utctime or generalizedtime tag, the correct date format string for the ASN.1 date is inserted.

Format string elements:

- Day of month as decimal number (01-31)
- Day of year as decimal number (001-366)
- Week of year as decimal number, with Sunday as first day of week (0-53)
- Weekday as decimal number (0-6; Sunday is 0)
- Week of year as decimal number, with Monday as first day of week (0-53)
- Date representation for current locale
- Time representation for
order:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>\SubjectTemplate

Samples

The following samples show how a request DN is altered depending on the configuration.

Keep request DN

Challenge: The original DN from the request should be used for the issued certificate.
Request DN: cn=John Doe,cn=Users,dc=keyon,dc=ch
Request attributes: (none)
Ordered RDN Components: (none)
Resulting Subject DN: cn=John Doe,cn=Users,dc=keyon,dc=ch

Using original request RDN element

Challenge: The first CN element from the request DN must be used and the rest of the DN must be hard-coded.
Request DN: cn=John Doe,cn=Users,dc=keyon,dc=ch
Request attributes: (none)
Ordered RDN Components: c=CH, o=keyon, ou=Engineering, cn=<RequestRDN 2.5.4.3>
Resulting Subject DN: cn=John Doe,ou=Engineering,o=keyon,c=CH

Use request attributes

Challenge: The CN and the Email elements in the subject DN must be taken from request attributes and the rest of the DN must be hard-coded.
Request DN: cn=John Doe,cn=Users,dc=keyon,dc=ch
Request attributes: mycn=Jane Sample, myemail=jane.sample@keyon.ch
Ordered RDN Components: dc=ch, dc=keyon, cn=<RequestAttribute mycn>, mail=<RequestAttribute myemail>
Resulting Subject DN: email=jane.sample@keyon.ch,cn=
Regular expression sample

    <define name="host" match="keyon.ch" matchoptions="IGNORECASE"><insert name="cn"/></define>

If the variable cn contains host1.keyon.ch, the value host1 would be assigned to the variable host, as the expression matches. Note the capture group in the expression above. If the variable cn contains host1.keyon.com, an empty string would be assigned to the variable host, as the expression does not match.

undefine Tag

Tag name: undefine
Enclosed content: Text is ignored. No enclosed ASN.1 tags are allowed.

After this tag is processed, the variable is no longer defined.

Parameters

name: The variable to undefine.

Samples

    <undefine name="upn"/>

insert Tag

Tag name: insert
Enclosed content: Text is ignored. No enclosed ASN.1 tags are allowed.

Parameters

name (mandatory): The variable content to insert. If the variable is not defined, nothing will be inserted.

Samples

    <ia5string><insert name="sha1withRSAEncryption"/></ia5string>

If the variable name is not the reserved name of an XML tag, you can also insert the variable contents using the variable name as an XML tag:

    <sha1withRSAEncryption/>
    <if name="upn" match="administrator" matchoptions="IGNORECASE">
      <exception>Invalid UPN <insert name="upn"/></exception>
    </if>

This construct would prevent the use of a UPN for the user Administrator.

ifnot Tag

Tag name: ifnot
Enclosed content: Only enclosed tags are allowed.

The enclosed tags will be added to the custom extension if the specified variable does not exist, is empty, or optionally does not have a specific value.

Parameters

name: The variable to check.
value (optional): If given, the variable content is checked against the value parameter. Only if the variable content does not match the given value are the enclosed tags added. If this parameter is not given, the enclosed tags are only added if the variable is not defined or does not contain any text.
match (optional): The match parameter can be used instead of the value parameter to specify a regular expression instead of a fixed value. The enclosed tags are only added if the variable contents do not match the regular expression exactly. This parameter is only used when value is not given.
matchoptions (optional): Comma-separated modification options for the regular expression evaluation. The most useful option is IGNORECASE, which will force a case-insensitive match of the pattern. This parameter is only used when match
not empty, and optionally has a specific value or matches a regular expression.

Parameters

name: The variable to check.
value (optional): If given, the variable content is checked against the value parameter. Only if the variable content matches the given value are the enclosed tags added. If this parameter is not given, the enclosed tags are added if the variable is defined and not empty.
match (optional): The match parameter can be used instead of the value parameter to specify a regular expression instead of a fixed value. The enclosed tags are only added if the variable contents match the regular expression exactly. This parameter is only used when value is not given.
matchoptions (optional): Comma-separated modification options for the regular expression evaluation. The most useful option is IGNORECASE, which will force a case-insensitive match of the pattern. This parameter is only used when match is given.

If you use regular expressions, make sure that the regular expression is designed correctly. See section Regular expressions for details about regular expressions.

Samples

    <if name="email">
      <sequence>
        <ia5string><insert name="email"/></ia5string>
      </sequence>
    </if>

    <sequence>
      <if name="includeEmail" value="true">
        <ia5string><insert name="email"/></ia5string>
      </if>
    </sequence>
syntax. Defaults to LDAP://<domain>, where domain is the Active Directory domain of which the Certificate Services server is a member.
username (optional): The user name to use for authentication against the Active Directory. If not specified, the credentials of the Certificate Services process are used for authentication. The username is only required if the Certificate Services server is not part of the Active Directory domain to query.
password (optional): The password to use for authentication against the Active Directory. See username for details.
secureauthentication (optional): If an authentication with username/password is used, specifies whether only a secure authentication mechanism is used (true, default) or not (false). AD LDS and other LDAP servers may require this option to be set to false for authentication to work.

Tag parameter / Presence: resultmaxcount (optional), attributerow (optional), attributeorder (optional), attributemaxcount (optional), attribute (mandatory).

Description:

- The search scope. May be base, onelevel or subtree (default). If you do not specify subtree as the search scope, you must specify an object path in the binding attribute.
- The index of the result row to use. The first row uses index 1. Defaults to 1.
- The maximum result rows the query may return to succeed. If only a single row is expected (the normal case), 1 must be specified so that an exception is t
content must not be present in the tokenized content of name.
ignorecase (optional): Defines whether the lookup in the tokenized list is performed case-insensitively (true) or whether an exact match is required (false). If not defined, a case-insensitive match is used (true).

Samples

    <define name="validDomains">keyon.ch keyoff.ch</define>
    <define name="domain"><requestattribute name="domain"/></define>
    <ifnotcontains name="validDomains" element="domain">
      <exception>Domain specified not owned by keyon AG</exception>
    </ifnotcontains>

This construct would ensure that the request attribute domain is contained in the list of valid domains, i.e. is either keyon.ch or keyoff.ch.

exception Tag

Tag name: exception
Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed.

If a text is given, the text is used as the exception message. Note that processing is aborted when an exception tag is encountered; exception tags are therefore used within if or ifnot tags.

You can use the exception tag to prevent the issuance of a certificate if required data (e.g. a specific request attribute) is missing. Together with the possibility of preventing empty extensions from being included, this mechanism can also be used to ensure that all required attributes
if the extension does not have any content. Every custom extension must have an extension tag as the root tag. Each custom extension XML file can have only one extension tag.

Variable definition

    <define name="hostid"></define>

The define tag allows variables to be defined for use, e.g., in logic tags. The define tag assigns the enclosed content to the named variable, in this case hostid.

Request attribute access

    <requestattribute name="hostid"/>

The requestattribute tag inserts the content of the named request attribute as text. If the request attribute is not set, an empty string is inserted.

Logic tag

    <if name="hostid"></if>

The if tag adds the included content only if the condition is matched. In this case the enclosed content is added only if the variable hostid is not empty. If the hostid variable is empty, i.e. the request attribute hostid is not set, nothing will be added and we have an empty extension. Since the extension tag requests that empty extensions are not added, the keyon true-Xtender will add the extension only if the request attribute hostid is set.

ASN.1 SEQUENCE tag

    <sequence></sequence>

The sequence tag will generate an ASN.1 sequence containing the enclosed ASN.1 objects.

ASN.1 IA5String tag

    <ia5string tag="1">SAMPLE_HOST_NAME</ia5string>
using Active Directory Services.

Search filters

Please consult RFC 2254 and ADS for details on the LDAP search filter syntax. The string representation of an LDAP search filter is defined by the following grammar. The filter format uses a prefix notation.

    filter       = "(" filtercomp ")"
    filtercomp   = and / or / not / item
    and          = "&" filterlist
    or           = "|" filterlist
    not          = "!" filter
    filterlist   = 1*filter
    item         = simple / present / substring / extensible
    simple       = attr filtertype value
    filtertype   = equal / approx / greater / less
    equal        = "="
    approx       = "~="
    greater      = ">="
    less         = "<="
    extensible   = attr [":dn"] [":" matchingrule] ":=" value
                 / [":dn"] ":" matchingrule ":=" value
    present      = attr "=*"
    substring    = attr "=" [initial] any [final]
    initial      = value
    any          = "*" *(value "*")
    final        = value
    attr         = AttributeDescription
    matchingrule = MatchingRuleId
    value        = AttributeValue

A substring x in the search filter, where x is a text string, is replaced by the contents of the variable or placeholder x. Variables inserted into the search filter are quoted appropriately. The & operator in a search filter string, however, must be inserted as &amp; due to XML requirements.

You can use the memberOf attribute in a search filter to check if a user is a member of a specific group:

    (memberOf=CN=Administrators,CN=Builtin,DC=keyon,DC=ch)

If the user is not a member of the Administrators group, no value for an attribute, e.g. d
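The guide says substituted variables are "quoted appropriately" without listing the rules; the following Python is an added example (not true-Xtender code) of what that has to mean for a value taken from a request attribute: RFC 2254 section 4 escaping of the value so it cannot alter the filter structure, plus the &amp; spelling the XML file requires. The {name} placeholder syntax and the attribute names in the constructed template are assumptions.

```python
"""RFC 2254 value escaping for an LDAP search filter built from request data.

Added example, not code from true-Xtender or its documentation.
"""
import re
from xml.sax.saxutils import escape as xml_escape

# RFC 2254 section 4: these characters may not appear literally inside a value.
_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value so it cannot change the structure of the filter.

    Non-ASCII characters are emitted as escaped UTF-8 bytes, which RFC 2254
    also permits and which keeps the filter string 7-bit clean.
    """
    out = []
    for ch in value:
        if ch in _ESCAPE:
            out.append(_ESCAPE[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template: str, variables: dict[str, str]) -> str:
    """Substitute {name} placeholders in a filter template with escaped values.

    The {name} syntax is an assumption about the guide's placeholder form. An
    undefined variable raises KeyError instead of silently yielding another filter.
    """
    return re.sub(r"\{(\w+)\}",
                  lambda m: escape_filter_value(variables[m.group(1)]), template)


def as_xml_attribute(ldap_filter: str) -> str:
    """Spell the filter for use inside an XML attribute value: '&' becomes '&amp;'."""
    return xml_escape(ldap_filter, {'"': "&quot;"})


# Constructed sample template: account lookup restricted to members of the
# group from the guide's memberOf example. Attribute names are assumptions.
TEMPLATE = ("(&(objectClass=user)(sAMAccountName={user})"
            "(memberOf=CN=Administrators,CN=Builtin,DC=keyon,DC=ch))")

if __name__ == "__main__":
    print(render_filter(TEMPLATE, {"user": "jdoe"}))
    print(as_xml_attribute(render_filter(TEMPLATE, {"user": "j*"})))
```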
attributes or RDN elements for the subject DN building are present. See "Using a custom extension definition to enforce subject name requirements" for an example of how to implement such an extension.

Parameters

None.

Samples

    <ifnot name="email">
      <exception>Email address is not defined</exception>
    </ifnot>

Loop Tags

foreach Tag

Tag name: foreach
Enclosed content: Only enclosed tags are allowed.

The content of the specified variable is tokenized at the given delimiters, and for each token found a temporary variable with the token content is defined and the enclosed tags are evaluated.

Parameters

name (mandatory): The variable content to tokenize. If the variable is not defined, the enclosed tags are not evaluated.
delimiters (mandatory): The delimiters to use when tokenizing the variable content. Multiple delimiters, including the space character, can be specified.
define (mandatory): The name of the temporary variable to define with the token content. Heading and trailing whitespace of the token content is removed. This variable is only available to the enclosed tags.
reverse (optional): If true, reverses the order in which the tokens found after tokenization are passed to the enclosed tags. If not defined or false, tokens are processed in the order they appear after tokenization.
to learn how to specify a certificate template when using a standalone CA type.

You cannot delete the default template.

Adding custom templates

On the Template Processing tab, click the Add button. Enter the name of the new template in the popup dialog that is shown.

[Screenshot: "Add Template for Standalone CA" dialog with the field Template Name set to keyon]

After clicking OK, the new template will be added to the templates list.

[Screenshot: templates list with the columns Certificate Template and Processed: <default> No, keyon No]

Template names are case sensitive. However, you cannot add two templates which differ only by case. You should not use the space character or any other special character in the template name.

Removing custom templates

On the Template Processing tab, select the template you'd like to remove and click the Remove button.

Specifying the template to use for a request with a Standalone CA

You can set the certificate template to use with a standalone CA either when you create the request or when the request is pending.

New Requests

If new requests are created with the certreq utility, you can set the template to use by adding the following lines to the policy INI file:

    [RequestAttributes]
    CertificateTemplate=keyon

If you set the certificate template in the request attribute as described above, Certificate Services will include an X.509 extension with the certificate template name and extension OID 1.3.6.1.4.1.311.20.2. You can
with the same OID are present. If element is not given, the first RDN with the given OID is used.

Elements taken from the original request containing quote characters are automatically expanded, i.e. each quote character is doubled. You must make sure to quote the whole RDN value to support original request values containing special characters, e.g. CN="<RequestRDN 2.5.4.3>".

Samples

Consider the following original request DN:

    cn=John Doe,cn=Users,dc=keyon,dc=ch

The contents of the RDN elements can be retrieved as follows:

    <RequestRDN 2.5.4.3>                       -> John Doe
    <RequestRDN 2.5.4.3 1>                     -> John Doe
    <RequestRDN 2.5.4.3 2>                     -> Users
    <RequestRDN 0.9.2342.19200300.100.1.25>    -> keyon
    <RequestRDN 0.9.2342.19200300.100.1.25 1>  -> keyon
    <RequestRDN 0.9.2342.19200300.100.1.25 2>  -> ch

OIDs of common RDN elements

Long names (the short name and OID columns of the table are not reproduced): CommonName, Country, DeviceSerialNumber, DomainComponent, Email, GivenName, Initials, Locality, Organization, OrganizationalUnit, State, StreetAddress, SurName, Title.

RDN OID Lookup Utility

The Subject DN Building page features a simple RDN OID lookup utility in the lower left corner. To select an RDN, click on the drop list button.

[Screenshot: RDN OID Lookup drop list showing C 2.5.4.6, CN 2.5.4.3, DC 0.9.2342.19200300.100.1.25, Description 2.5.4.13, E 1.2.840.113549.1.9.1, ...]
[Screenshots of the Setup Wizard: "Welcome to the keyon true-Xtender Setup Wizard" (The Setup Wizard will install keyon true-Xtender on your computer. Click Next to continue or Cancel to exit the Setup Wizard.); "Select Installation Folder" (This is the folder where keyon true-Xtender will be installed. To install in this folder, click Next. To install to a different folder, enter it below or click Browse. Folder: C:\Program Files\trueXtender\); "Ready to Install" (The Setup Wizard is ready to begin the Typical installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.); "Completing the keyon true-Xtender Setup Wizard" (Click the Finish button to exit the Setup Wizard. Option: Launch keyon true-Xtender.)]

You can use Add or Remove Programs in the Windows control panel to repair or remove the keyon true-Xtender installation.

After successfully installing the keyon true-Xtender, a new entry in the start menu is created under Start > All Programs > true-Xtender. You are now ready to configure Microsoft Certificate Services to use the keyon true-Xtender as the policy module.

Configure Certificate Services for keyo
[Screenshot: error dialog "More than one certificate authority configured. Unable to continue."]

This problem occurs if Certificate Services was only partially installed, e.g. because the creation of the CA was aborted. If Certificate Services is removed and added again, but using a different CA name, the remainders of the first CA cause the problem. The registry shows two (or even more) CA entries in this case.

[Screenshot: Registry Editor at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, showing the subkeys "Demo Standalone Root" and "Standalone Root CA"; values: (Default) REG_SZ (value not set), SetupStatus REG_DWORD 0x00000000 (0)]

Resolution: Use the registry editor (regedit.exe) to delete the registry key of the previous CA under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

Reference

Tools

The following tools can be used to dump and examine X.509 certificates to verify the correct implementation of the certificate customizations:

dumpasn1: ASN.1 dump utility, http://www.cs.auckland.ac.nz/~pgut001/
GUIdumpASN: GUI version of the ASN.1 dump utility, http://www.geminisecurity.com/guidumpasn.html
openssl

Literature

RFC3280
ASN 1
ASN 2
Tag name: base64tohexstring
Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed.

The expanded text will be considered Base64-encoded binary data, and the decoded binary data is returned as a hex string, e.g. for use in the octetstring or raw tag.

Parameters

None. An exception is thrown if the expanded text is not valid Base64-encoded data.

Samples

    <explicit tag="0">
      <raw><base64tohexstring><requestattribute name="asn1element"/></base64tohexstring></raw>
    </explicit>

This would insert an explicitly tagged ASN.1 element which is provided in Base64-encoded form in the request attribute asn1element.

ASN.1 Basic Types

objectid Tag

Tag name: objectid
Enclosed content: Only text or tags that insert text are permitted. No enclosed ASN.1 tags are allowed.

The expanded text must be a valid OID.

Parameters

tag (optional): If defined, the ASN.1 object is implicitly tagged with the given context-specific tag.

Samples

    <objectid>1.2.840.113549.1.1.5</objectid>

Generated ASN.1 representation:

    OBJECT IDENTIFIER 1.2.840.113549.1.1.5

    <objectid tag="5">1.2.840.113549.1.1.5</objectid>

Generated ASN.1 representation:

    [5] 1.2.840.113549.1.1.5

dumpasn1 will show such an encoding as:

    [5] 2A 86 48 86 F7 0D 01 01 05
However, the use of insert is preferred, as it makes clear that a variable is inserted.

inserttoken Tag

Tag name: inserttoken
Enclosed content: Text is ignored. No enclosed ASN.1 tags are allowed.

The specified variable is tokenized at the given delimiters and the token with the given index is inserted. Heading and trailing whitespace of the token is removed.

Parameters

name (mandatory): The variable content to tokenize. If the variable is not defined, nothing will be inserted.
delimiters (mandatory): The delimiters to use when tokenizing the variable content. Multiple delimiters, including the space character, can be specified.
index: The index of the token to insert.

Samples

    <ia5string><inserttoken name="dnsNames" delimiters=" " index="2"/></ia5string>

If the variable dnsNames contains the string "host1.keyon.ch host2.keyon.ch host3.keyon.ch", the text host2.keyon.ch would be inserted by the statement above. Note that empty tokens are skipped, i.e. the string "one two three" is tokenized into three tokens only: one at index 1, two at index 2 and three at index 3.

Logic Tags

if Tag

Tag name: if
Enclosed content: Only enclosed tags are allowed.

The enclosed tags will be added to the custom extension if the specified variable exists, is not
