CAName

CAName is the "CN" portion of the CA's formal X.500 name, with the name encoded in URL syntax.

| Certificate or CRL | Value of CAName |
|---|---|
| First Certificate | If the Certificate Authority is called "Company Root CA", then the value of the CAName variable is "Company%20Root%20CA". |
| Next Certificate (same key) | Same as the first certificate. |
| Next Certificate (new key) | Same as the first certificate. |
| Full CRL (same key) | Same as the first certificate. |
| Delta CRL | Same as the first certificate. |

Overall: Mixed recommendation

| Path | Recommendation |
|---|---|
| Use in AIA | Maybe. Not recommended for HTTP and File paths if the name contains anything other than the URL "Unreserved" characters (letters, numbers, and limited punctuation such as period (.), dash (-), underscore (_) and tilde (~)). |
| Use in CDP | Maybe. Not recommended for HTTP and File paths if the name contains anything other than the URL "Unreserved" characters (letters, numbers, and limited punctuation such as period (.), dash (-), underscore (_) and tilde (~)). |
CAObjectClass

CAObjectClass is the LDAP object type and descriptive class name for certificate objects, used only in LDAP URLs as the final part of the URL so that the directory service creates the correct object type.

| Certificate or CRL | Value of CAObjectClass |
|---|---|
| First Certificate | The invariant string "cACertificate?base?objectClass=certificationAuthority". |
| Next Certificate (same key) | Same as the first certificate. |
| Next Certificate (new key) | Same as the first certificate. |
| Full CRL (same key) | N/A - not available for CRL paths. |
| Delta CRL | N/A - not available for CRL paths. |

Overall: Mixed recommendation

| Path | Recommendation |
|---|---|
| Use in AIA | Maybe. Invalid for HTTP and File URLs, due to question marks. Valid for LDAP URLs, but LDAP URLs may specify internal path names and locations, so may not resolve outside the corporate network. |
| Use in CDP | No. Invalid for HTTP and File URLs, due to question marks, and specifies an incorrect path and object type for LDAP URLs. |
CATruncatedName

CATruncatedName is the "CN" portion of the CA's formal X.500 name, without special encoding.

| Certificate or CRL | Value of CATruncatedName |
|---|---|
| First Certificate | If the Certificate Authority is called "Company Root CA", then the value of the CATruncatedName variable is "Company Root CA". |
| Next Certificate (same key) | Same as the first certificate. |
| Next Certificate (new key) | Same as the first certificate. |
| Full CRL (same key) | Same as the first certificate. |
| Delta CRL | Same as the first certificate. |

Overall: Mixed recommendation

| Path | Recommendation |
|---|---|
| Use in AIA | Maybe. Results may be inconsistent if used in HTTP and File URLs, due to spaces and varying interpretations of encoding (e.g. whether it is required in the request, on disk, etc.). Valid for LDAP URLs. |
| Use in CDP | Maybe. Results may be inconsistent if used in HTTP and File URLs, due to spaces and varying interpretations of encoding (e.g. whether it is required in the request, on disk, etc.). Valid for LDAP URLs. |
CDPObjectClass

CDPObjectClass is the LDAP object type and descriptive class name for CRL objects, used only in LDAP URLs as the final part of the URL so that the directory creates the correct object type.

| Certificate or CRL | Value of CDPObjectClass |
|---|---|
| First Certificate | N/A - not available for AIA paths. |
| Next Certificate (same key) | N/A - not available for AIA paths. |
| Next Certificate (new key) | N/A - not available for AIA paths. |
| Full CRL (same key) | The invariant string "certificateRevocationList?base?objectClass=cRLDistributionPoint". |
| Delta CRL | Same as the full CRL. |

Overall: Mixed recommendation

| Path | Recommendation |
|---|---|
| Use in AIA | No. The variable is not available for use in AIA paths. |
| Use in CDP | Maybe. Invalid for HTTP and File URLs, due to question marks. Valid for LDAP URLs, but LDAP URLs may specify internal path names and locations, so may not resolve outside the corporate network. |
CertificateName

CertificateName is the identification number ("generational" ID) of the certificate, rounded down to the lowest numbered certificate sharing the same keypair. Review the table below for more information.

| Certificate or CRL | Value of CertificateName |
|---|---|
| First Certificate | The value is blank (NULL). When added to the AIA path for the first certificate (generation #0) it will appear to do nothing. |
| Next Certificate (same key) | Same as the previous generation certificate. If the first generation certificate (#0) is renewed with the same key then, like the first certificate, CertificateName will be blank. See also the next item. |
| Next Certificate (new key) | The certificate number, enclosed in a single pair of round brackets. If this is certificate #2, then CertificateName will be "(2)". If this certificate is then renewed with the same key (#3), the next certificate's CertificateName value will still be "(2)". |
| Full CRL (same key) | Same as the matching certificate. Note that due to the way CRLs are created, there will be multiple valid CRLs for different certificate generations (while the certificate remains valid). |
| Delta CRL | Same as the parent full CRL. |

Overall: Generally recommended

| Path | Recommendation |
|---|---|
| Use in AIA | Yes. CertificateName should ALWAYS be included in AIA paths (though technically nothing will break until you renew the root certificate with a new key). |
| Use in CDP | Maybe. It would be a definite yes were it not for the CRLNameSuffix variable, which is identical in practice. Use at least one of them (but you only need one). |
ConfigurationContainer

ConfigurationContainer is the OU path to the Active Directory domain's Configuration partition.

| Certificate or CRL | Value of ConfigurationContainer |
|---|---|
| First Certificate | If your Active Directory domain DNS name is "ad.mycompany.lan", the ConfigurationContainer value is "CN=Configuration,DC=ad,DC=mycompany,DC=lan". |
| Next Certificate (same key) | Same as the first certificate. |
| Next Certificate (new key) | Same as the first certificate. |
| Full CRL (same key) | Same as the first certificate. |
| Delta CRL | Same as the first certificate. |

Overall: Mixed recommendation

| Path | Recommendation |
|---|---|
| Use in AIA | Maybe. Valid for HTTP and File URLs but provides no useful information. Valid for LDAP URLs, but LDAP URLs may specify internal path names and locations, so may not resolve outside the corporate network. |
| Use in CDP | Maybe. Valid for HTTP and File URLs but provides no useful information. Valid for LDAP URLs, but LDAP URLs may specify internal path names and locations, so may not resolve outside the corporate network. |
CRLNameSuffix

CRLNameSuffix is the identification number ("generational" ID) of the certificate that matches (signs) the CRL, rounded down to the lowest numbered certificate sharing the same keypair. Review the table below for more information.

| Certificate or CRL | Value of CRLNameSuffix |
|---|---|
| First Certificate | N/A - not available for AIA paths. |
| Next Certificate (same key) | N/A - not available for AIA paths. |
| Next Certificate (new key) | N/A - not available for AIA paths. |
| Full CRL (same key) | Same as the matching certificate. You should review the rules for the CertificateName variable. |
| Delta CRL | Same as the parent CRL. |

Overall: Required for CDP

| Path | Recommendation |
|---|---|
| Use in AIA | No. The variable is not available for use in AIA paths. |
| Use in CDP | Yes. Required to properly identify CRLs if CertificateName is not present in the URL. See also the rules for CertificateName. |
DeltaCRLAllowed

DeltaCRLAllowed is a tag that distinguishes a full CRL from a delta CRL.

| Certificate or CRL | Value of DeltaCRLAllowed |
|---|---|
| First Certificate | N/A - not available for AIA paths. |
| Next Certificate (same key) | N/A - not available for AIA paths. |
| Next Certificate (new key) | N/A - not available for AIA paths. |
| Full CRL (same key) | The value is empty (NULL). Full CRLs have no tag indicating they are a full CRL. |
| Delta CRL | A single plus sign "+". |

Overall: Required for CDP

| Path | Recommendation |
|---|---|
| Use in AIA | No. The variable is not available for use in AIA paths. |
| Use in CDP | Yes. Required to properly identify CRLs if delta CRLs are in use. |
ServerDNSName

ServerDNSName is the fully-qualified internal server name (the combination of the NetBIOS computer name and the primary DNS suffix) of the server.

| Certificate or CRL | Value of ServerDNSName |
|---|---|
| First Certificate | If the computer name is "NetBIOS" and the Active Directory DNS domain name is "ad.mycompany.lan", then ServerDNSName is "NetBIOS.ad.mycompany.lan". |
| Next Certificate (same key) | Same as the first certificate. |
| Next Certificate (new key) | Same as the first certificate. |
| Full CRL (same key) | Same as the first certificate. |
| Delta CRL | Same as the first certificate. |

Overall: Mixed recommendation

| Path | Recommendation |
|---|---|
| Use in AIA | Maybe. Valid for all URLs, but specifies internal names and locations, so may not resolve outside the corporate network. |
| Use in CDP | Maybe. Valid for all URLs, but specifies internal names and locations, so may not resolve outside the corporate network. |
ServerShortName

ServerShortName is the NetBIOS computer name of the server.

| Certificate or CRL | Value of ServerShortName |
|---|---|
| First Certificate | If the computer name is "NetBIOS" then ServerShortName is "NetBIOS". |
| Next Certificate (same key) | Same as the first certificate. |
| Next Certificate (new key) | Same as the first certificate. |
| Full CRL (same key) | Same as the first certificate. |
| Delta CRL | Same as the first certificate. |

Overall: Mixed recommendation

| Path | Recommendation |
|---|---|
| Use in AIA | Maybe. Valid for all URLs, but specifies internal names and locations, so may not resolve outside the corporate network. |
| Use in CDP | Maybe. Valid for all URLs, but specifies internal names and locations, so may not resolve outside the corporate network. |
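As an added, runnable illustration of the variable rules and recommendations above (not code from the original page), the following Python expands the variables for a given CA, server and certificate generation, and lints a CDP template against the recommendations. It assumes the `<VariableName>` token spelling for templates and that the caller supplies the certificate numbers at which the CA was renewed with a new key.

```python
from urllib.parse import quote
CA_OBJECT_CLASS = "cACertificate?base?objectClass=certificationAuthority"  # invariant, AIA
CDP_OBJECT_CLASS = "certificateRevocationList?base?objectClass=cRLDistributionPoint"  # CDP

def config_container(dns_domain):
    """'ad.mycompany.lan' -> 'CN=Configuration,DC=ad,DC=mycompany,DC=lan'."""
    return "CN=Configuration," + ",".join("DC=" + p for p in dns_domain.split("."))

def key_index(generation, new_key_generations):
    """Lowest certificate number sharing the keypair of `generation` (renewal numbers given)."""
    return max([0] + [g for g in new_key_generations if g <= generation])

def expand(template, short_name, dns_domain, ca_name, generation,
           new_key_generations=(), is_crl=False, is_delta=False):
    """Replace <VariableName> tokens per the rules above; ValueError if N/A for the path type."""
    idx = key_index(generation, new_key_generations)
    tag = "" if idx == 0 else "(%d)" % idx          # blank for generation 0, else "(n)"
    values = {
        "ServerDNSName": short_name + "." + dns_domain,
        "ServerShortName": short_name,
        "CAName": quote(ca_name, safe=""),            # keeps only URL "Unreserved" characters
        "CATruncatedName": ca_name,                   # no special encoding
        "CertificateName": tag,
        "ConfigurationContainer": config_container(dns_domain),
        "CRLNameSuffix": tag if is_crl else None,     # CDP only
        "DeltaCRLAllowed": ("+" if is_delta else "") if is_crl else None,
        "CDPObjectClass": CDP_OBJECT_CLASS if is_crl else None,
        "CAObjectClass": None if is_crl else CA_OBJECT_CLASS,
    }
    out = template
    for name, val in values.items():
        token = "<%s>" % name
        if token in out:
            if val is None:
                raise ValueError("%s is not available for this path type" % token)
            out = out.replace(token, val)
    return out

def lint_cdp(template):
    """Report CDP template problems that the recommendations above warn about (added check)."""
    issues = []
    scheme = template.split(":", 1)[0].lower()
    if "<CertificateName>" not in template and "<CRLNameSuffix>" not in template:
        issues.append("include CertificateName or CRLNameSuffix so CRL generations differ")
    if "<DeltaCRLAllowed>" not in template:
        issues.append("DeltaCRLAllowed is required if delta CRLs are in use")
    if scheme in ("http", "file") and "<CDPObjectClass>" in template:
        issues.append("CDPObjectClass is LDAP-only; its '?' breaks HTTP and File URLs")
    return issues
```

With the page's sample names, a third-generation CA renewed with a new key at #2 yields "Company%20Root%20CA(2)+.crl" for a delta CRL template of `<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl`.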