Class: AWSCDK::PCAConnectorAD::CfnTemplate::EnrollmentFlagsV2Property

Inherits:
Jsii::Struct
  • Object
show all
Defined in:
pca_connector_ad/cfn_template.rb

Overview

Template configurations for v2 template schema.

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(enable_key_reuse_on_nt_token_keyset_storage_full: nil, include_symmetric_algorithms: nil, no_security_extension: nil, remove_invalid_certificate_from_personal_store: nil, user_interaction_required: nil) ⇒ EnrollmentFlagsV2Property

Returns a new instance of EnrollmentFlagsV2Property.

Parameters:

  • enable_key_reuse_on_nt_token_keyset_storage_full (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    Allow renewal using the same key.

  • include_symmetric_algorithms (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    Include symmetric algorithms allowed by the subject.

  • no_security_extension (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.

  • remove_invalid_certificate_from_personal_store (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    Delete expired or revoked certificates instead of archiving them.

  • user_interaction_required (Boolean, AWSCDK::IResolvable, nil) (defaults to: nil)

    Require user interaction when the subject is enrolled and the private key associated with the certificate is used.



708
709
710
711
712
713
714
715
716
717
718
719
# File 'pca_connector_ad/cfn_template.rb', line 708

def initialize(enable_key_reuse_on_nt_token_keyset_storage_full: nil, include_symmetric_algorithms: nil, no_security_extension: nil, remove_invalid_certificate_from_personal_store: nil, user_interaction_required: nil)
  @enable_key_reuse_on_nt_token_keyset_storage_full = enable_key_reuse_on_nt_token_keyset_storage_full
  Jsii::Type.check_type(@enable_key_reuse_on_nt_token_keyset_storage_full, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "enableKeyReuseOnNtTokenKeysetStorageFull") unless @enable_key_reuse_on_nt_token_keyset_storage_full.nil?
  @include_symmetric_algorithms = include_symmetric_algorithms
  Jsii::Type.check_type(@include_symmetric_algorithms, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "includeSymmetricAlgorithms") unless @include_symmetric_algorithms.nil?
  @no_security_extension = no_security_extension
  Jsii::Type.check_type(@no_security_extension, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "noSecurityExtension") unless @no_security_extension.nil?
  @remove_invalid_certificate_from_personal_store = remove_invalid_certificate_from_personal_store
  Jsii::Type.check_type(@remove_invalid_certificate_from_personal_store, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "removeInvalidCertificateFromPersonalStore") unless @remove_invalid_certificate_from_personal_store.nil?
  @user_interaction_required = user_interaction_required
  Jsii::Type.check_type(@user_interaction_required, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "userInteractionRequired") unless @user_interaction_required.nil?
end

Instance Attribute Details

#enable_key_reuse_on_nt_token_keyset_storage_fullBoolean, ... (readonly)

Allow renewal using the same key.



725
726
727
# File 'pca_connector_ad/cfn_template.rb', line 725

def enable_key_reuse_on_nt_token_keyset_storage_full
  @enable_key_reuse_on_nt_token_keyset_storage_full
end

#include_symmetric_algorithmsBoolean, ... (readonly)

Include symmetric algorithms allowed by the subject.



730
731
732
# File 'pca_connector_ad/cfn_template.rb', line 730

def include_symmetric_algorithms
  @include_symmetric_algorithms
end

#no_security_extensionBoolean, ... (readonly)

This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.



735
736
737
# File 'pca_connector_ad/cfn_template.rb', line 735

def no_security_extension
  @no_security_extension
end

#remove_invalid_certificate_from_personal_storeBoolean, ... (readonly)

Delete expired or revoked certificates instead of archiving them.



740
741
742
# File 'pca_connector_ad/cfn_template.rb', line 740

def remove_invalid_certificate_from_personal_store
  @remove_invalid_certificate_from_personal_store
end

#user_interaction_requiredBoolean, ... (readonly)

Require user interaction when the subject is enrolled and the private key associated with the certificate is used.



745
746
747
# File 'pca_connector_ad/cfn_template.rb', line 745

def user_interaction_required
  @user_interaction_required
end

Class Method Details

.jsii_propertiesObject



747
748
749
750
751
752
753
754
755
# File 'pca_connector_ad/cfn_template.rb', line 747

def self.jsii_properties
  {
    :enable_key_reuse_on_nt_token_keyset_storage_full => "enableKeyReuseOnNtTokenKeysetStorageFull",
    :include_symmetric_algorithms => "includeSymmetricAlgorithms",
    :no_security_extension => "noSecurityExtension",
    :remove_invalid_certificate_from_personal_store => "removeInvalidCertificateFromPersonalStore",
    :user_interaction_required => "userInteractionRequired",
  }
end

Instance Method Details

#to_jsiiObject



757
758
759
760
761
762
763
764
765
766
767
# File 'pca_connector_ad/cfn_template.rb', line 757

def to_jsii
  result = {}
  result.merge!({
    "enableKeyReuseOnNtTokenKeysetStorageFull" => @enable_key_reuse_on_nt_token_keyset_storage_full,
    "includeSymmetricAlgorithms" => @include_symmetric_algorithms,
    "noSecurityExtension" => @no_security_extension,
    "removeInvalidCertificateFromPersonalStore" => @remove_invalid_certificate_from_personal_store,
    "userInteractionRequired" => @user_interaction_required,
  })
  result.compact
end