fixed list formatting

Justinha
2017-03-21 10:25:11 -07:00
parent 16afa640ee
commit 3cc99fcc3d

@ -73,6 +73,7 @@ The PinRules element can have the following attributes.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml). For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml).
- **Duration** or **NextUpdate** - **Duration** or **NextUpdate**
Specifies when the Pin Rules will expire. Specifies when the Pin Rules will expire.
Either is required. Either is required.
**NextUpdate** takes precedence if both are specified. **NextUpdate** takes precedence if both are specified.
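Review bot: "Either is required." in the Duration/NextUpdate item can be read as "exactly one of the two", yet the very next sentence covers the case where both are specified. Suggest "At least one is required.", which is the wording the Required? line a few lines further down already uses.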
@ -83,6 +84,7 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi
**Required?** Yes. At least one is required. **Required?** Yes. At least one is required.
- **LogDuration** or **LogEndDate** - **LogDuration** or **LogEndDate**
Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
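Review bot: The first sentence of the LogDuration/LogEndDate item is hard to parse, because "only" in "Configures auditing only to extend beyond the expiration of enforcing the Pin Rules." can attach to "auditing" or to "extend". If the intent is that audit logging continues after enforcement has expired, say so directly, for example "Extends audit-only logging past the point at which enforcement of the Pin Rules expires."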
@ -94,6 +96,7 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi
**Required?** No. **Required?** No.
- **ListIdentifier** - **ListIdentifier**
Provides a friendly name for the list of pin rules. Provides a friendly name for the list of pin rules.
Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL).
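Review bot: The ListIdentifier description has a comma splice at ", however it is included" and switches to lower-case "pin rules" while the link sentence in this hunk's header context writes "Pin Rules". Since this commit is a formatting pass, split the sentence ("... enforcement. However, it is included when ...") and pick one capitalization for the term throughout the list.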
@ -104,6 +107,7 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi
The **PinRule** element can have the following attributes: The **PinRule** element can have the following attributes:
- **Name** - **Name**
Uniquely identifies the **PinRule**. Uniquely identifies the **PinRule**.
Windows uses this attribute to identify the element for a parsing error or for verbose output. Windows uses this attribute to identify the element for a parsing error or for verbose output.
The attribute is not included in the generated certificate trust list (CTL). The attribute is not included in the generated certificate trust list (CTL).
@ -111,6 +115,7 @@ The **PinRule** element can have the following attributes:
**Required?** Yes. **Required?** Yes.
- **Error** - **Error**
Describes the action Windows performs when it encounters a PIN mismatch. Describes the action Windows performs when it encounters a PIN mismatch.
You can choose from the following string values: You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site. - **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
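Review bot: "PIN mismatch" in the Error item is capitalized like the acronym for a personal identification number, which is a different security concept from certificate pinning. Suggest "pin mismatch" (or "pin rule mismatch") so the term matches how the rest of the list refers to pin rules.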
@ -120,6 +125,7 @@ The **PinRule** element can have the following attributes:
**Required?** No. **Required?** No.
- **Log** - **Log**
A Boolean value represent as string that equals **true** or **false**. A Boolean value represent as string that equals **true** or **false**.
By default, logging is enabled (**true**). By default, logging is enabled (**true**).
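Review bot: The Log item's first line has a grammar slip, "A Boolean value represent as string". Suggest "A Boolean value represented as a string that equals **true** or **false**." while this list is being touched.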
@ -130,6 +136,7 @@ The **PinRule** element can have the following attributes:
The **Certificate** element can have the following attributes: The **Certificate** element can have the following attributes:
- **File** - **File**
Path to a file containing one or more certificates. Path to a file containing one or more certificates.
Where the certificate(s) can be encoded as: Where the certificate(s) can be encoded as:
- single certificate - single certificate
@ -142,12 +149,14 @@ The **Certificate** element can have the following attributes:
**Required?** Yes (File, Directory or Base64 must be present). **Required?** Yes (File, Directory or Base64 must be present).
- **Directory** - **Directory**
Path to a directory containing one or more of the above certificate files. Path to a directory containing one or more of the above certificate files.
Skips any files not containing any certificates. Skips any files not containing any certificates.
**Required?** Yes (File, Directory or Base64 must be present). **Required?** Yes (File, Directory or Base64 must be present).
- **Base64** - **Base64**
Base64 encoded certificate(s). Base64 encoded certificate(s).
Where the certificate(s) can be encoded as: Where the certificate(s) can be encoded as:
- single certificate - single certificate
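Review bot: The Directory item says it "Skips any files not containing any certificates." but does not say whether a skipped file is reported anywhere. For a pinning configuration that matters, because a certificate file that fails to parse would drop out of the pin set without the author noticing; please document whether the skip is surfaced (for example in the verbose output mentioned under Name) or is silent. Separately, "Where the certificate(s) can be encoded as:" is a sentence fragment in the Base64 item; "The certificate(s) can be encoded as:" reads cleanly.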
@ -162,6 +171,7 @@ The **Certificate** element can have the following attributes:
**Required?** Yes (File, Directory or Base64 must be present). **Required?** Yes (File, Directory or Base64 must be present).
- **EndDate** - **EndDate**
Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this elements certificates. If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this elements certificates.
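Review bot: "this elements certificates" in the EndDate item is missing the possessive apostrophe and should read "this element's certificates". The sentence would also be clearer if it said what the date bounds, for example "to allow matching of this element's certificates until that date", if that is the intended meaning.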
@ -177,6 +187,7 @@ The **Certificate** element can have the following attributes:
The **Site** element can have the following attributes: The **Site** element can have the following attributes:
- **Domain** - **Domain**
Contains the DNS name to be matched for this pin rule. Contains the DNS name to be matched for this pin rule.
When creating the certificate trust list, the parser normalizes the input name string value as follows: When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*" it is removed. - If the DNS name has a leading "*" it is removed.
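Review bot: The bare asterisk in 'a leading "*"' under Domain is a Markdown emphasis and list character, so it is fragile in a list that this commit is reformatting. Suggest code formatting for the character and a comma after the condition: "If the DNS name has a leading `*`, it is removed."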
@ -189,6 +200,7 @@ The **Site** element can have the following attributes:
**Required?** Yes. **Required?** Yes.
- **AllSubdomains** - **AllSubdomains**
By default, wildcard left hand label matching is restricted to a single left hand label. By default, wildcard left hand label matching is restricted to a single left hand label.
This attribute can be set to "true" to enable wildcard matching of all of the left hand labels. This attribute can be set to "true" to enable wildcard matching of all of the left hand labels.
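Review bot: The AllSubdomains item writes the value as "true" in plain quotes, while the Log item earlier in this file formats the same Boolean strings as **true** and **false**; use one convention for attribute values. "left hand label" is also a compound modifier and should be hyphenated as "left-hand label" in both sentences.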