---
title: CertificateStore DDF file
description: This topic shows the OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid: D9A12D4E-3122-45C3-AD12-CC4FFAEC08B8
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 12/05/2017
---

# CertificateStore DDF file

This topic shows the OMA DM device description framework (DDF) for the **CertificateStore** configuration service provider. DDF files are used only with OMA DM provisioning XML.

Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).

The node tree below is taken from the current DDF for this CSP (VerDTD 1.2); the full XML is in the download linked above. Node names are shown in code font, with the DDF's data type (text/plain) in parentheses for leaf nodes. A `*` node stands for a dynamically named child.

- `CertificateStore` (`./Vendor/MSFT`): This object is used to add or delete a security certificate in the device's certificate store.
  - `ROOT`: This store holds only root (self-signed) certificates.
    - `*`: The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
      - `EncodedCertificate` (text/plain): The base64-encoded X.509 certificate.
      - `IssuedBy` (text/plain): The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
      - `IssuedTo` (text/plain): The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
      - `ValidFrom` (text/plain): The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
      - `ValidTo` (text/plain): The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
      - `TemplateName` (text/plain)
    - `System`: This store holds the System portion of the ROOT store.
      - `*`: The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
        - `EncodedCertificate` (text/plain): The base64-encoded X.509 certificate.
        - `IssuedBy` (text/plain): The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
        - `IssuedTo` (text/plain): The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
        - `ValidFrom` (text/plain): The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
        - `ValidTo` (text/plain): The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
        - `TemplateName` (text/plain)
  - `MY`: This store keeps all end-user personal certificates.
    - `User`: This store holds the User portion of the MY store.
      - `*`: The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
        - `EncodedCertificate` (text/plain): The base64-encoded X.509 certificate. Note that although during MDM enrollment the enrollment server can use the WAP XML format to add the public part of the MDM client certificate through the EncodedCertificate node, properly enrolling a client certificate including its private key requires a certificate enrollment protocol to handle it, or the user must install it manually. On Windows Phone, the server cannot rely on the CertificateStore CSP alone to install a client certificate including its private key.
        - `IssuedBy` (text/plain): The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
        - `IssuedTo` (text/plain): The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
        - `ValidFrom` (text/plain): The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
        - `ValidTo` (text/plain): The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
        - `TemplateName` (text/plain)
    - `SCEP`: This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment.
      - `*`: The UniqueID for the SCEP enrollment request. Each client certificate should have a different unique ID.
        - `Install`: The group that represents the install request.
          - `ServerURL` (text/plain): Specifies the certificate enrollment server.
          - `Challenge` (text/plain): Enrollment requester authentication shared secret.
          - `EKUMapping` (text/plain): Specifies extended key usages. The list of OIDs is separated by plus signs ("+").
          - `KeyUsage` (text/plain): Specifies the key usage bits (0x80, 0x20, 0xA0) for the certificate.
          - `SubjectName` (text/plain): Specifies the subject name.
          - `KeyProtection` (text/plain): Specifies where to keep the private key.
          - `RetryDelay` (text/plain): When the SCEP server sends a pending status, specifies the device's retry waiting time in minutes.
          - `RetryCount` (text/plain): When the SCEP server sends a pending status, specifies the number of device retries.
          - `TemplateName` (text/plain): Certificate template name OID (as in AD, used by the PKI infrastructure).
          - `KeyLength` (text/plain): Specifies the private key length (RSA).
          - `HashAlgrithm` (text/plain): When the client creates the certificate enrollment request, it gets the supported hash algorithms from the SCEP server and matches them against the one specified in this parameter.
          - `CAThumbPrint` (text/plain): Specifies the root CA thumbprint.
          - `SubjectAlternativeNames` (text/plain): Specifies subject alternative names. Multiple alternative names can be specified by this node. Each name is the combination of name format + actual name. Pairs are separated by semicolons.
          - `ValidPeriod` (text/plain): Specifies the period of time for which the certificate is valid. The valid period specified by MDM overwrites the valid period specified in the certificate template.
          - `ValidPeriodUnit` (text/plain): Specifies the valid period unit type.
          - `Enroll` (text/plain): Starts the certificate enrollment.
        - `CertThumbPrint` (text/plain): Specifies the current certificate's thumbprint.
        - `Status` (text/plain): Specifies the latest status for the certificate resulting from the enroll request.
        - `ErrorCode` (text/plain): Specifies the last HRESULT in case the enroll action failed.
    - `WSTEP`: The parent node that hosts the client certificate enrolled via WSTEP, for example the certificate enrolled during MDM enrollment.
      - `CertThumprint` (text/plain): The thumbprint of the enrolled MDM client certificate.
      - `Renew`: Under this node are the renew properties.
        - `RenewPeriod` (text/plain): Specifies the number of days prior to the enrollment certificate's expiration at which to prompt the user to renew.
        - `ServerURL` (text/plain): Optional. Specifies the certificate renewal server URL, which is the discovery server.
        - `RetryInterval` (text/plain): Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO certificate renewal. The retry schedule stops at the certificate expiration date.
        - `ROBOSupport` (text/plain): Optional. Notifies the client whether the enrollment server supports ROBO automatic certificate renewal. NOTE: This flag is needed only for devices that were MDM-enrolled using the on-premises authentication method. For devices MDM-enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node's value to false, or deletes this node, on a federated-enrolled device, the configuration fails with OMA DM error code 405.
        - `Status` (text/plain): Shows the latest action status for this certificate.
        - `ErrorCode` (text/plain): If certificate renewal fails, this node provides the last HRESULT code from the renewal process.
        - `LastRenewalAttemptTime` (text/plain): Time of the last attempted renewal.
        - `RenewNow` (text/plain): Initiates a renewal now.
        - `RetryAfterExpiryInterval` (text/plain): How long after the enrollment certificate has expired to keep trying to renew.
  - `CA`: This cryptographic store contains intermediate certification authorities.
    - `*`: The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
      - `EncodedCertificate` (text/plain): The base64-encoded X.509 certificate.
      - `IssuedBy` (text/plain): The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
      - `IssuedTo` (text/plain): The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
      - `ValidFrom` (text/plain): The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
      - `ValidTo` (text/plain): The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
      - `TemplateName` (text/plain)
    - `System`: This store holds the System portion of the CA store.
      - `*`: The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
        - `EncodedCertificate` (text/plain): The base64-encoded X.509 certificate.
        - `IssuedBy` (text/plain): The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
        - `IssuedTo` (text/plain): The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
        - `ValidFrom` (text/plain): The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
        - `ValidTo` (text/plain): The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
        - `TemplateName` (text/plain)
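As an added example (not code from this page or from Microsoft), the Python below drives the ROOT, CA and MY stores described in the DDF: it derives the hash node name the DDF requires (the 20-byte SHA1 of the certificate, in hexadecimal) from a PEM or DER certificate, emits the SyncML Add that writes `EncodedCertificate` and the Delete that removes the hash node, and checks a received Add for the mismatch a careless or malicious server can produce, a hash node name that is not the thumbprint of the payload it carries. The Meta `Format`/`Type` values (`b64`, `text/plain`) follow the CSP's usage rather than this DDF and are an assumption here; `SAMPLE_DER` is a constructed placeholder, not a real certificate.

```python
"""Build the OMA DM SyncML that adds or deletes a certificate through the
CertificateStore CSP, and check a received Add for a mismatched hash node.

Added example, not code from the DDF page or from Microsoft. It relies only on
the node paths the DDF describes. The Meta Format/Type values (b64, text/plain)
follow the CSP's usage examples and are an assumption here; SAMPLE_DER is a
constructed placeholder, not a real certificate.
"""
import base64
import binascii
import hashlib
import re
from xml.sax.saxutils import escape

CSP_ROOT = "./Vendor/MSFT/CertificateStore"

# Stores addressable through the CSP, as listed in the DDF.
STORE_PATHS = {
    "ROOT": "ROOT/System",  # root (self-signed) certificates, System portion
    "CA": "CA/System",      # intermediate certification authorities
    "MY": "MY/User",        # end-user personal certificates (public part only)
}

# Constructed placeholder standing in for DER bytes; use open(path, "rb").read() for real input.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a PEM certificate (76-column base64 body)."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def to_der(data: bytes) -> bytes:
    """Accept PEM or DER input and return DER bytes."""
    match = _PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    if not data.startswith(b"\x30"):  # every DER certificate starts with a SEQUENCE tag
        raise ValueError("input is neither PEM nor DER")
    return data


def thumbprint(der: bytes) -> str:
    """The hash node name the DDF calls for: 20-byte SHA-1 of the DER, as hex."""
    return hashlib.sha1(der).hexdigest().upper()


def node_uri(store: str, der: bytes) -> str:
    """LocURI of the certificate's hash node in the given store."""
    return f"{CSP_ROOT}/{STORE_PATHS[store]}/{thumbprint(der)}"


def add_command(cmd_id: int, store: str, der: bytes) -> str:
    """SyncML Add that writes EncodedCertificate; per the DDF, the hash node and its
    IssuedBy/IssuedTo/ValidFrom/ValidTo siblings are then created implicitly."""
    b64 = base64.b64encode(der).decode("ascii")
    return (
        f"<Add><CmdID>{cmd_id}</CmdID><Item>"
        f"<Target><LocURI>{escape(node_uri(store, der))}/EncodedCertificate</LocURI></Target>"
        '<Meta><Format xmlns="syncml:metinf">b64</Format>'
        '<Type xmlns="syncml:metinf">text/plain</Type></Meta>'
        f"<Data>{b64}</Data></Item></Add>"
    )


def delete_command(cmd_id: int, store: str, der: bytes) -> str:
    """SyncML Delete of the hash node, which removes the certificate from the store."""
    return (
        f"<Delete><CmdID>{cmd_id}</CmdID><Item><Target>"
        f"<LocURI>{escape(node_uri(store, der))}</LocURI></Target></Item></Delete>"
    )


_ADD_RE = re.compile(
    r"<LocURI>[^<]*/([0-9A-Fa-f]{40})/EncodedCertificate</LocURI>.*?<Data>([^<]*)</Data>", re.S
)


def verify_add(syncml: str) -> bool:
    """Check that the hash node named in an Add equals SHA-1 of its payload.
    A mismatch means the server is filing one certificate under another's
    thumbprint, so inventory or Delete by node name would hit the wrong entry."""
    match = _ADD_RE.search(syncml)
    if not match:
        return False
    try:
        der = base64.b64decode(match.group(2), validate=True)
    except binascii.Error:
        return False
    return thumbprint(der) == match.group(1).upper()


if __name__ == "__main__":
    print(add_command(1, "ROOT", to_der(to_pem(SAMPLE_DER))))
    print(delete_command(2, "ROOT", SAMPLE_DER))
```

The DDF's own caveat still applies to the MY store: an Add to `MY/User` installs only the public certificate, so a client certificate with its private key has to come through SCEP or WSTEP enrollment rather than through this CSP alone.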
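The SCEP `Install` nodes and the per-request `Status`/`ErrorCode`/`CertThumbPrint` nodes above describe a multi-node request whose value formats are easy to get wrong. As an added example (not code from this page or from Microsoft), the Python below validates a request against the formats the DDF states (OIDs joined by "+", subject alternative names as "format+name" pairs joined by ";", KeyUsage limited to 0x80, 0x20 or 0xA0, CAThumbPrint a 40-hex-digit SHA1) and then builds the SyncML: one Atomic of Adds under `MY/SCEP/[UniqueID]/Install`, an Exec on `Install/Enroll` to start enrollment, and a Get that reads the result nodes back. The Exec on `Enroll`, the Meta `Format` of `chr`, and every value in `SAMPLE_REQUEST` (server, challenge, thumbprint, SAN format codes) are assumptions for illustration.

```python
"""Validate and build a SCEP enrollment request for the CertificateStore CSP.

Added example, not code from the DDF page or from Microsoft. Node paths are the
DDF's MY/SCEP/[UniqueID]/Install tree and the value-format checks come from the
DDF's own descriptions. The Exec on Install/Enroll, the Meta Format "chr", and
every value in SAMPLE_REQUEST are assumptions; the SAN format codes are placeholders.
"""
import re
from urllib.parse import urlparse
from xml.sax.saxutils import escape

SCEP_BASE = "./Vendor/MSFT/CertificateStore/MY/SCEP"
OID_RE = re.compile(r"^[0-9]+(\.[0-9]+)+$")
HEX40_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
KEY_USAGE_ALLOWED = {0x80, 0x20, 0xA0}  # digitalSignature, keyEncipherment, both
INTEGER_NODES = ("RetryDelay", "RetryCount", "KeyLength", "ValidPeriod")

# Constructed sample: hypothetical server, challenge, thumbprint and SAN format codes.
SAMPLE_REQUEST = {
    "ServerURL": "https://scep.example.test/certsrv/mscep/mscep.dll",
    "Challenge": "constructed-one-time-password",
    "EKUMapping": "1.3.6.1.5.5.7.3.2+1.3.6.1.4.1.311.20.2.2",  # clientAuth + smart card logon
    "KeyUsage": "0xA0",
    "SubjectName": "CN=device01,OU=Lab,O=Example",
    "KeyProtection": "1",
    "RetryDelay": "5",
    "RetryCount": "3",
    "KeyLength": "2048",
    "HashAlgrithm": "SHA-2",  # the node name is spelled this way in the DDF
    "CAThumbPrint": "3B1EFD3A66EA28B16697394703A72CA340A05BD5",
    "SubjectAlternativeNames": "2+device01.example.test;4+device01@example.test",
    "ValidPeriod": "1",
    "ValidPeriodUnit": "Years",
}


def validate(req: dict) -> list:
    """Return the formatting problems found; an empty list means the request is well formed."""
    problems = []
    url = urlparse(req.get("ServerURL", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("ServerURL: must be an absolute http(s) URL")
    if not req.get("Challenge"):
        problems.append("Challenge: the shared secret is empty")
    if "EKUMapping" in req:
        for oid in req["EKUMapping"].split("+"):
            if not OID_RE.match(oid):
                problems.append(f"EKUMapping: {oid!r} is not a dotted OID")
    try:
        if int(req.get("KeyUsage", "0x80"), 16) not in KEY_USAGE_ALLOWED:
            problems.append("KeyUsage: must be 0x80, 0x20 or 0xA0")
    except ValueError:
        problems.append("KeyUsage: not a hexadecimal value")
    if not HEX40_RE.match(req.get("CAThumbPrint", "")):
        problems.append("CAThumbPrint: must be the 40-hex-digit SHA-1 thumbprint of the root CA")
    if "SubjectAlternativeNames" in req:
        for entry in req["SubjectAlternativeNames"].split(";"):
            fmt, plus, name = entry.partition("+")
            if not (fmt and plus and name):
                problems.append(f"SubjectAlternativeNames: {entry!r} is not 'format+name'")
    for node in INTEGER_NODES:
        if node in req and not req[node].isdigit():
            problems.append(f"{node}: must be a non-negative integer")
    return problems


def _item(loc_uri: str, data: str) -> str:
    """One SyncML Item carrying a text/plain value (Format chr is an assumption)."""
    return (
        f"<Item><Target><LocURI>{escape(loc_uri)}</LocURI></Target>"
        '<Meta><Format xmlns="syncml:metinf">chr</Format>'
        '<Type xmlns="syncml:metinf">text/plain</Type></Meta>'
        f"<Data>{escape(data)}</Data></Item>"
    )


def build_syncml(unique_id: str, req: dict, first_cmd_id: int = 1) -> str:
    """One Atomic: an Add per Install node, then an Exec on Install/Enroll to start
    the enrollment. Refuses to build a request that fails validate()."""
    problems = validate(req)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"{SCEP_BASE}/{unique_id}/Install"
    cmd_id = first_cmd_id
    parts = [f"<Atomic><CmdID>{cmd_id}</CmdID>"]
    for node, value in req.items():
        cmd_id += 1
        parts.append(f"<Add><CmdID>{cmd_id}</CmdID>{_item(base + '/' + node, value)}</Add>")
    cmd_id += 1
    parts.append(f"<Exec><CmdID>{cmd_id}</CmdID>{_item(base + '/Enroll', '')}</Exec>")
    parts.append("</Atomic>")
    return "".join(parts)


def status_query(unique_id: str, cmd_id: int) -> str:
    """Get the Status, ErrorCode (last HRESULT) and CertThumbPrint nodes that sit
    beside Install under the UniqueID node, to read the outcome of the enrollment."""
    items = "".join(
        f"<Item><Target><LocURI>{SCEP_BASE}/{unique_id}/{node}</LocURI></Target></Item>"
        for node in ("Status", "ErrorCode", "CertThumbPrint")
    )
    return f"<Get><CmdID>{cmd_id}</CmdID>{items}</Get>"


if __name__ == "__main__":
    print(build_syncml("device01-req", SAMPLE_REQUEST))
    print(status_query("device01-req", 20))
```

Validation runs before anything is sent because a malformed value (a non-numeric KeyUsage, an OID list with the wrong separator) surfaces on the device only as an `ErrorCode` HRESULT after the retry schedule has run, which is slower to diagnose than a rejected request on the server side.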