---
title: CertificateStore DDF file
description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider.
ms.date: 06/28/2024
---

# CertificateStore DDF file

The following is the content of the device description framework (DDF) for the CertificateStore configuration service provider (DDF version 1.2). The nodes are listed in the order in which they appear in the file, with each node's description, default value, allowed values, and applicability where the file states them.

## CertificateStore

Path: `./Device/Vendor/MSFT/CertificateStore`

This object is used to add or delete a security certificate to the device's certificate store.

Applicability: OS build version 10.0.10586, CSP version 1.0. Edition allow list: `0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;`

### ROOT

This store holds only root (self-signed) certificates.

- `[CertHash]`: The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
  - `CertHash`: The SHA1 hash for the certificate.
  - `EncodedCertificate`: The base64-encoded X.509 certificate.
  - `IssuedBy`: The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
  - `IssuedTo`: The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
  - `ValidFrom`: The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
  - `ValidTo`: The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
  - `TemplateName`: Returns the certificate template name.
- `System`: This store holds the System portion of the root store.
  - `[CertHash]`: The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
    - `CertHash`: The SHA1 hash for the certificate.
    - `EncodedCertificate`: The base64-encoded X.509 certificate.
    - `IssuedBy`: The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
    - `IssuedTo`: The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
    - `ValidFrom`: The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
    - `ValidTo`: The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
    - `TemplateName`: Returns the certificate template name.

### MY

This store keeps all end-user personal certificates.

- `User`: This store holds the User portion of the MY store.
  - `[CertHash]`: The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
    - `CertHash`: The SHA1 hash for the certificate.
    - `EncodedCertificate`: The base64-encoded X.509 certificate. Note that although during MDM enrollment the enrollment server can use the WAP XML format to add the public part of the MDM client certificate via the EncodedCertificate node, properly enrolling a client certificate including its private key requires a certificate enrollment protocol to handle it, or the user to install it manually. On WP (Windows Phone), the server cannot rely purely on the CertificateStore CSP to install a client certificate including the private key.
    - `IssuedBy`: The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
    - `IssuedTo`: The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
    - `ValidFrom`: The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
    - `ValidTo`: The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
    - `TemplateName`: Returns the certificate template name.
- `SCEP`: This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment.
  - `[UniqueID]`: The UniqueID for the SCEP enrollment request. Each client certificate should have a different unique ID.
    - `UniqueID`
    - `Install`: The group to represent the install request.
      - `ServerURL`: Specify the certificate enrollment server.
      - `Challenge`: Enrollment requester authentication shared secret.
      - `EKUMapping`: Specify extended key usages. The OIDs in the list are separated by plus (+).
      - `KeyUsage`: Specify the key usage bits (0x80, 0x20, 0xA0) for the certificate.
      - `SubjectName`: Specify the subject name.
      - `KeyProtection`: Specify where to keep the private key.
      - `RetryDelay`: When the SCEP server sends a pending status, specify the device retry waiting time in minutes.
      - `RetryCount`: When the SCEP server sends a pending status, specify the number of device retries.
      - `TemplateName`: Certificate template name OID (as used in AD by the PKI infrastructure).
      - `KeyLength`: Specify the private key length (RSA).
      - `HashAlgrithm`: When the client creates the certificate enrollment request, it gets the supported hash algorithms from the SCEP server and matches them with the one specified in this parameter.
      - `CAThumbPrint`: Specify the root CA thumbprint.
      - `SubjectAlternativeNames`: Specify the subject alternative name. Multiple alternative names can be specified by this node. Each name is the combination of name format + actual name. Each pair is separated by a semicolon.
      - `ValidPeriod`: Specify the period of time for which the certificate is valid. The valid period specified by MDM overrides the valid period specified in the certificate template.
      - `ValidPeriodUnit`: Specify the valid period unit type.
      - `Enroll`: Start the certificate enrollment.
    - `CertThumbPrint`: Specify the current certificate's thumbprint.
    - `Status`: Specify the latest status of the certificate due to the enrollment request.
    - `ErrorCode`: Specify the last HRESULT in case the enroll action failed.
- `WSTEP`: The parent node that hosts the client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment.
  - `CertThumprint`: The thumbprint of the enrolled MDM client certificate.
  - `Renew`: The parent node to group renewal-related settings.
    - `RenewPeriod`: Specify the number of days prior to the enrollment certificate's expiration to prompt the user to renew. Default value: 42. Allowed range: 1-1000.
    - `ServerURL`: Optional. Specifies the certificate renewal server URL, which is the discovery server.
    - `RetryInterval`: Default value: 7. Allowed range: 1-1000.
    - `ROBOSupport`: Optional. Notifies the client whether the enrollment server supports ROBO automatic certificate renewal. Default value: true. Allowed values: `true` (True), `false` (False). NOTE: This flag is only needed for devices that are MDM-enrolled via the on-premises authentication method. For MDM enrollment with federated authentication, ROBO is the only supported renewal method. If the server sets this node's value to false, or deletes this node, for a federated-enrolled device, the configuration fails with OMA DM error code 405.
    - `Status`: Show the latest action status for this certificate. Supported values are one of the following:
      - 0 – Not started.
      - 1 – Renewal in progress.
      - 2 – Renewal succeeded.
      - 3 – Renewal failed.
    - `ErrorCode`: If certificate renewal fails, this node provides the last HRESULT code from the renewal process.
    - `LastRenewalAttemptTime`: Time of the last attempted renewal. Applicability: OS build version 10.0.14393, CSP version 1.0.
    - `RenewNow`: Initiate a renewal now. Applicability: OS build version 10.0.14393, CSP version 1.0.
    - `RetryAfterExpiryInterval`: How long after the enrollment certificate has expired to keep trying to renew. Applicability: OS build version 10.0.15063, CSP version 1.0.

### CA

This cryptographic store contains intermediary certification authorities.

- `[CertHash]`: The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
  - `CertHash`: The SHA1 hash for the certificate.
  - `EncodedCertificate`: The base64-encoded X.509 certificate.
  - `IssuedBy`: The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
  - `IssuedTo`: The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
  - `ValidFrom`: The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
  - `ValidTo`: The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
  - `TemplateName`: Returns the certificate template name.
- `System`: This store holds the System portion of the CA store.
  - `[CertHash]`: The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
    - `CertHash`: The SHA1 hash for the certificate.
    - `EncodedCertificate`: The base64-encoded X.509 certificate.
    - `IssuedBy`: The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
    - `IssuedTo`: The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
    - `ValidFrom`: The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
    - `ValidTo`: The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
    - `TemplateName`: Returns the certificate template name.

## Related articles

[CertificateStore configuration service provider reference](certificatestore-csp.md)
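As an added example (not part of the DDF file or Microsoft's documentation), the following Python builds a SyncML `Add` for an `EncodedCertificate` node and audits an incoming command against the contract the DDF states: the `[CertHash]` segment of the path must be the hexadecimal 20-byte SHA1 of the DER certificate carried in `EncodedCertificate`, and only the ROOT, ROOT/System, CA, CA/System and MY/User stores expose such a node. The SyncML envelope shape and the `b64` format value are standard OMA DM and are assumptions here, and `SAMPLE_DER` is a constructed stand-in for a real DER-encoded certificate.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

CSP_ROOT = "./Device/Vendor/MSFT/CertificateStore"
# Stores whose dynamic [CertHash] node accepts an EncodedCertificate Add, per the DDF.
ADDABLE_STORES = {"ROOT", "ROOT/System", "CA", "CA/System", "MY/User"}
LOCURI_RE = re.compile(
    re.escape(CSP_ROOT) + r"/([A-Za-z]+(?:/[A-Za-z]+)?)/([0-9A-Fa-f]{40})/EncodedCertificate"
)
# Constructed stand-in for DER certificate bytes (assumption: not a real X.509 certificate).
SAMPLE_DER = bytes(range(256)) * 2


def cert_hash(der: bytes) -> str:
    """CertHash node value: the 20-byte SHA1 of the DER certificate, as hexadecimal."""
    return hashlib.sha1(der).hexdigest().upper()


def build_add_command(store: str, der: bytes, cmd_id: int = 1) -> str:
    """SyncML <Add> for EncodedCertificate; the [CertHash] path segment is derived, never typed."""
    if store not in ADDABLE_STORES:
        raise ValueError(f"{store} has no addable [CertHash] node")
    loc_uri = f"{CSP_ROOT}/{store}/{cert_hash(der)}/EncodedCertificate"
    b64 = base64.b64encode(der).decode("ascii")
    return (f"<Add><CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{loc_uri}</LocURI></Target>"
            f'<Meta><Format xmlns="syncml:metinf">b64</Format></Meta>'
            f"<Data>{b64}</Data></Item></Add>")


def audit_add_command(xml_text: str) -> list:
    """Check one <Add> against the DDF contract; an empty list means it is consistent."""
    root = ET.fromstring(xml_text)
    loc_uri = root.findtext("./Item/Target/LocURI") or ""
    data = root.findtext("./Item/Data") or ""
    m = LOCURI_RE.fullmatch(loc_uri)
    if not m:
        return [f"LocURI is not a CertificateStore EncodedCertificate node: {loc_uri}"]
    store, claimed = m.group(1), m.group(2).upper()
    findings = []
    if store not in ADDABLE_STORES:
        findings.append(f"store {store} does not expose an addable [CertHash] node")
    try:
        der = base64.b64decode(data, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return findings + ["Data is not valid base64"]
    actual = cert_hash(der)
    if actual != claimed:
        findings.append(f"CertHash {claimed} is not the SHA1 of the payload ({actual})")
    return findings
```

A mismatch between the path hash and the payload is worth alerting on in MDM traffic review, since the device keys the implicitly created CertHash, IssuedBy and IssuedTo nodes off that path segment.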