Jul 10, 2023
To address a certificate-based authentication vulnerability in domain controllers, Microsoft has published a requirement change to support security identifiers on Certificates for authentication purposes.
A Security Identifier (SID) is a unique identification number that a computer or domain controller uses to identify a user. It can be displayed by running the command 'whoami /user' on a Windows computer.
The GCC EPKI API will be updated by July 31, 2023 to accept a SID (Security Identifier) parameter so that a user can provide a value. This parameter will be optional until the effective date of November 14, 2023.
IMPORTANT: New EPKI API documentation is available here: https://www.globalsign.com/en/repository/globalsign-api-for-epki-user-guide.pdf
The SID parameter will be added to the following API commands:
<ns2:OrderAndIssueCertificate xmlns:ns2="https://system.globalsign.com/cr/ws/">
<Request>
<OrderRequestHeader>
<AuthToken>
<UserName> 30 String
<Password> 30 String
</AuthToken>
</OrderRequestHeader>
<ProfileID> MP20xxxxxxxxx
<ProductCode> EPKIPSDept, EPKIPSPersonal, EPKIPSPersonalPro, ePkiSmimeOnly
<Year> 1, 2, or 3
<CSR> 4000 String
<EFSOption>? true/false
<UPN>? 64 String
<SID>? 64 String
<SANRFC822EmailAddress> 255 String
<DnAttributes>
<CommonName> 64 String
(<OrganizationUnit>)? 64 String
(<OrganizationUnit>)? 64 String
(<OrganizationUnit>)? 64 String
(<Email>)? 255 String
</DnAttributes>
<SubscriberEmailAddress> 255 String
<PickupPassword> 256 String
(<EmailLanguage>)? 2 String
(<Extensions>
(<Extension>
<Name> 30 String
<Value> 30 String
</Extension>)*
</Extensions>)?
</Request>
</OrderAndIssueCertificate>
<ns2:OrderPkcs12 xmlns:ns2="https://system.globalsign.com/cr/ws/">
<Request>
<OrderRequestHeader>
<AuthToken>
<UserName> 30 String
<Password> 30 String
</AuthToken>
</OrderRequestHeader>
<ProfileID> MP20xxxxxxxxx
<PKCS12PIN> 117 String
<ProductCode> EPKIPSDept, EPKIPSPersonal, EPKIPSPersonalPro, ePkiSmimeOnly
<Year> 1, 2, or 3
<EFSOption>? true/false
<UPN>? 64 String
<SID>? 64 String
<SANRFC822EmailAddress> 255 String
<Renew>? true/false
<DnAttributes>
<CommonName> 64 String
(<OrganizationUnit>)? 64 String
(<OrganizationUnit>)? 64 String
(<OrganizationUnit>)? 64 String
(<Email>)? 255 String
</DnAttributes>
<SubscriberEmailAddress>? 255 String
(<EmailLanguage>)? 2 String
(<Extensions>
(<Extension>
<Name> 30 String
<Value> 30 String
</Extension>)*
</Extensions>)?
</Request>
</OrderPkcs12>
<ns2:OrderCertificate xmlns:ns2="https://system.globalsign.com/cr/ws/">
<Request>
<OrderRequestHeader>
<AuthToken>
<UserName> 30 String
<Password> 30 String
</AuthToken>
</OrderRequestHeader>
<ProfileID> MP20xxxxxxxxx
<ProductCode> EPKIPSDept, EPKIPSPersonal, EPKIPSPersonalPro, ePkiSmimeOnly
<Year> 1,2,3
<HasCSR>? true/false
<PKCS12Option>? true/false
<HasFortify>? true/false (ignore this)
<EFSOption>? true/false
<UPN>? 255 String
<SID>? 255 String
<SANRFC822EmailAddress> 255 String
<DnAttributes>
<CommonName> 64 String
(<OrganizationUnit>)? 64 String
(<OrganizationUnit>)? 64 String
(<OrganizationUnit>)? 64 String
<Email> 255 String
</DnAttributes>
<SubscriberEmailAddress> 255 String
<PickupPassword> 256 String
(<EmailLanguage>)? 2 String
(<Extensions>
(<Extension>
<Name> 30 String
<Value> 30 String
</Extension>)*
</Extensions>)?
</Request>
</OrderCertificate>
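A client-side check before the SID is placed in a request, as an added example that is not GlobalSign's code: it pulls the SID out of 'whoami /user' output, validates its structure, and enforces the per-command length limits from the listings above. The function names and the sample account are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Maximum <SID> length listed on this page for each API command.
SID_MAX_LEN = {"OrderAndIssueCertificate": 64, "OrderPkcs12": 64, "OrderCertificate": 255}
# String form S-1-<identifier authority>-<1 to 15 sub-authorities>.
SID_RE = re.compile(r"(?<![\w-])S-1-\d+(?:-\d+){1,15}(?![\w-])")


def extract_sid(whoami_output):
    """Return the single SID found in `whoami /user` output."""
    found = SID_RE.findall(whoami_output)
    if len(found) != 1:
        raise ValueError(f"expected exactly one SID, found {len(found)}")
    return found[0]


def validate_sid(sid, command):
    """Check SID structure and the length limit for the given API command."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a well-formed SID string")
    _, _, authority, *subs = sid.split("-")
    if int(authority) >= 2**48:
        raise ValueError("identifier authority exceeds 48 bits")
    if any(int(s) >= 2**32 for s in subs):
        raise ValueError("sub-authority exceeds 32 bits")
    if len(sid) > SID_MAX_LEN[command]:
        raise ValueError(f"SID longer than {SID_MAX_LEN[command]} characters")
    return sid


def sid_element(whoami_output, command):
    """Build the <SID> element (escaped by ElementTree) for `command`."""
    elem = ET.Element("SID")
    elem.text = validate_sid(extract_sid(whoami_output), command)
    return ET.tostring(elem, encoding="unicode")


# Constructed sample of `whoami /user` output (not a real account).
SAMPLE = """\
USER INFORMATION
----------------

User Name        SID
================ ==============================================
example\\jdoe     S-1-5-21-1111111111-2222222222-3333333333-1105
"""

if __name__ == "__main__":
    print(sid_element(SAMPLE, "OrderAndIssueCertificate"))
```

A SID that fits the 255-character limit of OrderCertificate can still exceed the 64-character limit of the other two commands, so validate against the command actually being called.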