The CA consists of two distinct groups of components. One group is responsible for certificate enrollment and the other for CA system administration. The two groups communicate through shared data, and the interaction between them is defined in [MS-WCCE] and [MS-CSRA].
The following diagrams show the protocols and their interaction with shared data.
Figure 5: Certificate authority (CA) in stand-alone mode
Figure 6: Certificate authority (CA) in enterprise mode
CA policy algorithm
The CA policy algorithm is a required component of the system. Every request for a new or renewed certificate is subject to it: the policy algorithm determines whether the request is fulfilled, denied, or set to pending for administrator approval. For example, a system implementing the enterprise CA functionality specified in [MS-WCCE] section 3.2.2 verifies that the requester has Enroll permission on the requested certificate template before the request can be fulfilled. The policy algorithm and the rules for its implementation are defined in [MS-WCCE] sections 3.2.1.4.2.1.4.5 and 3.2.2.6.2.1.4.
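The three-way decision described above, modelled as an added example (this is not code from the page or from Microsoft's CA implementation): each request is checked against the Enroll right on the requested template and comes out issued, denied, or pending. The domain SIDs, template names, and the requires_manager_approval issuance flag are constructed for illustration; a real enterprise CA performs further checks defined in [MS-WCCE] that are not modelled here.

```python
"""Model of an enterprise CA's policy decision (added example, not MS-WCCE text).

Constructed assumptions, not taken from the page: a template's access control
is modelled as the set of SIDs that hold the Enroll right, and a template may
carry a hypothetical 'requires_manager_approval' issuance setting that routes
otherwise-valid requests to the pending state.
"""
from dataclasses import dataclass
from enum import Enum


class Disposition(Enum):
    ISSUED = "issued"      # request fulfilled
    DENIED = "denied"      # request refused
    PENDING = "pending"    # held for administrator (certificate manager) approval


@dataclass(frozen=True)
class Template:
    name: str
    enroll_sids: frozenset                    # SIDs granted Enroll on the template
    requires_manager_approval: bool = False   # hypothetical issuance requirement


@dataclass(frozen=True)
class Request:
    requester_sids: frozenset   # requester's own SID plus its group SIDs (token)
    template_name: str
    renewal: bool = False       # new and renewed requests are both policy-checked


def policy_decision(req: Request, templates: dict) -> tuple:
    """Return (Disposition, reason) for one certificate request."""
    tpl = templates.get(req.template_name)
    if tpl is None:
        # A request naming a template the CA does not publish cannot be issued.
        return Disposition.DENIED, "template not offered by this CA"
    # Enroll check: any SID in the requester's token that holds Enroll suffices.
    if not (req.requester_sids & tpl.enroll_sids):
        return Disposition.DENIED, "requester lacks Enroll permission on template"
    if tpl.requires_manager_approval:
        return Disposition.PENDING, "held for certificate manager approval"
    return Disposition.ISSUED, "policy checks passed"


# Constructed sample data: fictitious SIDs in a made-up domain S-1-5-21-1000-2000-3000.
DOMAIN = "S-1-5-21-1000-2000-3000"
DOMAIN_USERS = f"{DOMAIN}-513"
DOMAIN_COMPUTERS = f"{DOMAIN}-515"
WEB_ADMINS = f"{DOMAIN}-1105"
ALICE = f"{DOMAIN}-1201"
SRV01 = f"{DOMAIN}-1302"

TEMPLATES = {
    "User": Template("User", frozenset({DOMAIN_USERS})),
    "Machine": Template("Machine", frozenset({DOMAIN_COMPUTERS})),
    "WebServer": Template("WebServer", frozenset({WEB_ADMINS}),
                          requires_manager_approval=True),
}


def evaluate_sample_requests() -> dict:
    """Run the policy over constructed requests; result keyed by a short label."""
    requests = {
        "alice_user": Request(frozenset({ALICE, DOMAIN_USERS}), "User"),
        "alice_renew_user": Request(frozenset({ALICE, DOMAIN_USERS}), "User", renewal=True),
        "alice_machine": Request(frozenset({ALICE, DOMAIN_USERS}), "Machine"),
        "alice_webserver": Request(frozenset({ALICE, DOMAIN_USERS, WEB_ADMINS}), "WebServer"),
        "srv01_unknown": Request(frozenset({SRV01, DOMAIN_COMPUTERS}), "CodeSigning"),
    }
    return {label: policy_decision(r, TEMPLATES)[0] for label, r in requests.items()}


if __name__ == "__main__":
    for label, disposition in evaluate_sample_requests().items():
        print(f"{label:18} -> {disposition.value}")
```

Note that the Enroll check is a set intersection over the requester's whole token, so a right granted to a group the requester belongs to is enough; a request naming a template the CA does not offer is denied before any permission check runs.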
CA exit algorithm
The CA exit algorithm is an optional internal component responsible for post-processing of a request after the policy decision has been made, which can include communicating with other systems over another protocol. For example, the CA could send email notifications to the end entity and the system administrator when a new certificate is generated. Because it is post-processing, the exit algorithm takes no part in the fulfilled, denied, or pending decision; that is the policy algorithm's role. The exit algorithm and the rules for its implementation are defined in [MS-WCCE] section 3.2.1.4.2.1.4.9.
CA data storage
The method used for data storage is independent of the protocols and interfaces described in this document. The implementer can use a general-purpose database, files stored in the operating system's native file system, or any other mechanism. Whatever the mechanism, the data that has to be stored is described in [MS-WCCE] section 3 and [MS-CSRA] section 3, and it is this shared data through which the enrollment and administration components coordinate.