3.2.2.6.2.1.4.2 Verify Certificate Template Version

The server MUST verify that the version of the certificate template that is submitted in the request is not newer than the certificate template that the server stores in its certificate template table. The server MUST perform the following steps:

  1. If the certificate template does not have the msPKI-Template-Schema-Version attribute or if the attribute exists and its value is 1, the certificate template version is correct and the server MUST continue processing according to the rules specified in section 3.2.2.6.2.1.4.

  2. If the attribute exists and its value is 2 or 3, the server MUST perform the following steps:

    1. The server MUST inspect the version information specified in the V2 template extension OID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7" (as specified in section 2.2.2.7.7.2). If this extension is not specified in the request, the request is assumed to have (0, 0) as the (major, minor) version for the template.

    2. If the V2 template extension exists in the request and the specified major version is greater than the value of the revision attribute of the certificate template that is stored in the Certificate_Template_Data column, the request MUST be rejected with a disposition of error code CERTSRV_E_BAD_TEMPLATE_VERSION.

    3. If the V2 template extension exists in the request and the specified minor version is greater than the value of the msPKI-Template-Minor-Revision attribute of the certificate template that is stored in the Certificate_Template_Data column, the request MUST be rejected with a disposition of error code CERTSRV_E_BAD_TEMPLATE_VERSION.
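The steps above as an added example (not part of the specification, and not Microsoft's implementation). It shows that the major and minor versions are each compared on their own, so a request with an older major but a newer minor version is still rejected. Assumptions: the template is a dict keyed by attribute name, the extension value is a DER SEQUENCE of the template OID followed by optional major and minor INTEGERs (a layout not shown in this section), and all function names and the sample template OID are made up for the example.

```python
BAD_VERSION = "CERTSRV_E_BAD_TEMPLATE_VERSION"

def _tlv(buf, pos):
    """Read one DER TLV (short or long definite length): (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def request_version(ext_value):
    """(major, minor) from the V2 template extension; (0, 0) when it is absent."""
    if ext_value is None:
        return (0, 0)
    tag, body, _ = _tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0x02:  # INTEGER: major first, then minor
            ints.append(int.from_bytes(val, "big"))
    ints += [0] * (2 - len(ints))  # assumption: an omitted version field reads as 0
    return (ints[0], ints[1])

def verify_template_version(template, ext_value):
    """Return None to continue processing, or the error name to reject."""
    schema = template.get("msPKI-Template-Schema-Version")
    if schema is None or schema == 1:
        return None  # step 1: version is correct
    if schema not in (2, 3):
        raise ValueError("schema version not covered by the steps above")
    major, minor = request_version(ext_value)  # step 2.1
    if major > template["revision"]:  # step 2.2
        return BAD_VERSION
    if minor > template["msPKI-Template-Minor-Revision"]:  # step 2.3
        return BAD_VERSION
    return None

def sample_ext(major, minor):
    """Constructed sample extension value; OID is made up, versions must be < 128."""
    oid = bytes.fromhex("060b2b0601040182371508 0102")
    body = oid + bytes([0x02, 0x01, major, 0x02, 0x01, minor])
    return bytes([0x30, len(body)]) + body
```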