3.2.2.6.2.1.4 CA Policy Algorithm

In addition to the rules specified in section 3.2.1.4.2.1.4.1.3, the server MUST adhere to the processing rules described in this section and its subsections, which describe how the CA policy algorithm is implemented using certificate templates:

  1. The server MUST verify that the request contains an identifier to a configured certificate template and is for a template configured to be issued by this CA. See section 3.2.2.6.2.1.4.1.

  2. The server MUST compare the version of the requested certificate template to the version of the certificate template stored in its certificate template table. See section 3.2.2.6.2.1.4.2.

  3. The server MUST verify that the requester has enroll permission on the requested certificate template, by invoking the processing rules in section Verify End Entity Permissions (section 3.2.2.6.2.1.4.3) with input parameter Input_ntSecurityDescriptor set to the ntSecurityDescriptor attribute of the certificate template, and Input_SID set equal to the Per_Request.Caller_SID ADM element.

  4. The server MUST construct the issued certificate. It MUST adhere to the processing rules on the certificate template attributes as specified in section 3.2.2.6.2.1.4.1. If the certificate template object has an msPKI-Template-Schema-Version attribute and it is set to 2, 3, or 4, the CA MUST also adhere to processing rules specified in section 3.2.2.6.2.1.4.2.

The certificate templates data structure is specified in [MS-CRTD].
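The four steps above, as an added example that is not part of MS-WCCE or any Windows implementation: a Python model of the CA policy algorithm over constructed template records, where a set of SIDs stands in for the ntSecurityDescriptor Enroll ACL, the template version is a plain revision number, and a version mismatch in step 2 is treated as a denial (an assumption of this model; the real handling is in section 3.2.2.6.2.1.4.2).

```python
# Added example, not MS-WCCE or Windows code: a simplified model of the four
# policy steps; templates, SIDs and the Enroll ACL are constructed stand-ins.
from dataclasses import dataclass
class PolicyError(Exception): pass

@dataclass(frozen=True)
class CertificateTemplate:
    oid: str               # msPKI-Cert-Template-OID stand-in
    revision: int          # stand-in for the template version
    schema_version: int    # msPKI-Template-Schema-Version
    enroll_sids: frozenset # SIDs holding Enroll (ntSecurityDescriptor stand-in)
    validity_days: int

@dataclass(frozen=True)
class CAState:
    templates: dict        # certificate template table: name -> template
    issuable: frozenset    # template names this CA is configured to issue

def verify_end_entity_permissions(input_ntsd, input_sid):
    # Section 3.2.2.6.2.1.4.3 reduced to: does the caller SID hold Enroll?
    return input_sid in input_ntsd

def ca_policy(ca, request, caller_sid):
    name = request.get("template")
    # Step 1: the request names a configured template that this CA issues.
    if name not in ca.templates:
        raise PolicyError("request does not identify a configured template")
    if name not in ca.issuable:
        raise PolicyError(f"CA is not configured to issue {name}")
    tmpl = ca.templates[name]
    # Step 2: compare versions (assumption here: any mismatch denies issuance).
    if request.get("template_version") != tmpl.revision:
        raise PolicyError(f"template version mismatch for {name}")
    # Step 3: enroll permission, with Input_SID = Per_Request.Caller_SID.
    if not verify_end_entity_permissions(tmpl.enroll_sids, caller_sid):
        raise PolicyError(f"{caller_sid} lacks Enroll on {name}")
    # Step 4: build the certificate from template attributes, not request claims.
    cert = {"subject": request["subject"], "validity_days": tmpl.validity_days}
    if tmpl.schema_version in (2, 3, 4):
        cert["template_oid"], cert["template_revision"] = tmpl.oid, tmpl.revision
    return cert

# Constructed sample CA: WebServer is issuable here, CodeSigning is not.
USER = "S-1-5-21-1-1-1-1105"
DEMO_CA = CAState(
    templates={"WebServer": CertificateTemplate("1.3.6.1.4.1.311.21.8.1", 4, 2,
                                                frozenset({USER}), 365),
               "CodeSigning": CertificateTemplate("1.3.6.1.4.1.311.21.8.2", 1, 1,
                                                  frozenset({USER}), 730)},
    issuable=frozenset({"WebServer"}))
```

A request for a template the CA does not issue, a stale template version, or a caller SID without Enroll is refused before any certificate is built, and the issued fields come from the template rather than from the request.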