3.2.2.6.2.1.4.1 Verify Configured Certificate Template

After it receives a request, the server MUST first verify that the request is for a certificate that is based on a configured certificate template by performing the following steps:

  1. The CA MUST retrieve the certificate template identifier from the following four optional locations:

  2. The CA MUST map each of these identifiers to one of the certificate templates in its certificate template table in the following way:

    • A name identifier is mapped to the value of the cn attribute of a certificate template object that is stored in the Certificate_Template_Data column.

    • An OID identifier is mapped to the value of the msPKI-Cert-Template-OID attribute ([MS-CRTD] section 2.20) of a certificate template object that is stored in the Certificate_Template_Data column.

  3. The CA MUST validate that all the certificate template identifiers that are passed in the request are mapped to a single certificate template object. This certificate template is referred to as the certificate template for this request. If there are no certificate template identifiers, the CA MUST return a nonzero error. The error SHOULD be 0x80094800 (CERTSRV_E_UNSUPPORTED_CERT_TYPE). If the certificate template identifiers are mapped to more than one certificate template, the CA MUST return a nonzero error. The error code SHOULD be 0x80094802 (CERTSRV_E_TEMPLATE_CONFLICT).

  4. The CA MUST verify that the value of the Certificate_Template_IsConfigured column of the identified certificate template is True. If the value is False, the CA MUST fail the request. The error code SHOULD be 0x80094800 (CERTSRV_E_UNSUPPORTED_CERT_TYPE).
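The following Python model, added here as an illustration and not part of MS-WCCE or any CA implementation, carries steps 2 through 4 through in code: identifiers are mapped against a constructed template table, the result is checked for a single match, and the IsConfigured column decides the outcome. The data classes, function names, exact-string matching, and the treatment of an identifier that maps to no template (returned as CERTSRV_E_UNSUPPORTED_CERT_TYPE, since the section only states that all identifiers must map to one template) are assumptions of this example; the sample template rows and OIDs are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Error codes named in the section above.
CERTSRV_E_UNSUPPORTED_CERT_TYPE = 0x80094800
CERTSRV_E_TEMPLATE_CONFLICT = 0x80094802


@dataclass
class CertificateTemplate:
    """One row of the CA's certificate template table (assumed subset of columns)."""
    cn: str              # cn attribute of the template object (Certificate_Template_Data)
    template_oid: str    # msPKI-Cert-Template-OID attribute (Certificate_Template_Data)
    is_configured: bool  # Certificate_Template_IsConfigured column


@dataclass
class TemplateIdentifier:
    """A template identifier taken from the request: kind is 'name' or 'oid'."""
    kind: str
    value: str


# Constructed sample table; the OIDs are placeholders, not real template OIDs.
SAMPLE_TABLE = [
    CertificateTemplate("User", "1.3.6.1.4.1.311.21.8.999.1", True),
    CertificateTemplate("Machine", "1.3.6.1.4.1.311.21.8.999.2", True),
    CertificateTemplate("LegacyWebServer", "1.3.6.1.4.1.311.21.8.999.3", False),
]


def map_identifier(table: List[CertificateTemplate],
                   ident: TemplateIdentifier) -> Optional[CertificateTemplate]:
    """Step 2: map a name identifier to cn, an OID identifier to msPKI-Cert-Template-OID.
    Exact string comparison is an assumption of this example."""
    for template in table:
        if ident.kind == "name" and template.cn == ident.value:
            return template
        if ident.kind == "oid" and template.template_oid == ident.value:
            return template
    return None


def verify_configured_template(table: List[CertificateTemplate],
                               identifiers: List[TemplateIdentifier]
                               ) -> Tuple[Optional[CertificateTemplate], int]:
    """Steps 3 and 4. Returns (template, 0) on success or (None, error_code) on failure."""
    # Step 3: no identifiers at all -> unsupported cert type.
    if not identifiers:
        return None, CERTSRV_E_UNSUPPORTED_CERT_TYPE

    matched: List[CertificateTemplate] = []
    for ident in identifiers:
        template = map_identifier(table, ident)
        if template is None:
            # Assumption: an identifier that maps to nothing cannot satisfy
            # "all identifiers map to a single template", so reject as unsupported.
            return None, CERTSRV_E_UNSUPPORTED_CERT_TYPE
        if template not in matched:
            matched.append(template)

    # Step 3: identifiers that resolve to different templates -> conflict.
    if len(matched) > 1:
        return None, CERTSRV_E_TEMPLATE_CONFLICT

    # Step 4: the single identified template must be configured on this CA.
    chosen = matched[0]
    if not chosen.is_configured:
        return None, CERTSRV_E_UNSUPPORTED_CERT_TYPE
    return chosen, 0


if __name__ == "__main__":
    # Name and OID that both point at "User" resolve cleanly.
    req = [TemplateIdentifier("name", "User"),
           TemplateIdentifier("oid", "1.3.6.1.4.1.311.21.8.999.1")]
    print(verify_configured_template(SAMPLE_TABLE, req))
    # Name of one template with the OID of another is a conflict.
    req = [TemplateIdentifier("name", "User"),
           TemplateIdentifier("oid", "1.3.6.1.4.1.311.21.8.999.2")]
    print(hex(verify_configured_template(SAMPLE_TABLE, req)[1]))
```

The conflict branch is the one worth keeping in mind when auditing a CA front end: a request may carry more than one identifier, and the check in step 3 is what prevents a name and an OID that disagree from being silently resolved to whichever was read first.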