3.2.1.4.2.1.4.9 CA Exit Algorithm

The CA MAY implement one or more CA exit algorithms. In a Microsoft CA implementation, the CA exit algorithm is implemented via exit modules. Exit modules do not affect the Windows Client Certificate Enrollment Protocol in any way. The exit modules can perform the following tasks:

  • If the certificate request contained the certFile attribute (specified in section 2.2.2.7.10), the default exit module publishes the issued certificate to the UNC path as specified in section 2.2.2.7.10.

  • If the CA administrator configured the exit module to send email notifications on certificate issuance as specified in [MSFT-EXITMAIL], then the exit module sends email notifications.

The exit module can be configured as described in [MSFT-MODULES]. It can also be replaced as described in [MSDN-ICERTEXIT2].

If the CA implements exit algorithms, these algorithms SHOULD be stored in the Config_CA_Exit_Algorithm_Implementation_List data field, and MUST be triggered by the issuance of a certificate.

The CA SHOULD store the information about the number of CA exit algorithms it implements and their description in Config_CA_Exit_Count and Config_CA_Exit_Description_List respectively. This information can be requested by a client as described in sections 3.2.1.4.3.2.3 and 3.2.1.4.3.2.4.
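The following PowerShell is an added example for a configuration review, not part of the specification. It lists the exit modules a CA reports to clients (the count and description fields above) and, when run on the CA host, shows which exit modules are active and whether the default exit module has file publishing enabled. The config string is a constructed placeholder. The property IDs, the `EXITPUB_FILE` flag and the registry layout come from the Windows SDK headers and the Microsoft CA implementation, not from this section.

```powershell
# Added example for a configuration review; not taken from the specification.
param([string]$Config = 'ca01.example.test\Example Issuing CA')  # constructed placeholder

# Values from certcli.h and certsrv.h (assumed from the Windows SDK, not this page).
$CR_PROP_EXITCOUNT       = 3    # number of exit modules (Config_CA_Exit_Count)
$CR_PROP_EXITDESCRIPTION = 4    # indexed description (Config_CA_Exit_Description_List)
$PROPTYPE_LONG           = 1
$PROPTYPE_STRING         = 4
$EXITPUB_FILE            = 0x1  # default exit module may publish certificates to files

# What a client can request over the protocol: exit module count and descriptions.
function Get-CaExitModule {
    param([string]$Config)
    $req   = New-Object -ComObject CertificateAuthority.Request
    $count = $req.GetCAProperty($Config, $CR_PROP_EXITCOUNT, 0, $PROPTYPE_LONG, 0)
    for ($i = 0; $i -lt $count; $i++) {
        [pscustomobject]@{
            Index       = $i
            Description = $req.GetCAProperty($Config, $CR_PROP_EXITDESCRIPTION,
                                             $i, $PROPTYPE_STRING, 0)
        }
    }
}

# What the CA host has configured (run on the CA itself).
function Get-CaExitRegistry {
    $base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $base -Name Active).Active
    $exitKey = Join-Path (Join-Path $base $caName) 'ExitModules'
    foreach ($module in (Get-ItemProperty -Path $exitKey -Name Active).Active) {
        $props = Get-ItemProperty -Path (Join-Path $exitKey $module) `
                                  -Name PublishCertFlags -ErrorAction SilentlyContinue
        $flags = [int]$props.PublishCertFlags   # a missing value is treated as 0
        [pscustomobject]@{
            ExitModule       = $module
            PublishCertFlags = '0x{0:X}' -f $flags
            FilePublishing   = [bool]($flags -band $EXITPUB_FILE)
        }
    }
}

Get-CaExitModule -Config $Config | Format-Table -AutoSize
Get-CaExitRegistry | Format-Table -AutoSize
```

An exit module in the list that is not the Microsoft default one is a replaced or additional module and is worth tracing back to a change record, since it runs on every issuance.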