3.2.2.6.2.1.4.3 Verify End Entity Permissions

Input Parameters:

Input_ntSecurityDescriptor: The ntSecurityDescriptor attribute of the input template.

Input_SID: Contains the SID of the end entity requesting the certificate based on the input template.

Output Parameters:

TRUE or FALSE

Processing Rules:

The server MUST verify that the requester is allowed to enroll for the identified certificate template by following these steps:

  1. Invoke the processing rules in "Determining enrollment permission of an end entity for a template", as specified in [MS-CRTD] section 2.5.1, setting Template_ntSecurityDescriptor equal to Input_ntSecurityDescriptor and Requester_SID equal to Input_SID.

  2. If the enrolling entity does not have the Enroll permission, as determined in the previous step, the CA MUST reject the request. The returned error code MUST be 0x80094012 (CERTSRV_E_TEMPLATE_DENIED).
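
The two steps above, sketched as an added example that is not part of this specification or of any Microsoft implementation. It uses a simplified, hypothetical ACE model rather than the binary security descriptor, assumes ordinary ordered DACL evaluation (the authoritative rules are in [MS-CRTD] section 2.5.1, which this page does not reproduce), and goes beyond the single Input_SID by also accepting the requester's group SIDs.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

ENROLL_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"  # Certificate-Enrollment extended right
CONTROL_ACCESS = 0x00000100            # ADS_RIGHT_DS_CONTROL_ACCESS
CERTSRV_E_TEMPLATE_DENIED = 0x80094012 # error code named in step 2

@dataclass(frozen=True)
class Ace:                             # hypothetical, simplified ACE model
    allow: bool                        # True = allow ACE, False = deny ACE
    sid: str
    mask: int
    object_type: Optional[str] = None  # None = not object-specific

def verify_end_entity_permissions(dacl: Sequence[Ace], input_sid: str,
                                  group_sids: frozenset = frozenset()) -> bool:
    """Return True only if an allow ACE grants Enroll before any deny ACE matches."""
    sids = {input_sid} | set(group_sids)
    for ace in dacl:                   # ACEs are evaluated in stored order
        if ace.sid not in sids or not ace.mask & CONTROL_ACCESS:
            continue
        if ace.object_type is not None and ace.object_type.lower() != ENROLL_GUID:
            continue                   # ACE is for a different extended right
        return ace.allow               # first applicable ACE decides
    return False                       # no applicable ACE: implicit deny

def ca_decision(dacl, input_sid, group_sids=frozenset()) -> int:
    """Step 2: reject with CERTSRV_E_TEMPLATE_DENIED when Enroll is absent."""
    ok = verify_end_entity_permissions(dacl, input_sid, group_sids)
    return 0 if ok else CERTSRV_E_TEMPLATE_DENIED

# Constructed sample DACL and SIDs (not from any real domain).
DOM = "S-1-5-21-1111-2222-3333"
SAMPLE_DACL = [
    Ace(False, f"{DOM}-1105", CONTROL_ACCESS, ENROLL_GUID),   # explicit deny for one user
    Ace(True, f"{DOM}-513", CONTROL_ACCESS, ENROLL_GUID),     # Domain Users may enroll
    Ace(True, f"{DOM}-519", 0x000F01FF),                      # full control, no object type
    Ace(True, "S-1-5-11", 0x00020094),                        # read only
]

if __name__ == "__main__":
    for user, groups in [(f"{DOM}-1106", {f"{DOM}-513"}), (f"{DOM}-1105", {f"{DOM}-513"})]:
        print(user, hex(ca_decision(SAMPLE_DACL, user, frozenset(groups))))
```

When auditing templates, the full-control ACE case matters: a non-object ACE whose mask includes the control-access bit grants Enroll even though the Enroll GUID never appears in it.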