3.9 Example 9: Certificate Denied by the Policy Algorithm

This example represents a failure scenario for the Enroll for a Certificate - End Entity use case described in section 2.5.3.1.

This example builds on the example in section 3.3.

Initial System State and Prerequisites

This example is based on the following assumption, in addition to those described in the example in section 3.3:

  • The caller does not have permission to enroll.

Sequence

The process and specific message flow in this example are as follows:

A. Query for available certificate templates from the Active Directory server

B. Request for a certificate

A. Query for certificate templates from the Active Directory server


Figure 33: Query for available certificate templates from Active Directory server

  1. Upon startup, the CA-WCCE server requests certificate template data from the Active Directory server via an LDAP search request, as described in [MS-WCCE] section 3.2.2.1.

  2. The Active Directory server processes the request and responds with certificate template data in the format that is specified in [MS-WCCE] section 3.2.2.1.1.

  3. The CA-WCCE server registers itself with the Active Directory server to receive change notifications, as specified in [MS-ADTS] section 3.1.1.3.4.1.9, whenever an attribute of a certificate template is modified. This keeps the server's copy of the templates up to date and avoids retrieving the templates for each request.

  4. The end entity, by using the WCCE client, requests the certificate templates from the Active Directory server via an LDAP search request, as described in [MS-WCCE] section 3.2.2.1.

  5. The Active Directory server responds with certificate templates in the format that is specified in [MS-WCCE] section 3.2.2.1.

B. Request for a certificate


Figure 34: Request for a certificate

  1. The end entity, by using the WCCE client component, creates a PKCS#10 request that is based on one of the certificate templates and submits it to the CA by calling the Request method specified in [MS-WCCE] section 3.1.2.4.2.

  2. When the CA receives the request, it runs the policy algorithm to determine whether the certificate is to be issued. The CA examines the ntSecurityDescriptor attribute of the certificate template that corresponds to the request to determine whether the caller has the permissions required to enroll for that template, as specified in [MS-WCCE] section 3.2.2.6.2.1.4.3 and [MS-CRTD] section 2.5. In this example, the caller does not have permission, so the error 0x80094012L (CERTSRV_E_TEMPLATE_DENIED) is returned.

Final System State

  • The CA-WCCE server stores the request fields in the Request table, as specified in [MS-WCCE] sections 3.2.1.4.2.1.4.4 and 3.2.1.4.2.1.4.5, with the status of the certificate (1) request and the end entity details.
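The template-permission check in step B.2 and the disposition recorded in the Request table, modelled as an added Python example (not part of this document or of [MS-WCCE]). It assumes a simplified DACL walk in which the first object ACE matching both a caller SID and the Certificate-Enrollment extended right decides, and all SIDs and template DACLs are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Certificate-Enrollment extended right (real GUID); a template ACE scoped to it grants or denies Enroll.
ENROLL_RIGHT = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
CERTSRV_E_TEMPLATE_DENIED = 0x80094012   # HRESULT returned in step B.2 of this example
S_OK = 0x00000000

@dataclass(frozen=True)
class ObjectAce:
    """One object ACE from a template's ntSecurityDescriptor DACL (simplified model)."""
    ace_type: str                 # "allow" or "deny"
    trustee_sid: str              # SID the ACE applies to
    object_type: Optional[str]    # extended-right GUID, or None = ACE covers every right

def caller_may_enroll(dacl: List[ObjectAce], caller_sids: set) -> bool:
    """Walk the DACL in order; the first ACE matching both a caller SID and the
    Enroll right decides. A DACL with no matching ACE is an implicit deny."""
    for ace in dacl:
        if ace.trustee_sid not in caller_sids:
            continue
        if ace.object_type not in (None, ENROLL_RIGHT):
            continue
        return ace.ace_type == "allow"
    return False

def policy_check(template_dacl: List[ObjectAce], caller_sids: set) -> Tuple[int, str]:
    """Model of the template-permission step of the CA policy algorithm: returns the
    HRESULT handed back to the WCCE client and the disposition recorded in the Request table."""
    if caller_may_enroll(template_dacl, caller_sids):
        return S_OK, "issued"
    return CERTSRV_E_TEMPLATE_DENIED, "denied"

# Constructed sample data (SIDs below are made-up placeholders, not real domain values).
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"
CERT_ADMINS = "S-1-5-21-1000-2000-3000-1105"
ALICE = "S-1-5-21-1000-2000-3000-1201"
ALICE_TOKEN = {ALICE, DOMAIN_USERS}               # Alice is only a domain user
ADMIN_TOKEN = {"S-1-5-21-1000-2000-3000-1202", DOMAIN_USERS, CERT_ADMINS}
# Template whose DACL lets every domain user enroll (the success path of section 3.3).
OPEN_TEMPLATE_DACL = [ObjectAce("allow", DOMAIN_USERS, ENROLL_RIGHT)]
# Template that grants Enroll only to a dedicated group: Alice's request is denied here.
RESTRICTED_TEMPLATE_DACL = [ObjectAce("allow", CERT_ADMINS, ENROLL_RIGHT)]
# An explicit deny listed first wins even though a later ACE would allow the same caller.
DENY_FIRST_DACL = [ObjectAce("deny", CERT_ADMINS, None),
                   ObjectAce("allow", DOMAIN_USERS, ENROLL_RIGHT)]

if __name__ == "__main__":
    hr, disposition = policy_check(RESTRICTED_TEMPLATE_DACL, ALICE_TOKEN)
    print(f"hresult=0x{hr:08X} disposition={disposition}")   # 0x80094012 denied
```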