3.10 Example 10: Certificate Denied Due to Out-of-Sync Certificate Templates

This example represents another failure scenario for the Enroll for a Certificate - End Entity use case described in section 2.5.3.1. This example builds on the example in section 3.3 and describes a situation where two Active Directory servers are out-of-sync, resulting in a version mismatch between the certificate templates that are used by client and server. Due to this mismatch, the server rejects the request. Later, after the directory is synchronized, the client submits another request that results in the certificate being issued.

Initial System state and Prerequisites

This example is based on the following assumptions, in addition to those described in the example in section 3.3:

  • There is more than one Active Directory server on this network that replicates periodically.

  • Active Directory replication occurs, as discussed in [MS-DRSR].

  • A CA administrator has the appropriate security permissions to make modifications to certificate templates that are stored within Active Directory. Modifications made to Active Directory are performed as specified within [MS-ADTS].

Sequence

The process and specific message flow in this example are as follows:

A. Query for available certificate templates from Active Directory server

B. Modify certificate templates with new policies

C. Request for a certificate

D. DRSR Directory replication

E. Request for a certificate

A. Query for certificate templates from the Active Directory server

Figure 35: Query for certificate templates from the Active Directory server

  1. Upon startup, the CA-WCCE server requests the Active Directory server for certificate template data via an LDAP search request, as described in [MS-WCCE] section 3.2.2.1.

  2. The Active Directory server processes the request and responds with certificate template data in the format that is specified in [MS-WCCE] section 3.2.2.1.1.

  3. The CA-WCCE server registers itself to receive change notifications, as specified in [MS-ADTS] section 3.1.1.3.4.1.9, so that it is notified whenever an attribute of a certificate template is modified. This keeps its copy of the templates up to date without having to retrieve them for each request.

B. Modify certificate templates with new policies

Figure 36: Modify certificate templates after Directory replication

  1. Later, the two Active Directory servers replicate their information between each other, as specified in [MS-DRSR].

  2. After the replication, a CA administrator, by using an LDAP client, modifies some of the certificate templates with new policies on Active Directory Server 2. Modifications to Active Directory are performed as detailed in [MS-ADTS].

C. Request for a certificate

Figure 37: Request for a certificate

  1. The WCCE client requests the certificate templates from the Active Directory server via an LDAP search request, as described in [MS-WCCE] section 3.2.2.1.

  2. The Active Directory server responds with certificate templates in the format that is specified in [MS-WCCE] section 3.2.2.1.

  3. The client creates a PKCS#10 request that is based on one of the certificate templates and submits it to the CA by calling the Request method specified in [MS-WCCE] section 3.1.2.4.2.

  4. As described in [MS-WCCE] section 3.2.2.6.2.1.4.2, the CA's policy algorithm verifies the certificate template version. The changes made on Active Directory Server 2 have not yet replicated to Active Directory Server 1. Because the CA has not been notified of the change to the template and the CA's certificate template instance is of an older version, the CA rejects the request and replies with error CERTSRV_E_BAD_TEMPLATE_VERSION.

D. DRSR Directory Replication

Figure 38: DRSR Directory Replication

  1. Later, the two Active Directory servers replicate their information between each other, as specified in [MS-DRSR].

E. Request for a certificate

Figure 39: Request for a certificate

  1. Later, the client attempts the request for the same certificate again, in the same way as in step 8.

  2. This time, the CA has been notified of the change in Active Directory, because it registered for asynchronous notifications in step 2.

  3. The CA retrieves the updated certificate template data from the Active Directory Server 1, as specified in [MS-WCCE] section 3.2.2.1.1.

  4. The CA checks the policy defined by the certificate template and issues the certificate. The CA constructs the new certificate, as defined by the certificate template (see [MS-WCCE] section 3.2.2.6.2.1.4), and returns the new certificate to the client.
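The five steps above, replayed as a toy model in Python. This is an added example, not code from [MS-WCCE] or from this document: the numeric HRESULT value, the template OID, the two-replica replication rule and the simplified "request newer than the CA's cached copy" version check are all assumptions made for the model.

```python
from dataclasses import dataclass, replace

# Error name from the page; the HRESULT value, OID and comparison rule are assumptions of this model.
CERTSRV_E_BAD_TEMPLATE_VERSION = 0x80094807
S_OK = 0
TEMPLATE_OID = "1.3.6.1.4.1.311.21.8.1.1.1"   # constructed template OID

@dataclass(frozen=True)
class Template:                     # AD attributes revision / msPKI-Template-Minor-Revision
    oid: str
    major: int
    minor: int

class DirectoryServer:
    """Toy Active Directory replica: holds templates, replicates, fires change notifications."""
    def __init__(self, templates=()):
        self.templates, self.subscribers = {t.oid: t for t in templates}, []
    def search(self, oid):                       # stands in for the LDAP search of [MS-WCCE] 3.2.2.1
        return self.templates[oid]
    def register_change_notification(self, callback):   # [MS-ADTS] change notification
        self.subscribers.append(callback)
    def _store(self, template):
        self.templates[template.oid] = template
        for cb in self.subscribers:              # local edits and replicated changes both notify
            cb(template.oid)
    def modify(self, oid, major, minor):         # administrator edits a template on this replica
        self._store(replace(self.templates[oid], major=major, minor=minor))
    def replicate_from(self, other):             # one-way [MS-DRSR]-style sync: newer version wins
        for oid, t in other.templates.items():
            mine = self.templates.get(oid)
            if mine is None or (t.major, t.minor) > (mine.major, mine.minor):
                self._store(t)

class CertificationAuthority:
    """CA that caches templates from one replica and refreshes a template when notified."""
    def __init__(self, directory):
        self.directory, self.cache = directory, dict(directory.templates)   # steps A.1/A.2
        directory.register_change_notification(self._refresh)                # step A.3
    def _refresh(self, oid):
        self.cache[oid] = self.directory.search(oid)
    def request(self, requested):                # requested: Template the client's PKCS#10 is based on
        known = self.cache[requested.oid]
        if (requested.major, requested.minor) > (known.major, known.minor):  # CA copy is older
            return CERTSRV_E_BAD_TEMPLATE_VERSION, None
        return S_OK, f"certificate from {known.oid} v{known.major}.{known.minor}"

def run_scenario():
    ad1, ad2 = DirectoryServer([Template(TEMPLATE_OID, 100, 3)]), DirectoryServer()
    ad2.replicate_from(ad1)                          # B.1: replicas start in sync
    ca = CertificationAuthority(ad1)                 # A: CA reads AD1 and subscribes to changes
    ad2.modify(TEMPLATE_OID, 101, 0)                 # B.2: admin changes policy on AD2 only
    first = ca.request(ad2.search(TEMPLATE_OID))     # C: client read AD2's newer template, rejected
    ad1.replicate_from(ad2)                          # D: AD1 catches up, CA is notified
    second = ca.request(ad2.search(TEMPLATE_OID))    # E: retry now issues
    return first, second
```

For troubleshooting, the interesting observable is the first result: a CERTSRV_E_BAD_TEMPLATE_VERSION that clears on its own after the next replication cycle points at directory convergence, not at the client or the template itself.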

Final System state