3.3 Example 3: Enrollment from an Enterprise CA (Template-based Enrollment)
This example builds on the example in section 3.1 by introducing an enterprise CA. An enterprise CA uses certificate templates for all certificate enrollments. Certificate templates, as defined in [MS-CRTD], contain the data needed for requesting and issuing certificates, and the CA's policy algorithms use them to determine how to respond to certificate requests. In this example, the caller creates a PKCS #10 certificate request, as specified in [MS-WCCE] section 220.127.116.11.3.1.1, that is based on a certificate template. The enterprise CA then uses the template information to decide whether to issue the certificate and, if it does, how to construct the certificate.
Initial System State and Prerequisites
This example of certificate enrollment is based on the following assumptions:
The enterprise CA role is configured on the server to issue the certificates.
The certificate templates are stored in Active Directory as specified by [MS-CRTD].
The sequence of the steps for this example is organized into the following sections:
A. Query for available certificate templates from the Active Directory server.
B. Request for a certificate.
A. Query for available certificate templates from the Active Directory server
Figure 15: Query for available certificate templates from the Active Directory server
The Active Directory server processes the request and responds with certificate template data in the format that is specified in [MS-WCCE] section 18.104.22.168.1.
1. The CA-WCCE server registers itself to receive change notifications, as specified in [MS-ADTS] section 22.214.171.124.4.1.9, so that it is notified whenever an attribute of a certificate template is modified. This keeps its copy of the templates current and avoids retrieving the templates from Active Directory for every request.
2. The WCCE client requests the certificate templates from the Active Directory server by sending an LDAP search request, as described in [MS-WCCE] section 126.96.36.199.
3. The Active Directory server responds with the certificate templates in the format that is specified in [MS-WCCE] section 188.8.131.52.
B. Request for a certificate
Figure 16: Request for a certificate
1. The end entity, using the WCCE client component, creates a PKCS #10 request based on one of the certificate templates and submits it to the CA by calling the Request method specified in [MS-WCCE] section 184.108.40.206.2.
2. The CA checks the policy that is defined in the certificate template and concludes that it is appropriate to issue the certificate (see [MS-WCCE] section 220.127.116.11.2.1.4).
3. The CA constructs a new certificate as defined by the certificate template (see [MS-WCCE] section 18.104.22.168.2.1.4) and returns the new certificate to the client.
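The template check that the CA performs in this step, as an added example that is not code from this page or from [MS-WCCE]: a standard-library Python model that encodes and decodes the V2 certificate template extension that a client places in its PKCS #10 request (assumed here to be OID 1.3.6.1.4.1.311.21.7, a SEQUENCE of template OID, major version and minor version) and then runs a simplified policy decision against a constructed template catalogue. The template OIDs, group names and the decision rules are constructed for illustration only; the real policy algorithm is specified in [MS-WCCE] and is not reproduced here.

```python
"""
Toy model of an enterprise CA's template check: DER encode/decode of the V2
certificate template extension and a simplified policy decision.
Standard library only; all template data below is constructed.
"""
from dataclasses import dataclass

# Assumed: OID of the V2 certificate template extension (szOID_CERTIFICATE_TEMPLATE).
OID_CERTIFICATE_TEMPLATE = "1.3.6.1.4.1.311.21.7"


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der_tlv(0x06, bytes(out))


def _der_uint(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added when the high bit is set."""
    return _der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_template_extension(template_oid: str, major: int, minor: int) -> bytes:
    """SEQUENCE { templateID OID, templateMajorVersion INTEGER, templateMinorVersion INTEGER }."""
    return _der_tlv(0x30, _der_oid(template_oid) + _der_uint(major) + _der_uint(minor))


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_template_extension(der: bytes):
    """Return (template_oid, major, minor); versions are None when absent."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("template extension is not a SEQUENCE")
    fields, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        fields.append((tag, value))
    if not fields or fields[0][0] != 0x06:
        raise ValueError("templateID OID missing")
    versions = [int.from_bytes(v, "big") for t, v in fields[1:] if t == 0x02]
    major = versions[0] if len(versions) > 0 else None
    minor = versions[1] if len(versions) > 1 else None
    return _decode_oid(fields[0][1]), major, minor


@dataclass(frozen=True)
class Template:
    """Constructed stand-in for the template attributes a CA reads from Active Directory."""
    name: str
    oid: str
    major: int
    minor: int
    enroll_allowed: frozenset  # groups granted Enroll on the template (constructed)
    enabled: bool = True


# Constructed catalogue; the OIDs are illustrative and belong to no real forest.
CATALOGUE = {t.oid: t for t in [
    Template("User", "1.3.6.1.4.1.311.21.8.99999.1", 100, 3, frozenset({"Domain Users"})),
    Template("WebServer", "1.3.6.1.4.1.311.21.8.99999.2", 100, 4, frozenset({"Web Admins"})),
]}


def policy_decision(ext_der: bytes, requester_groups: set, catalogue=CATALOGUE) -> str:
    """Simplified policy: template must exist and be enabled, the requested major
    version must match the published one, and the requester needs Enroll rights."""
    oid, major, _minor = decode_template_extension(ext_der)
    tmpl = catalogue.get(oid)
    if tmpl is None or not tmpl.enabled:
        return "denied: unknown or disabled template"
    if major is not None and major != tmpl.major:
        return "denied: stale template version"
    if not (tmpl.enroll_allowed & set(requester_groups)):
        return "denied: requester lacks Enroll permission"
    return f"issued: {tmpl.name}"


if __name__ == "__main__":
    req = encode_template_extension("1.3.6.1.4.1.311.21.8.99999.1", 100, 3)
    print(req.hex())
    print(policy_decision(req, {"Domain Users"}))
    print(policy_decision(req, {"Guests"}))
```

The decision function returns a string rather than raising so that each denial reason can be logged separately; in a real deployment the template version mismatch and the unknown-template cases are the ones worth alerting on, since a request for a template the CA does not publish is a configuration error or a probe, not ordinary enrollment traffic.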
Final System State