1.3.3.1 Template IDs

Certificate templates are designed to be stored in Active Directory, although any directory accessible by LDAP can hold certificate templates.<3>

Certificate templates constitute data that are shared among multiple computers and that therefore might not be current.

To accommodate nonfreshness of certificate templates, the certificate template data structure, as specified in [MS-CRTD], includes fields that can address freshness. These are:

  • msPKI-Cert-Template-OID: The template's OID

  • revision: The template's major revision number

  • msPKI-Template-Minor-Revision: The template's minor revision number

If a customer who modifies a template would like to distinguish the new template from the previous one, that customer either can generate a new OID for the modified template, or can give the new template a higher major or minor revision value.<4>

If client software requires a template of a particular revision level or a particular OID, it can request a template by that OID and revision value. If the CA with which the client is communicating has a template with that OID and at least that revision value, the request proceeds; otherwise, the protocol returns an error to the client. For more information, see section 3.1.2.4.2.2 and its subsections.

Note The protocol does not guarantee that the client and server implementations connect to the same Active Directory instance to retrieve templates. In addition, [MS-ADTS] does not guarantee that at any time two instances of Active Directory will be in sync and store the same data. Because of these limitations, the following scenarios are possible:

  • Permission changes are available to the client but are not available to the server, and vice versa.

  • Template modifications are available to the client but are not available to the server, and vice versa.

Certificate templates were designed to resolve some of the sync issues by allowing the client to identify the version of the certificate template it used when constructing the request. Specifications for the syntax of the template revision can be found in section 2.2.2.7.7.2.

In case of template version mismatch between the client and the server, the server fails a request that refers to a template with a higher version than the server has in its replica. If the server has a higher version than the one requested, the server uses the highest version available.
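The following Python example is added here to illustrate both the three freshness fields listed above and the version-mismatch rule in the preceding paragraph. It is not code from MS-WCCE or from any CA implementation. It DER-encodes and decodes the CertificateTemplate extension value (templateID OID, templateMajorVersion, optional templateMinorVersion, as laid out in section 2.2.2.7.7.2) that a client places in its request, and then applies the CA-side check against a directory replica modelled as a small in-memory table. Two points are assumptions of this example rather than statements of the protocol: a request that omits the minor version is treated as minor version 0, and (major, minor) pairs are compared lexicographically. The template OID and the replica contents are constructed sample data.

```python
"""CertificateTemplate extension (szOID_CERTIFICATE_TEMPLATE) DER round trip and the
CA-side revision check. Illustrative code, not from MS-WCCE or any CA product."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SZOID_CERTIFICATE_TEMPLATE = "1.3.6.1.4.1.311.21.7"   # extension OID carrying the structure

# ---- minimal DER helpers: SEQUENCE, OBJECT IDENTIFIER, non-negative INTEGER ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                       # base-128, high bit = more bytes follow
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der_tlv(0x06, bytes(out))

def der_uint(n: int) -> bytes:
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("TemplateVersion is INTEGER (0..4294967295)")
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                         # keep the two's-complement value positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        k = ln & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("bad long-form length")
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + ln], pos + ln

def parse_oid(body: bytes) -> str:
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

@dataclass(frozen=True)
class CertificateTemplate:
    """SEQUENCE { templateID OID, templateMajorVersion INTEGER,
    templateMinorVersion INTEGER OPTIONAL }"""
    template_id: str
    major: int
    minor: Optional[int] = None

    def encode(self) -> bytes:
        parts = der_oid(self.template_id) + der_uint(self.major)
        if self.minor is not None:
            parts += der_uint(self.minor)
        return _der_tlv(0x30, parts)

    @classmethod
    def decode(cls, der: bytes) -> "CertificateTemplate":
        tag, body, end = _read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            raise ValueError("expected exactly one SEQUENCE")
        fields, pos = [], 0
        while pos < len(body):
            tag, fbody, pos = _read_tlv(body, pos)
            fields.append((tag, fbody))
        if [t for t, _ in fields] not in ([0x06, 0x02], [0x06, 0x02, 0x02]):
            raise ValueError("unexpected field layout")
        ints = [int.from_bytes(b, "big", signed=True) for _, b in fields[1:]]
        return cls(parse_oid(fields[0][1]), ints[0], ints[1] if len(ints) == 2 else None)

@dataclass(frozen=True)
class TemplateReplica:
    """The three freshness attributes of one template in the CA's directory replica."""
    oid: str               # msPKI-Cert-Template-OID
    revision: int          # revision (major)
    minor_revision: int    # msPKI-Template-Minor-Revision

def evaluate_request(ext_der: bytes, replica: Dict[str, TemplateReplica]
                     ) -> Tuple[str, Optional[TemplateReplica]]:
    """CA-side rule from the text. Example's assumption: a missing minor version
    counts as 0, and (major, minor) pairs compare lexicographically."""
    req = CertificateTemplate.decode(ext_der)
    entry = replica.get(req.template_id)
    if entry is None:
        return "error: unknown template OID", None
    wanted = (req.major, req.minor if req.minor is not None else 0)
    if wanted > (entry.revision, entry.minor_revision):
        return "error: request names a newer revision than the CA replica", None
    return "issue with the CA's highest available revision", entry

if __name__ == "__main__":
    # Constructed sample OID and replica; not real directory data.
    oid = "1.3.6.1.4.1.311.21.8.1234567.7654321.1122334.4433221.9876543.123456.7654321"
    replica = {oid: TemplateReplica(oid, revision=100, minor_revision=3)}
    for req in (CertificateTemplate(oid, 100, 2), CertificateTemplate(oid, 101),
                CertificateTemplate("1.2.3", 1)):
        print(req, "->", evaluate_request(req.encode(), replica)[0])
```

Running the module prints one decision per constructed request: the request at revision 100.2 is issued from the replica's 100.3 entry, the request at revision 101 is refused because the CA's replica is older, and the unknown OID is refused outright. A client that wants to diagnose the first refusal should compare the three attributes it read from its own directory replica with the ones the CA reports, since the note above explains that the two may legitimately differ.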