184.108.40.206.2.1.4 CA Policy Algorithm
In addition to the rules specified in section 220.127.116.11.18.104.22.168.3, the server MUST adhere to the processing rules described in this section and subsections that describe how the CA policy algorithm has to be implemented using certificate templates:
1. The server MUST compare the version of the requested certificate template to the version of the certificate template stored in its certificate template table. See section 22.214.171.124.126.96.36.199.
2. The server MUST verify that the requester has enroll permission on the requested certificate template by invoking the processing rules in Verify End Entity Permissions (section 188.8.131.52.184.108.40.206), with the input parameter Input_ntSecurityDescriptor set to the ntSecurityDescriptor attribute of the certificate template and Input_SID set equal to the Per_Request.Caller_SID ADM element.
3. The server MUST construct the issued certificate. It MUST adhere to the processing rules on the certificate template attributes as specified in section 220.127.116.11.18.104.22.168. If the certificate template object has an msPKI-Template-Schema-Version attribute and it is set to 2, 3, or 4, the CA MUST also adhere to processing rules specified in section 22.214.171.124.126.96.36.199.
The certificate templates data structure is specified in [MS-CRTD].
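The following Python model of the three checks above is an added illustration, not code from the specification or from any CA implementation. The type and function names, the exact-match version rule, the first-matching-ACE evaluation, and the use of group SIDs alongside the caller SID are simplifying assumptions; the sample SIDs and template table are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ENROLL_RIGHT = "0e10c968-78fb-11d2-90d4-00c04f79dc55"  # Certificate-Enrollment extended right
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS

@dataclass(frozen=True)
class Ace:                             # hypothetical, simplified ACE
    allow: bool                        # False models an access-denied ACE
    sid: str
    mask: int
    object_type: Optional[str] = None  # None: ACE covers every extended right

@dataclass(frozen=True)
class Template:                        # hypothetical row of the template table
    version: int
    schema_version: int                # msPKI-Template-Schema-Version
    dacl: tuple                        # ordered ACEs from ntSecurityDescriptor

def has_enroll(dacl, sids):
    """First ACE matching the caller and the Enroll right decides; no match denies."""
    for ace in dacl:
        if ace.sid not in sids or not (ace.mask & CONTROL_ACCESS):
            continue
        if ace.object_type in (None, ENROLL_RIGHT):
            return ace.allow
    return False

def ca_policy(template_name, requested_version, sids, table):
    tmpl = table.get(template_name)
    if tmpl is None:
        return "deny: unknown template"
    # Step 1, simplified to an exact match (assumption; the real rule is in the referenced section).
    if requested_version != tmpl.version:
        return "deny: template version mismatch"
    # Step 2: Enroll permission on the template's security descriptor.
    if not has_enroll(tmpl.dacl, sids):
        return "deny: no enroll permission"
    # Step 3: issue; schema versions 2, 3 and 4 bring in the additional rules.
    if tmpl.schema_version in (2, 3, 4):
        return "issue: schema v2-v4 rules also apply"
    return "issue: base template rules"

# Constructed sample data: SIDs and the template entry are made up for illustration.
USERS, CONTRACTORS, ALICE = "S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1200", "S-1-5-21-1-2-3-1105"
TABLE = {
    "User": Template(100, 2, (Ace(False, CONTRACTORS, CONTROL_ACCESS, ENROLL_RIGHT),
                              Ace(True, USERS, CONTROL_ACCESS, ENROLL_RIGHT))),
}
```

When auditing templates, the same walk over the DACL shows which principals a CA would accept at step 2, which is where overly broad Enroll grants surface.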