3.2.2.6.2.1.4.1 Verify Configured Certificate Template
After it receives a request, the server MUST first verify that the request is for a certificate that is based on a configured certificate template by performing the following steps:
1. The CA MUST retrieve the certificate template identifier from the following four optional locations:
   - Name: From the CertificateTemplateName structure as specified in section 2.2.2.7.7.1.
   - Name: From the Enrollment-Name-Value pair as specified in section 2.2.2.7.10.
   - Name: From the pwszAttributes parameter of ICertRequestD::Request or ICertRequestD2::Request2 as specified in section 3.2.1.4.2.1.2.
   - OID: From the CertificateTemplateOID structure as specified in section 2.2.2.7.7.2.
2. The CA MUST map each of these identifiers to one of the certificate templates in its certificate template table in the following way:
   - A name identifier is mapped to the value of the cn attribute of a certificate template object that is stored in the Certificate_Template_Data column.
   - An OID identifier is mapped to the value of the msPKI-Cert-Template-OID attribute ([MS-CRTD] section 2.20) of a certificate template object that is stored in the Certificate_Template_Data column.
3. The CA MUST validate that all the certificate template identifiers that are passed in the request are mapped to a single certificate template object. This certificate template is referred to as the certificate template for this request. If there are no certificate template identifiers, the CA MUST return a nonzero error. The error SHOULD be 0x80094800 (CERTSRV_E_UNSUPPORTED_CERT_TYPE). If the certificate template identifiers are mapped to more than one certificate template, the CA MUST return a nonzero error. The error code SHOULD be 0x80094802 (CERTSRV_E_TEMPLATE_CONFLICT).
4. The CA MUST verify that the value of the Certificate_Template_IsConfigured column of the identified certificate template is True. If the value is False, the CA MUST fail the request. The error code SHOULD be 0x80094800 (CERTSRV_E_UNSUPPORTED_CERT_TYPE).
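As an added illustration that is not part of this specification or any CA implementation, the following Python models the resolution and validation steps above over a constructed certificate template table. The table rows, the function name, and the error returned when an identifier matches no row at all (the section does not assign one) are assumptions.

```python
# Added example (not from MS-WCCE): models the template-resolution steps of
# section 3.2.2.6.2.1.4.1 against a constructed certificate template table.
from dataclasses import dataclass

CERTSRV_E_UNSUPPORTED_CERT_TYPE = 0x80094800
CERTSRV_E_TEMPLATE_CONFLICT = 0x80094802


@dataclass(frozen=True)
class TemplateRow:
    """One row of the CA's certificate template table (constructed fields)."""
    cn: str                 # cn attribute of the template object
    template_oid: str       # msPKI-Cert-Template-OID attribute
    is_configured: bool     # Certificate_Template_IsConfigured column


# Constructed sample table; names and OIDs are illustrative only.
TEMPLATE_TABLE = [
    TemplateRow("User", "1.3.6.1.4.1.311.21.8.1.1", True),
    TemplateRow("WebServer", "1.3.6.1.4.1.311.21.8.1.2", True),
    TemplateRow("LegacyVPN", "1.3.6.1.4.1.311.21.8.1.3", False),
]


def resolve_template(names, oids, table=TEMPLATE_TABLE):
    """Return (template, 0) on success or (None, hresult) on failure.

    names: template names collected from the three name locations
    oids:  template OIDs collected from the CertificateTemplateOID structure
    """
    # Step 3, first clause: no identifiers at all -> unsupported cert type.
    if not names and not oids:
        return None, CERTSRV_E_UNSUPPORTED_CERT_TYPE
    # Step 2: map every identifier onto rows of the template table.
    matched = set()
    for n in names:
        matched.update(r for r in table if r.cn == n)            # cn match
    for o in oids:
        matched.update(r for r in table if r.template_oid == o)  # OID match
    # Step 3: all identifiers must resolve to exactly one template object.
    if len(matched) > 1:
        return None, CERTSRV_E_TEMPLATE_CONFLICT   # name and OID disagree
    if not matched:
        # Assumption: an identifier matching no row is treated as unsupported.
        return None, CERTSRV_E_UNSUPPORTED_CERT_TYPE
    template = matched.pop()
    # Step 4: the resolved template must be configured on this CA.
    if not template.is_configured:
        return None, CERTSRV_E_UNSUPPORTED_CERT_TYPE
    return template, 0
```

The conflict case is the one worth exercising: a request that names one template in pwszAttributes and a different one via the CertificateTemplateOID structure must be rejected with CERTSRV_E_TEMPLATE_CONFLICT rather than silently favouring either identifier.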