3.2 Server Role
The server implements the interfaces as specified in sections 3.2.1 and 3.2.2 of this protocol specification.
The server MUST implement a CA policy algorithm as described in section 3.2.1.4.2.1.4.5 or section 3.2.2.6.2.1.4.
The server MUST implement the standalone CA mode functionality specified in section 3.2.1 (except for section 3.2.1.4.3).
The server SHOULD implement the ICertRequestD2 interface as specified in section 3.2.1.4.3.<65> See section 1.7 for how clients determine which interface the server supports.
The server SHOULD implement enterprise certificate authority (enterprise CA) mode functionality. If the server implements multiple CA modes, then it MUST implement customer selection of a mode.<66>
The server MAY implement one or more CA exit algorithms as described in section 3.2.1.4.2.1.4.9.
The server MAY implement key archival, making it an advanced CA.<67>
The server SHOULD return properties on its implementation by implementing ICertRequestD::GetCACert and ICertRequestD2::GetCAProperty methods as specified in sections 3.2.1.4.2.2 and 3.2.1.4.3.2, respectively.
The following sections describe the server modes:
Server Mode: Standalone CA: This mode is a server to the Windows Client Certificate Enrollment Protocol that implements the minimum required server functionality. This mode is specified in section 3.2.1.
Server Mode: Enterprise CA: This mode is a server to the Windows Client Certificate Enrollment Protocol that integrates with Active Directory and uses certificate templates [MS-CRTD] for its CA policy algorithm. This mode is specified in section 3.2.2.