3.2.2.5 Initialization

In addition to the initialization steps documented in section 3.2.1.3, the server MUST perform the following initialization steps:

  1. Reads the list of objects under the certificate templates container in the working directory by performing the processing rules specified in section 3.2.2.1.1 with input parameter InputContainer set to Certificate Templates Container.

  2. For each certificate template in CertificateTemplatesandEnrollmentServicesObjects returned in step 1 that either does not have a msPKI-Template-Schema-Version attribute or has an msPKI-Template-Schema-Version value of 0x1, 0x2, 0x3, or 0x4, the CA SHOULD create a new row in the Certificate Templates Replica table, store the certificate template object in the Certificate_Template_Data column of that row, and set the value of Certificate_Template_IsConfigured to False.<112>

  3. Reads the list of objects under the enrollment services container in the working directory by performing the processing rules specified in section 3.2.2.1.1 with input parameter InputContainer set to Enrollment Services Container.

    For each object in CertificateTemplatesandEnrollmentServicesObjects returned from section 3.2.2.1.1, the CA MUST look for the object that has the following characteristics:

    1. The object is of type pKIEnrollmentService as specified in section 2.2.2.11.2.

    2. The value of the cn field is equal to the sanitized value of cn in the subject field of the CA signing certificate.

  4. Looks at the certificateTemplates attribute of the object identified in step 3. This is a multi-valued string attribute, and each value names one configured certificate template. For each value of this attribute, the server performs the following steps:

    1. Compares the value of the string to the value of the cn field for each certificate template that is stored in the Certificate_Template_Data column in the certificate template replica.

    2. If the values are equal, sets the value of the Certificate_Template_IsConfigured of the same row to True.
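The following is an added illustration, not code from the specification, that models steps 1 through 4 over constructed directory objects: it builds the replica table from templates whose schema version is absent or 0x1..0x4, locates the pKIEnrollmentService object, and flags the rows named in that object's certificateTemplates attribute. The cn sanitization rule is defined outside this section, so the example assumes the caller already supplies the sanitized cn; the object shapes, names and `ReplicaRow` type are assumptions for illustration.

```python
from dataclasses import dataclass
# Step 2: rows are created for templates whose msPKI-Template-Schema-Version is
# absent or one of 0x1..0x4; templates with newer versions get no replica row.
REPLICATED_SCHEMA_VERSIONS = {1, 2, 3, 4}

@dataclass
class ReplicaRow:
    template_data: dict          # Certificate_Template_Data column
    is_configured: bool = False  # Certificate_Template_IsConfigured column

def build_replica(template_objects):
    """Steps 1-2: build the Certificate Templates Replica table."""
    return [ReplicaRow(obj) for obj in template_objects
            if obj.get("msPKI-Template-Schema-Version") in REPLICATED_SCHEMA_VERSIONS
            or "msPKI-Template-Schema-Version" not in obj]

def find_enrollment_service(service_objects, sanitized_ca_cn):
    """Step 3: the pKIEnrollmentService object whose cn equals the CA's sanitized cn
    (sanitization is specified elsewhere; the caller passes its result, an assumption here)."""
    for obj in service_objects:
        if obj.get("objectClass") == "pKIEnrollmentService" and obj.get("cn") == sanitized_ca_cn:
            return obj
    return None

def mark_configured(rows, enrollment_service):
    """Step 4: set IsConfigured on rows named in the multi-valued certificateTemplates."""
    published = set(enrollment_service.get("certificateTemplates", []))
    for row in rows:
        if row.template_data.get("cn") in published:
            row.is_configured = True
    return rows

def configured_template_names(template_objects, service_objects, sanitized_ca_cn):
    """Templates the CA will actually serve once initialization completes."""
    service = find_enrollment_service(service_objects, sanitized_ca_cn)
    if service is None:
        return []  # step 3 found no matching CA object: nothing is configured
    rows = mark_configured(build_replica(template_objects), service)
    return sorted(r.template_data["cn"] for r in rows if r.is_configured)

# Constructed sample directory contents (not real objects).
SAMPLE_TEMPLATES = [
    {"cn": "User", "msPKI-Template-Schema-Version": 1},
    {"cn": "WebServer", "msPKI-Template-Schema-Version": 2},
    {"cn": "NoVersion"},                                   # attribute absent, still replicated
    {"cn": "Future", "msPKI-Template-Schema-Version": 5},  # not replicated
]
SAMPLE_SERVICES = [{"objectClass": "pKIEnrollmentService", "cn": "Contoso-CA",
                    "certificateTemplates": ["User", "Future", "Machine"]}]
```

Note that a name listed in certificateTemplates but absent from the replica (here "Future" and "Machine") never becomes configured, which is why auditing a CA's published templates must consider both the container contents and the CA object.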

If the CA fails to complete any of the initialization steps in this section, the CA MUST continue to receive requests from clients. When the CA receives a request from a client, it MUST reattempt all the initialization steps, and if it still fails to initialize, it MUST return a nonzero error to the client.