2.9.1.4 Certificates for Special Roles

Although not required by the protocol, it is a best practice to restrict the use of certificates that are issued for KRAs and enrollment agents by requiring explicit CA administrator approval. These certificates have special purposes in some of the scenarios for this system, as described in the Examples (section 3).