2.9.1.4 Certificates for Special Roles
Although not required by the protocol, it is a best practice to restrict the use of certificates that are issued for KRAs and enrollment agents by requiring explicit CA administrator approval. These certificates have special purposes in some of the scenarios for this system, as described in the Examples (section 3).
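One way to check this practice, as an added example that is not part of the specification: it assumes the CA is Active Directory Certificate Services and that manager approval is enforced through the `CT_FLAG_PEND_ALL_REQUESTS` bit of each template's `msPKI-Enrollment-Flag` attribute. The template records and their names are constructed sample data, and the helper names are hypothetical.

```python
# Added example: flag certificate templates that carry a special-role usage
# (key recovery agent or enrollment agent) without CA manager approval.
# Assumption: templates were exported from AD as attribute dictionaries.

KEY_RECOVERY_AGENT = "1.3.6.1.4.1.311.21.6"      # Key Recovery Agent EKU
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"    # Certificate Request Agent EKU
SPECIAL_ROLE_EKUS = {
    KEY_RECOVERY_AGENT: "key recovery agent",
    CERT_REQUEST_AGENT: "enrollment agent",
}
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag bit


def special_roles(template):
    """Return the special roles a template grants, from either EKU attribute."""
    oids = set(template.get("pKIExtendedKeyUsage", []))
    oids |= set(template.get("msPKI-Certificate-Application-Policy", []))
    return sorted(SPECIAL_ROLE_EKUS[o] for o in oids if o in SPECIAL_ROLE_EKUS)


def requires_approval(template):
    """True if every request against the template is held as pending."""
    # LDIF exports give the flag as a string; a missing attribute means 0.
    flags = int(template.get("msPKI-Enrollment-Flag", 0)) & 0xFFFFFFFF
    return bool(flags & CT_FLAG_PEND_ALL_REQUESTS)


def audit(templates):
    """List (template name, roles) for special-role templates lacking approval."""
    return [(t["cn"], special_roles(t)) for t in templates
            if special_roles(t) and not requires_approval(t)]


# Constructed sample records; names and flag values are illustrative only.
SAMPLE_TEMPLATES = [
    {"cn": "KRA-Approved", "pKIExtendedKeyUsage": [KEY_RECOVERY_AGENT],
     "msPKI-Enrollment-Flag": "2"},
    {"cn": "EnrollmentAgent-Auto", "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT],
     "msPKI-Enrollment-Flag": "32"},
    {"cn": "KRA-AppPolicyOnly",
     "msPKI-Certificate-Application-Policy": [KEY_RECOVERY_AGENT],
     "msPKI-Enrollment-Flag": "0"},
    {"cn": "WebServer", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "msPKI-Enrollment-Flag": "0"},
]

if __name__ == "__main__":
    for name, roles in audit(SAMPLE_TEMPLATES):
        print(f"{name}: issues {', '.join(roles)} certificates without approval")
```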