1.5.2 CA Name

The Certificate Services Remote Administration Protocol assumes that the client knows the name of the CA server that implements the DCOM interfaces specified in section 3.2.4. Windows-based clients discover Microsoft CAs by reading the certificate enrollment object in Active Directory (as specified by [MS-ADTS]) and by using LDAP (as specified in [RFC2559]).

The enrollment object that defines the names of the CAs is located under the CN=Enrollment Services, CN=Public Key Services, CN=Services, CN=Configuration, DC=ForestRootDomain container of Active Directory. Each CA has an entry with a class of pKIEnrollmentService, as specified in [MS-ADSC] section 2.222.

The cn attribute of pKIEnrollmentService is the CA name. The dNSHostName attribute ([MS-ADA1] section 2.185) of pKIEnrollmentService contains the machine name that hosts the CA service.
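
The lookup described above can be sketched as follows. This is an added example, not code from the specification: it builds the search base and filter for the Enrollment Services container, then reads the CA name (cn) and host (dNSHostName) out of an LDIF export of the search results. The function names, the corp.example forest, and the CA and host names are assumptions made for illustration.

```python
import base64

# Container and object class are from the section above; sample values are constructed.
CONTAINER = "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration"
CA_FILTER = "(objectClass=pKIEnrollmentService)"

def search_params(forest_root_dns):
    """Return (search base, filter) for a forest root domain given as a DNS name."""
    labels = [p for p in forest_root_dns.split(".") if p]
    if not labels:
        raise ValueError("empty forest root domain name")
    return CONTAINER + "".join(",DC=" + p for p in labels), CA_FILTER

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} records."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    records = []
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" marks an encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            rec.setdefault(name.lower(), []).append(value.strip())
        records.append(rec)
    return records

def discover_cas(ldif_text):
    """Return (CA name, host) pairs for pKIEnrollmentService entries only;
    host is None when the entry carries no dNSHostName."""
    cas = []
    for rec in parse_ldif(ldif_text):
        if "pkienrollmentservice" in [c.lower() for c in rec.get("objectclass", [])]:
            cas.append((rec["cn"][0], rec.get("dnshostname", [None])[0]))
    return cas

def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

# Constructed export: container, a CA with a folded host, a CA with a base64 name and no host.
BASE = search_params("corp.example")[0]
SAMPLE_LDIF = (
    f"dn: {BASE}\nobjectClass: container\ncn: Enrollment Services\n\n"
    f"dn: CN=Corp Issuing CA 1,{BASE}\nobjectClass: pKIEnrollmentService\n"
    "cn: Corp Issuing CA 1\ndNSHostName: ca01.corp.\n example\n\n"
    f"dn:: {_b64('CN=Zürich Issuing CA,' + BASE)}\nobjectClass: pKIEnrollmentService\n"
    f"cn:: {_b64('Zürich Issuing CA')}\n"
)
```

An entry that comes back with a host of None is published in the directory without a dNSHostName, so a client following this section has no machine name to contact for that CA.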