3.1.4.1.1.4.1 Building a List of CAs that Support a Particular Template
The client performs the following steps to build a list of certificate authorities (CAs) supporting the template specified by the TemplateName input:
1. Perform an LDAP search for the CA information (pKIEnrollmentService) objects (specified in [MS-WCCE] section 2.2.2.11.2) under the following container:
   "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=…"
   where "CN=Configuration,DC=…" is replaced with the value of the configurationNamingContext attribute (specified in [MS-ADTS] section 3.1.1.3.2.1) of the rootDSE object.
2. For each object in the search result:
   a. If the ntSecurityDescriptor attribute of the object does not have Enroll permission, or has Enroll permission denied (specified in [MS-CRTD] section 2.5) for the user's security context, continue with the next object.
   b. If the cACertificate attribute contains a value equal to the TemplateName field, add a value pair to the CAList where the name is set to the value of the cn attribute, and FQDN is set to the value of the dNSHostName attribute.
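The procedure above, carried through on constructed search results, as an added example that is not part of the specification. Assumptions: the DACL is modeled as already-parsed (type, SID, right) tuples with a simplified deny-wins check, the Certificate-Enrollment right GUID is not given on this page, and the SIDs, host names and the example.test domain are hypothetical.

```python
# Added illustration: constructed data; the DACL model is simplified and is not
# a real ntSecurityDescriptor parser.
ENROLL = "0e10c968-78fb-11d2-90d4-00c04f79dc55"  # Certificate-Enrollment extended right
SEARCH_FILTER = "(objectClass=pKIEnrollmentService)"

def enrollment_services_dn(config_nc):
    """Step 1: search base under rootDSE's configurationNamingContext."""
    return "CN=Enrollment Services,CN=Public Key Services,CN=Services," + config_nc

def can_enroll(dacl, token_sids):
    """Assumed simplification: a matching DENY wins, else one matching ALLOW is needed."""
    allowed = False
    for ace_type, sid, right in dacl:
        # right=None models an ACE with no object type, i.e. all extended rights
        if sid not in token_sids or right not in (ENROLL, None):
            continue
        if ace_type == "DENY":
            return False
        allowed = True
    return allowed

def build_ca_list(entries, template_name, token_sids, template_attr="cACertificate"):
    """Step 2: template_attr defaults to the attribute named in the procedure above."""
    ca_list = []
    for e in entries:
        if not can_enroll(e["dacl"], token_sids):
            continue  # no Enroll permission, or Enroll denied
        if template_name in e.get(template_attr, []):
            ca_list.append({"name": e["cn"], "FQDN": e["dNSHostName"]})
    return ca_list

# Constructed SIDs and search results (hypothetical domain example.test)
USER, USERS_GRP, CONTRACTORS = "S-1-5-21-1-2-3-1104", "S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1200"
TOKEN = {USER, USERS_GRP, CONTRACTORS}
ENTRIES = [
    {"cn": "CA-A", "dNSHostName": "ca-a.example.test", "cACertificate": ["WebServer", "User"],
     "dacl": [("ALLOW", USERS_GRP, ENROLL)]},
    {"cn": "CA-B", "dNSHostName": "ca-b.example.test", "cACertificate": ["WebServer"],
     "dacl": [("DENY", CONTRACTORS, ENROLL), ("ALLOW", USERS_GRP, ENROLL)]},
    {"cn": "CA-C", "dNSHostName": "ca-c.example.test", "cACertificate": ["WebServer"],
     "dacl": [("ALLOW", "S-1-5-21-1-2-3-512", ENROLL)]},
    {"cn": "CA-D", "dNSHostName": "ca-d.example.test", "cACertificate": ["User"],
     "dacl": [("ALLOW", USER, None)]},
]

if __name__ == "__main__":
    print(enrollment_services_dn("CN=Configuration,DC=example,DC=test"), SEARCH_FILTER)
    print(build_ca_list(ENTRIES, "WebServer", TOKEN))
```

CA-B drops out because the user's Contractors membership matches a deny entry even though another group is allowed, and CA-C drops out because no entry matches the user's security context at all.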