3.1.4.1.1.4.1 Building a List of CAs that Support a Particular Template

The client performs the following steps to build a list of certificate authorities (CAs) supporting the template specified by the TemplateName input:

  • Perform an LDAP search for the CA information (pKIEnrollmentService) objects (specified in [MS-WCCE] section 2.2.2.11.2) under the following container:

     "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=…"

    where "CN=Configuration,DC=…" is replaced with the value of the configurationNamingContext attribute (specified in [MS-ADTS] section 3.1.1.3.2.1) of the rootDSE object.

  • For each object in the search result:

    • If the ntSecurityDescriptor attribute of the object does not have Enroll permission, or has Enroll permission denied (specified in [MS-CRTD] section 2.5) for the user's security context, continue with the next object.

    • If the cACertificate attribute contains a value equal to the TemplateName field, add a value pair to the CAList where the name is set to the value of the cn attribute, and FQDN is set to the value of the dNSHostName attribute.
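The procedure above, carried through in code as an added example that is not part of this specification: it builds the search base from configurationNamingContext, applies the Enroll check (deny wins, and an object with no Enroll grant is skipped), and collects (cn, dNSHostName) pairs into CAList. The LDAP result set is constructed in-memory rather than fetched from a directory, the security descriptor is modelled as a short list of allow/deny entries instead of a binary ntSecurityDescriptor, and the template list is read from a certificateTemplates attribute on each pKIEnrollmentService object, which is an assumption about the directory schema and not wording taken from this page.

```python
"""Added example: build CAList from pKIEnrollmentService objects.

Everything here is constructed for illustration; nothing is read from a
live directory. The ACE model is deliberately simplified: any matching
deny entry overrides, otherwise an explicit allow is required.
"""
from dataclasses import dataclass

ENROLL = "Enroll"  # symbolic name for the Enroll extended right


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # constructed group name standing in for a SID
    right: str     # right granted or denied, e.g. ENROLL


@dataclass(frozen=True)
class EnrollmentService:
    """One pKIEnrollmentService object as returned by the LDAP search."""
    cn: str
    dNSHostName: str
    certificateTemplates: tuple   # assumed attribute carrying template names
    ntSecurityDescriptor: tuple   # simplified: tuple of Ace


def enrollment_services_search(configuration_naming_context):
    """Return (base DN, filter, attributes) for the CA information search."""
    base_dn = ("CN=Enrollment Services,CN=Public Key Services,CN=Services,"
               + configuration_naming_context)
    return (base_dn, "(objectClass=pKIEnrollmentService)",
            ["cn", "dNSHostName", "certificateTemplates", "ntSecurityDescriptor"])


def has_enroll_permission(security_descriptor, principal_groups):
    """False if Enroll is denied to the caller or never granted to it."""
    for ace in security_descriptor:
        if (ace.kind == "deny" and ace.right == ENROLL
                and ace.trustee in principal_groups):
            return False
    return any(ace.kind == "allow" and ace.right == ENROLL
               and ace.trustee in principal_groups
               for ace in security_descriptor)


def build_ca_list(search_result, template_name, principal_groups):
    """Return CAList: (cn, dNSHostName) pairs of CAs offering template_name."""
    ca_list = []
    for obj in search_result:
        if not has_enroll_permission(obj.ntSecurityDescriptor, principal_groups):
            continue  # no Enroll, or Enroll explicitly denied: skip this CA
        if template_name in obj.certificateTemplates:
            ca_list.append((obj.cn, obj.dNSHostName))
    return ca_list


# Constructed sample search result (three CA objects, fictional names).
SAMPLE_RESULT = (
    EnrollmentService(
        cn="CORP-CA-01", dNSHostName="ca01.corp.example",
        certificateTemplates=("User", "Machine"),
        ntSecurityDescriptor=(Ace("allow", "Domain Users", ENROLL),)),
    EnrollmentService(
        cn="CORP-CA-02", dNSHostName="ca02.corp.example",
        certificateTemplates=("User",),
        ntSecurityDescriptor=(Ace("allow", "Domain Users", ENROLL),
                              Ace("deny", "Contractors", ENROLL))),
    EnrollmentService(
        cn="LAB-CA", dNSHostName="labca.corp.example",
        certificateTemplates=("Machine",),
        ntSecurityDescriptor=(Ace("allow", "Domain Users", ENROLL),)),
)

if __name__ == "__main__":
    base, flt, attrs = enrollment_services_search("CN=Configuration,DC=corp,DC=example")
    print(base, flt, attrs)
    print(build_ca_list(SAMPLE_RESULT, "User", {"Domain Users"}))
    print(build_ca_list(SAMPLE_RESULT, "User", {"Domain Users", "Contractors"}))
```

Running the module prints the search parameters and two CAList results; the second call shows a caller who is also a member of the denied group losing CORP-CA-02 even though the same descriptor grants Enroll to Domain Users.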