3.2.2.6.2.1.4.7 Enforcing Configured Certificate Templates Issuance

If the CA uses the certificate template identifiers that are supplied in the request to enforce its issuance and enrollment policies, the CA MUST require that the identified certificate template is listed as a configured certificate template under the enrollment services container, as specified in section 2.2.2.11.2. The CA MUST adhere to the following rules:

  • Locate a pKIEnrollmentService object that has a cn value that is identical to the sanitized cn value of the Subject field in the CA certificate.

  • The certificateTemplates attribute of the object located in the preceding step MUST contain a string whose value is identical to the value of the cn attribute of each certificate template identified in the request.

  • If one or both of these steps fail, the enterprise CA MUST reject the request.
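The following Python simulation, added here as an illustration and not taken from [MS-WCCE] or from any Microsoft implementation, applies the two rules above to constructed in-memory stand-ins for the directory objects. The pKIEnrollmentService object, its certificateTemplates values and the CA name are all constructed sample data; the sanitization of the CA certificate's Subject cn is assumed to have been performed already, so the function receives the sanitized value as input. String comparison is exact, as the word "identical" in the rules requires.

```python
# Added example (not from [MS-WCCE] or any Microsoft code): a simulation of the
# configured-template check an enterprise CA performs before issuing. The
# directory objects are constructed in memory; a real CA reads them from the
# enrollment services container in Active Directory.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PKIEnrollmentService:
    """Constructed stand-in for a pKIEnrollmentService directory object."""
    cn: str
    certificate_templates: list[str] = field(default_factory=list)


def find_enrollment_service(services: list[PKIEnrollmentService],
                            ca_sanitized_cn: str) -> Optional[PKIEnrollmentService]:
    """Rule 1: locate the object whose cn equals the sanitized CA Subject cn.

    The sanitized cn is assumed to be supplied by the caller; comparison is exact,
    as the rule says "identical".
    """
    for svc in services:
        if svc.cn == ca_sanitized_cn:
            return svc
    return None


def template_is_configured(svc: PKIEnrollmentService, template_cn: str) -> bool:
    """Rule 2: certificateTemplates must contain a string identical to the template cn."""
    return template_cn in svc.certificate_templates


def evaluate_request(services: list[PKIEnrollmentService],
                     ca_sanitized_cn: str,
                     requested_template_cns: list[str]) -> dict:
    """Apply both rules to every template identified in a request.

    Returns the decision together with the reason, so a log consumer can see which
    rule failed. Failure of either rule means the CA rejects the request.
    """
    svc = find_enrollment_service(services, ca_sanitized_cn)
    if svc is None:
        return {"decision": "reject",
                "reason": f"no pKIEnrollmentService object with cn={ca_sanitized_cn!r}"}
    missing = [t for t in requested_template_cns if not template_is_configured(svc, t)]
    if missing:
        return {"decision": "reject",
                "reason": f"template(s) not configured on this CA: {missing}"}
    return {"decision": "accept", "reason": "all requested templates are configured"}


# Constructed sample directory contents (hypothetical CA and template names).
SAMPLE_SERVICES = [
    PKIEnrollmentService(cn="Contoso-Issuing-CA",
                         certificate_templates=["User", "Machine", "WebServer"]),
]

if __name__ == "__main__":
    # A template that is published on this CA, one that is not, and a CA name
    # with no enrollment service object at all.
    for ca, templates in (("Contoso-Issuing-CA", ["User"]),
                          ("Contoso-Issuing-CA", ["User", "DomainController"]),
                          ("Other-CA", ["User"])):
        print(ca, templates, evaluate_request(SAMPLE_SERVICES, ca, templates))
```

The second sample request is the case the rule exists for: the template may well exist elsewhere in the directory, but because it is not listed under this CA's enrollment service object the request is rejected rather than issued.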