4.2 Access Control

The ACL of a certificate template can grant one permission that the default certificate server policy algorithm consults: the enrollment permission. If an entity holds the enrollment permission for a certificate type and requests that certificate, the enterprise certificate authority (enterprise CA) policy algorithm causes the certificate server to issue that kind of certificate to that entity.

One kind of certificate that can be issued is the Enrollment Agent certificate, which is a particularly powerful certificate. Because an Enrollment Agent is allowed to specify certificates to be issued to any subject, it can bypass corporate security policy. As a result, administrators need to be especially careful when allowing subjects to enroll for Enrollment Agent certificates.
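Because issuance follows the template ACL, the practical check is to review who holds the enrollment permission on the Enrollment Agent template. The following PowerShell is an added example, not part of this document: it reads the template's ACL from the configuration partition and lists every principal with the Enroll extended right or Full Control, flagging broad groups. The template common name `EnrollmentAgent`, the ActiveDirectory module, and the Certificate-Enrollment right GUID are assumptions not stated above; the function takes any template DN, so it can be applied to other templates as well.

```powershell
# Added example: audit which principals can enroll for the Enrollment Agent template.
# Assumptions: domain-joined host with the ActiveDirectory module, read access to the
# configuration naming context, and the default template common name "EnrollmentAgent".
Import-Module ActiveDirectory

# GUID of the "Certificate-Enrollment" extended right (what the ACL calls Enroll).
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$adRights    = [System.DirectoryServices.ActiveDirectoryRights]

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=EnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Get-TemplateEnrollers {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Enroll is granted either as the specific extended right or as "all extended
        # rights" (empty ObjectType). Full Control implies Enroll and also lets the
        # holder edit the template, so report it too.
        $hasEnroll = $ace.ActiveDirectoryRights.HasFlag($adRights::ExtendedRight) -and
                     ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [Guid]::Empty)
        $hasFull   = $ace.ActiveDirectoryRights.HasFlag($adRights::GenericAll)

        if ($hasEnroll -or $hasFull) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = if ($hasFull) { 'FullControl' } else { 'Enroll' }
            }
        }
    }
}

# Groups that should not normally be able to enroll for an Enrollment Agent certificate.
$broadGroups = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'

foreach ($entry in Get-TemplateEnrollers -DistinguishedName $templateDN) {
    $shortName = $entry.Principal.Split('\')[-1]
    $flag = if ($broadGroups -contains $shortName) { 'REVIEW' } else { 'ok' }
    '{0,-7} {1,-45} {2}' -f $flag, $entry.Principal, $entry.Rights
}
```

Entries marked REVIEW are the ones the paragraph above warns about: broad groups that can obtain an Enrollment Agent certificate and thereby request certificates on behalf of any subject.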