3.1.3.2 Acquiring an SLC Chain
If the SLC field of the StoredConfiguration has not been initialized, a new SLC chain MUST be acquired. A server MUST<27> have an SLC chain that contains its unique public key, grants the server the right to issue certificates and licenses, and leads back to the common RMS root. Microsoft operates a publicly available RMS enrollment cloud service that signs an unsigned SLC and returns an SLC chain that leads back to the common RMS root. The service is open to all callers, performs no authentication and no authorization, and does not require the caller to meet any requirements. Microsoft retains no data.
This service is available for both synchronous and asynchronous requests. The server MUST send information about itself, such as its public key and GUID, to the cloud service. The cloud service uses this information to generate an SLC, sign it with its private key, append its own certificate chain, and return the result to the server:
Synchronous: https://activation.drm.microsoft.com/enrollment/enrollservice.asmx
Asynchronous: https://activation.drm.microsoft.com/offlineenroll/Enrollment.aspx