Allocating 'Issue and manage certificates' privilege to NDES service account

Question

  • The instructions in step 2 here mention that we should allocate the 'Issue and manage certificates' privilege to the NDES service account for each template that is used by NDES, allowing NDES to revoke certificates as devices fall out of scope of a SCEP policy.

    As far as I know it is only possible to allocate this privilege on a 'per CA' basis, and not individually for each template.

    Could anyone confirm one way or the other?

    thanks.

    Mike

    Wednesday, May 16, 2018 2:19 PM

Answers

  • With the newer CAs (2008 R2 or higher) you can limit the permissions on the Restrict Certificate Managers tab so that the permissions are limited to the templates issued by NDES.

    Brian

    Wednesday, May 16, 2018 5:02 PM

All replies

  • That is correct. The "Issue and Manage Certificates" permission is a CA property.

    But an NDES server can only be configured to issue certificates from a single CA. So you assign the "Issue and Manage Certificates" permission on the CA configured for use by the NDES service.

    Brian

    Wednesday, May 16, 2018 2:49 PM
  • Thanks Brian, thought as much. Wondered if there may be any unnecessary risk associated with giving the rights to a service account for templates unrelated to those issued through NDES.
    Wednesday, May 16, 2018 3:49 PM
  • That's very helpful. Many thanks.
    Thursday, May 17, 2018 7:47 AM