Remove From My Forums

View all certificates in CA database without being local administrator

Question
0

Sign in to vote

Hi,

Is it possible to view all certificates in the CA database, e.g. "certutil -view", without being a member of LOCAL\Administrators?

Thanks!

Best regards,

Jim Bjurefeldt

Wednesday, November 20, 2019 7:50 AM

Reply

|

Quote

Answers

0

Sign in to vote
Thank you both for replying, much appreciated!

In my lab it seems it's enough for this user to be granted "Read" permissions for it to be able to execute "certutil -view" on the CA.
- Proposed as answer by Vadims PodansMVP Thursday, November 21, 2019 2:56 PM
- Marked as answer by Jim Bjurefeldt Friday, November 22, 2019 8:16 AM
Thursday, November 21, 2019 12:20 PM

Reply

|

Quote

All replies

0

Sign in to vote
User must be granted "Manage Certificates" permissions (CertSrv.msc -> Properties -> Security tab).

Vadims Podāns, aka Crypt32
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: ASN.1 Editor tool.
- Edited by Vadims PodansMVP Wednesday, November 20, 2019 8:47 AM
- Proposed as answer by Daisy ZhouMicrosoft contingent staff, Moderator Thursday, November 21, 2019 2:19 AM
Wednesday, November 20, 2019 8:46 AM

Reply

|

Quote
0

Sign in to vote
Hello,
Thank you for posting in our TechNet forum.

According to my test in my test lab, if we grant one domain user Manage CA or Issue and Manage Certificates permission.

Logon CA server with domain Administrator account.
Open Certification Authorities ->right click CA name->Select Properties->Security tab->add the user account and grant the permission.

Then logon the CA server with this domain user account, we can run the command "certutil -view" successfully and got the result.

For more information about Manage CA and Issue and Manage Certificates permissions, we can refer to the following article.

AD CS Security Guidance
https://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance.aspx

Best Regards,
Daisy Zhou

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by Daisy ZhouMicrosoft contingent staff, Moderator Thursday, November 21, 2019 3:01 AM
Thursday, November 21, 2019 2:35 AM

Reply

|

Quote

Moderator
0

Sign in to vote
Thank you both for replying, much appreciated!

In my lab it seems it's enough for this user to be granted "Read" permissions for it to be able to execute "certutil -view" on the CA.
- Proposed as answer by Vadims PodansMVP Thursday, November 21, 2019 2:56 PM
- Marked as answer by Jim Bjurefeldt Friday, November 22, 2019 8:16 AM
Thursday, November 21, 2019 12:20 PM

Reply

|

Quote
0

Sign in to vote

Hi，
Thank you for your update and sharing. I’m very glad that the problem has been solved.

As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

Have a nice day!

Best Regards,
Daisy Zhou
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Friday, November 22, 2019 10:47 AM

Reply

|

Quote

Moderator

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

View all certificates in CA database without being local administrator

Question

Answers

All replies