View all certificates in CA database without being local administrator

Question
-
Answers
-
Thank you both for replying, much appreciated!
In my lab it seems it's enough for this user to be granted "Read" permissions for it to be able to execute "certutil -view" on the CA.
- Proposed as answer by Vadims Podans (MVP) Thursday, November 21, 2019 2:56 PM
- Marked as answer by Jim Bjurefeldt Friday, November 22, 2019 8:16 AM
All replies
-
User must be granted "Manage Certificates" permissions (CertSrv.msc -> Properties -> Security tab).
Vadims Podāns, aka Crypt32
- Edited by Vadims Podans (MVP) Wednesday, November 20, 2019 8:47 AM
- Proposed as answer by Daisy Zhou (Microsoft contingent staff, Moderator) Thursday, November 21, 2019 2:19 AM
-
Hello,
Thank you for posting in our TechNet forum.
According to a test in my test lab, we can grant one domain user the Manage CA or Issue and Manage Certificates permission as follows.
Log on to the CA server with the domain Administrator account.
Open Certification Authorities -> right-click the CA name -> select Properties -> Security tab -> add the user account and grant the permission.
Then log on to the CA server with this domain user account; we can run the command "certutil -view" successfully and get the result.
For more information about Manage CA and Issue and Manage Certificates permissions, we can refer to the following article.
AD CS Security Guidance
https://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance.aspx
Best Regards,
Daisy Zhou
- Edited by Daisy Zhou (Microsoft contingent staff, Moderator) Thursday, November 21, 2019 3:01 AM
-
Hi,
Thank you for your update and sharing. I’m very glad that the problem has been solved.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Have a nice day!
Best Regards,
Daisy Zhou
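
To audit which accounts hold the permissions discussed in this thread, the following added example (not part of any post above) decodes the CA's access control list into the names shown on the Security tab. It assumes it is run on the CA server in a session allowed to read the CertSvc configuration key, and the ViewPerThread column simply reflects the three rights the posters reported as sufficient for "certutil -view".

```powershell
# Added example, not from the thread. Run on the CA server.
# Assumption: the CA security descriptor is the REG_BINARY "Security" value
# under the active CA's configuration key.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -LiteralPath $cfg -Name Active).Active
$raw    = (Get-ItemProperty -LiteralPath "$cfg\$caName" -Name Security).Security
$sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)

# CA_ACCESS_* bits from certsrv.h, keyed by the names the Security tab shows.
$rights = [ordered]@{
    'Manage CA'                     = 0x001
    'Issue and Manage Certificates' = 0x002
    'Read'                          = 0x100
    'Request Certificates'          = 0x200
}

# Rights the posters in this thread reported as sufficient for "certutil -view".
$viewMask = 0x001 -bor 0x002 -bor 0x100

$sd.DiscretionaryAcl |
    Where-Object { $_ -is [System.Security.AccessControl.KnownAce] } |
    ForEach-Object {
        $ace = $_
        # Fall back to the raw SID when the name cannot be resolved
        # (deleted account, unreachable domain controller).
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }

        $names = @($rights.Keys | Where-Object { $ace.AccessMask -band $rights[$_] })

        [pscustomobject]@{
            Trustee       = $who
            AceType       = $ace.AceType
            Rights        = $names -join ', '
            # Only an allow ACE carrying one of the reported rights counts.
            ViewPerThread = [bool]($ace.AccessMask -band $viewMask) -and
                            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
        }
    } |
    Sort-Object Trustee |
    Format-Table -AutoSize
```

Review any broad group (for example, one covering all domain users) that shows ViewPerThread as True, since its members can list every issued certificate and request in the CA database.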