View all certificates in CA database without being local administrator

  • Question

  • Hi,

    Is it possible to view all certificates in the CA database, e.g. "certutil -view", without being a member of LOCAL\Administrators?

    Thanks!

    Best regards,

    Jim Bjurefeldt

    Wednesday, November 20, 2019 7:50 AM

Answers

  • Thank you both for replying, much appreciated!

    In my lab it seems it's enough for this user to be granted "Read" permissions for it to be able to execute "certutil -view" on the CA.

    Thursday, November 21, 2019 12:20 PM

All replies

  • User must be granted "Manage Certificates" permissions (CertSrv.msc -> Properties -> Security tab).

    Vadims Podāns, aka Crypt32
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: ASN.1 Editor tool.


    Wednesday, November 20, 2019 8:46 AM
  • Hello,
    Thank you for posting in our TechNet forum.

    According to my test in my test lab, if we grant one domain user the Manage CA or Issue and Manage Certificates permission:

    Log on to the CA server with the domain Administrator account.
    Open Certification Authorities -> right-click the CA name -> select Properties -> Security tab -> add the user account and grant the permission.

    Then log on to the CA server with this domain user account; we can run the command "certutil -view" successfully and get the result.

    For more information about Manage CA and Issue and Manage Certificates permissions, we can refer to the following article.

    AD CS Security Guidance
    https://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance.aspx



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 21, 2019 2:35 AM
    Moderator
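Added example, not from this thread, from Microsoft, or from the PSPKI module: a PowerShell script for the CA host that decodes the CA's own security descriptor (the same value `certutil -getreg CA\Security` reads) so you can see exactly which principals hold Manage CA, Issue and Manage Certificates, Read or Enroll, then flags principals holding a role right when, as the thread establishes, Read alone is enough to run `certutil -view`. The closing lines show a scoped `certutil -view` for that Read-only user. Assumptions: the CA name is taken from the registry `Active` value (or passed in), and the access-mask bit values follow the `CA_ACCESS_*` constants in the Windows SDK header certadm.h; check them against your SDK copy.

```powershell
# Added example (not the thread's, Microsoft's or PSPKI's code).
# Decodes the CA security descriptor stored at
#   HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>\Security
# and reports who holds which CA right. Run on the CA host.

# Assumed bit values: CA_ACCESS_* constants from the Windows SDK certadm.h
$CaRights = [ordered]@{
    ManageCA         = 0x00000001   # "Manage CA"
    IssueManageCerts = 0x00000002   # "Issue and Manage Certificates"
    Auditor          = 0x00000004
    Operator         = 0x00000008
    Read             = 0x00000100   # sufficient for "certutil -view" (per the thread)
    Enroll           = 0x00000200
}
$RoleMask = 0x000000FF              # CA_ACCESS_MASKROLES: the four role rights above

function Get-CaAccessEntries {
    param(
        # Defaults to the active CA on this host; pass -CaName to override
        [string]$CaName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
    )
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $bytes = (Get-ItemProperty -Path $key -Name Security).Security      # REG_BINARY, self-relative SD
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        # Resolve the SID to a name where possible; orphaned SIDs are reported raw
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }

        $granted = foreach ($r in $CaRights.Keys) {
            if ($ace.AccessMask -band $CaRights[$r]) { $r }
        }
        [pscustomobject]@{
            Principal = $who
            Type      = $ace.AceType                 # AccessAllowed / AccessDenied
            Rights    = ($granted -join ',')
            Mask      = $ace.AccessMask
            MaskHex   = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }
}

# Least-privilege review: an Allow ACE carrying any role right is more than a
# viewer needs. Read is enough to run "certutil -view", so Manage CA or
# Issue and Manage Certificates granted only for read access is an over-grant.
function Find-CaOverGrant {
    param([string]$CaName)
    $entries = if ($CaName) { Get-CaAccessEntries -CaName $CaName } else { Get-CaAccessEntries }
    $entries | Where-Object { $_.Type -eq 'AccessAllowed' -and ($_.Mask -band $RoleMask) }
}

Get-CaAccessEntries | Format-Table Principal, Type, Rights, MaskHex -AutoSize
Find-CaOverGrant    | Format-Table Principal, Rights -AutoSize

# As the Read-only user: pull only issued certificates (Disposition 20) and only
# the columns needed, instead of dumping every row of the database.
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CommonName,NotAfter"
```

Run the first two functions as an administrator on the CA to review the ACL after granting the user Read, and run the final `certutil -view` line as that user to confirm the grant works; if the user appears in the `Find-CaOverGrant` output, a role right was handed out where Read would have done.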
  • Hi,
    Thank you for your update and sharing. I’m very glad that the problem has been solved. 

    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Have a nice day!


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 22, 2019 10:47 AM
    Moderator