Private key permissions on ADCS issued certificate

  • Question

  • What is best practice when assigning private key permissions to service accounts that need them when the certificates are issued via a certificate template in ADCS?

    If I manually assign permissions to grant a service account access to the private key of a computer certificate issued via an ADCS certificate template, will these permissions be removed when the certificate auto-renews? 

    If so, does this require a specific certificate template to grant private key permissions to the service account? I'd prefer not to do this if it requires a separate certificate template for each set of permissions.

    Wednesday, September 4, 2019 2:10 AM

All replies

  • Hi,

    Thanks for posting in our forum, and sorry for the delayed reply.

    >>What is best practice when assigning private key permissions to service accounts that need them when the certificates are issued via a certificate template in ADCS?

    Based on my experience, I suggest you use the option “Authorize additional service accounts to access the private key” under the “Request Handling” tab to assign permissions for service accounts.

    >> If I manually assign permissions to grant a service account access to the private key of a computer certificate issued via an ADCS certificate template, will these permissions be removed when the certificate auto-renews?

    As far as I know, it will not be removed.

    For your reference:

    https://winintro.ru/certtmpl.en/html/b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415.htm

    https://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx

    Best Regards,

    William


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 9, 2019 12:02 PM
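
One way to see which accounts hold access to the private keys of machine certificates on a host, for example before and after an auto-renewal (added example, not part of the thread). It assumes software-backed RSA keys in the LocalMachine\My store; the account name `CONTOSO\svc-app` is a constructed sample.

```powershell
# Added example: list file-system ACLs on private keys of LocalMachine\My certificates.
# $Account is a constructed sample name; run from an elevated session.
param([string]$Account = 'CONTOSO\svc-app')

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsa) { throw 'no RSA private key' }
    # CNG-backed keys expose Key.UniqueName; legacy CSP keys expose CspKeyContainerInfo.
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.UniqueName
    } else {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    # Machine key files live in one of these two directories for software providers.
    foreach ($dir in "$env:ProgramData\Microsoft\Crypto\Keys",
                     "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys") {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { return $path }
    }
    throw "key file '$name' not found (hardware-backed provider?)"
}

Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    $cert = $_
    try {
        $acl = Get-Acl -LiteralPath (Get-PrivateKeyFile $cert)
        $read = [System.Security.AccessControl.FileSystemRights]::Read
        # Explicit Allow entries only; access inherited through group membership is not resolved.
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.HasFlag($read)
        }
        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            AccountCanRead = [bool]$hit
            Trustees       = ($acl.Access.IdentityReference.Value | Sort-Object -Unique) -join '; '
        }
    } catch {
        Write-Warning "$($cert.Thumbprint): $($_.Exception.Message)"
    }
}
```

Comparing the output for the old and the renewed certificate (distinguished by `NotAfter`) shows whether the service account's entry is present on the new key; the `Trustees` column also surfaces any unexpected accounts with access.
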
  • Hi,

     

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

     

    Best Regards,

    William

     



    Tuesday, September 17, 2019 9:32 AM
  • Hi,

     

    Please remember to mark all the useful replies as answers; it would be helpful to anyone who encounters similar issues.

     

    Best Regards,

     

    William



    Wednesday, September 25, 2019 2:47 AM