Permissions to create a Certificate Template

  • Question

  • We have one offline CA and one online issuing CA and a Windows 2012 R2 Active Directory domain.

    I currently must log in as domain administrator to create a new certificate template using the Certificate Authority mmc console. I would like to instead designate a separate account to handle all administrative tasks.

    How can I assign another account the rights to create templates and manage the CA?

    Thanks!

    Wednesday, March 21, 2018 7:29 PM

Answers

  • We have one offline CA and one online issuing CA and a Windows 2012 R2 Active Directory domain.

    I currently must log in as domain administrator to create a new certificate template using the Certificate Authority mmc console. I would like to instead designate a separate account to handle all administrative tasks.

    How can I assign another account the rights to create templates and manage the CA?

    Thanks!

    Well, you can do that:

    1) create global or universal group called "Cert Template Editors", or whatever name you wish.

    2) grant this group permissions in the following AD containers:

    CN=Certificate Templates, CN=Public Key Services, CN=Services, {configuration naming context}
    CN=OID, CN=Public Key Services, CN=Services, {configuration naming context}

    3) add appropriate users and/or groups in this group in order to allow them to create/modify certificate templates.


    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.


    Sunday, March 25, 2018 3:21 PM
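The three steps above, carried out with the ActiveDirectory module, as an added example; this is not code from the thread or from the PSPKI module. It assumes the group name suggested in the answer and a placeholder member account called `pki.admin`. The rights granted are Full Control on both containers with inheritance to all descendants, which is the usual delegation for template editors; trim them if your environment needs something narrower.

```powershell
# Added example (not from the thread): delegate certificate-template editing to an AD group,
# following the three steps in the accepted answer. Run with an account that can modify the
# Configuration naming context (for example an Enterprise Admin).
Import-Module ActiveDirectory

$groupName = 'Cert Template Editors'   # name suggested in the answer; any name works

# Step 1: create a Universal (or Global) security group. Domain Local groups are not usable
# here: the target containers live in the forest-wide Configuration NC, which every domain
# in the forest replicates, and a Domain Local group is only valid inside its own domain.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security -PassThru
}

# Step 2: grant the group rights on both containers under CN=Public Key Services.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$containers = @(
    "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC",
    "CN=OID,CN=Public Key Services,CN=Services,$configNC"
)

$sid = [System.Security.Principal.SecurityIdentifier] $group.SID
foreach ($dn in $containers) {
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path

    # Full Control on the container and on every object beneath it, so the group can
    # create new templates/OIDs and edit existing ones. Inheritance 'All' covers both.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Granted '$groupName' Full Control on $dn"
}

# Step 3: add the delegated administrator(s) to the group.
Add-ADGroupMember -Identity $group -Members 'pki.admin'   # placeholder account name

# Verify: show the explicit ACEs for the group on each container. Remember that the
# change has to replicate to the domain controller the template editor is talking to.
foreach ($dn in $containers) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$groupName" } |
        Select-Object @{ n = 'Container'; e = { $dn } }, ActiveDirectoryRights, InheritanceType
}
```

This only delegates template and OID editing in AD. The CA's own roles (Manage CA, Issue and Manage Certificates, and the Certificate Manager Restrictions mentioned elsewhere in this thread) are configured on the CA object itself and are not touched by this script.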

All replies

  • Hi,
    You can use the Certificate Manager Restrictions tab to restrict the group to manage certs based on a specific template to a specific global/universal group.

    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 22, 2018 6:53 AM
    Moderator
  • Hi,
    You can use the Certificate Manager Restrictions tab to restrict the group to manage certs based on a specific template to a specific global/universal group.

    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Did you try to read the original question?

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Sunday, March 25, 2018 3:18 PM
  • Thanks! That was the answer I was looking for.

    Monday, March 26, 2018 7:17 PM
  • BTW, is there any way of managing both restricted enrollment agents and certificate managers by PowerShell? When the AD SG name is long enough, you can't see the full name for this SG. So it would be great if it would be possible to at least dump the configuration by using PowerShell or cmdlets.

    Many thanks in advance

    Valerij

    Monday, November 12, 2018 2:05 PM
  • Just to add to Vadims' great answer, you can apply these permissions from AD Sites & Services as well as ADSI Edit.

    Although I prefer using Domain Local groups to secure resources, especially in a multi-domain forest.

    Sunday, April 14, 2019 10:17 PM
  • Worked for me too.

    But was a bit confused because I forgot to wait for the replication between domains...

    Thanks Vadims!

    Tuesday, October 8, 2019 2:51 PM
  • HolyHa1fDead,

    You cannot use Domain Local groups for securing PKI resources. They are stored in the Configuration naming context and are replicated to *all* domains in the forest. Domain Local Groups can only be used in their own domain (hence the need for Global or Universal groups).

    Your answer is true for file resources (local to that specific domain), but not for Configuration NC resources.

    Brian

    Tuesday, October 8, 2019 9:18 PM