Enable role separation

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To enable role separation

Caution

  • Before enabling role separation, make certain that no user is assigned to more than one role. If a user is assigned to more than one role and role separation is enabled, then the user will not be permitted to perform any activity for the Certificate Services service. For more information, see Role-based administration.

  1. Open Command Prompt.

  2. Type:

    certutil -setreg ca\RoleSeparationEnabled 1

  3. Open Certification Authority.

  4. In the console tree, click the name of the certification authority (CA).

    Where?

    • Certification Authority (Computer)/CA name

  5. On the Action menu, point to All Tasks, and click Stop Service to stop the service.

  6. On the Action menu, point to All Tasks, and click Start Service to start the service.

Value Description

certutil

Specifies the name of the command-line program.

-setreg

Modifies the registry.

ca\RoleSeparationEnabled

Indicates the registry value for role separation.

1

Specifies a value for the registry entry. A value of 1 enables role separation.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

  • Once role separation is enabled, a local Administrator will not be able to perform any role-based administration of the CA. This is because the local Administrator account has both the CA Backup Operator and CA Auditor user rights.

  • You can assign certification authority roles for role-based administration on servers running any version of the Windows Server 2003 family, but you can only enable role separation on servers running Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition, including the 64-bit versions of Windows Server 2003, Enterprise Edition and 64-bit versions of Windows Server 2003, Datacenter Edition.

  • To display the role separation setting, type:

    certutil -getreg ca\RoleSeparationEnabled

  • To view the complete syntax for this command, at a command prompt, type:

    certutil -setreg -?

  • To stop and restart the Certificate Services service at the command prompt, type:

    net stop certsvc

    net start certsvc

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Disable role separation
Add a certification authority administrator
Add a certificate manager
Role-based administration
Add a certification authority auditor
Add a certification authority backup operator
Start or stop the certification authority service