Restrict Certificate Managers

Applies To: Windows Server 2008

A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificates permission.

When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.

This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.

You must be a CA administrator or a member of Enterprise Admins, or equivalent, to complete this procedure. For more information, see Implement Role-Based Administration.

To configure certificate manager restrictions for a CA

  1. Open the Certification Authority snap-in, and right-click the name of the CA.

  2. Click Properties, and then click the Security tab.

  3. Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allow check box, and then click Apply.

  4. Click the Certificate Managers tab.

  5. Click Restrict certificate managers, and verify that the name of the group or user is displayed.

  6. Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.

  7. Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK.

  8. If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, or group, and click Deny.

  9. When you are finished configuring certificate manager restrictions, click OK or Apply.
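After completing the procedure, an administrator will usually want to confirm, without clicking through the snap-in, who actually holds Issue and Manage Certificates on the CA and whether Restrict certificate managers is turned on. The following PowerShell is an added example, not part of this article, that reads both through the CA's ICertAdmin2 COM interface (ProgID CertificateAuthority.Admin). It assumes the CA is addressed as "HostName\CAName", the caller is a CA administrator or equivalent as required above, and the COM out-parameter is passed with [ref].

```powershell
# Added example (not from the original article): audit Issue and Manage Certificates
# holders and the Restrict certificate managers state on a CA via ICertAdmin2.
# Assumptions: $Config is an existing CA in "HostName\CAName" form, and the caller
# is a CA administrator or equivalent.

# CA_ACCESS_OFFICER (0x2) is the CA access-mask bit that the snap-in shows as
# "Issue and Manage Certificates".
$CA_ACCESS_OFFICER = 0x2

function Get-CertificateManagers {
    param([Parameter(Mandatory)][string]$Config)

    $admin = New-Object -ComObject CertificateAuthority.Admin
    # GetCASecurity returns the CA's own security descriptor in SDDL form.
    $sddl = $admin.GetCASecurity($Config)
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor $false, $false, $sddl

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Keep only ACEs that grant or deny the certificate manager right.
        if (($ace.AccessMask -band $CA_ACCESS_OFFICER) -eq 0) { continue }
        try   { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $ace.SecurityIdentifier.Value }   # unresolvable SID: report it raw
        [pscustomobject]@{
            Account = $account
            AceType = $ace.AceType   # AccessAllowed or AccessDenied
        }
    }
}

function Test-CertificateManagerRestrictions {
    param([Parameter(Mandatory)][string]$Config)

    $admin = New-Object -ComObject CertificateAuthority.Admin
    $enabled = $false
    # GetOfficerRights sets $enabled when "Restrict certificate managers" is selected
    # and returns the per-template/per-principal restriction descriptor as a string.
    # Assumption: the [out] parameter is supplied as a [ref] variable.
    $rights = $admin.GetOfficerRights($Config, [ref]$enabled)
    [pscustomobject]@{
        RestrictionsEnabled = [bool]$enabled
        Rights              = $rights
    }
}

# Example use (placeholder CA name):
# Get-CertificateManagers -Config 'CA01.example.com\Example-CA'
# Test-CertificateManagerRestrictions -Config 'CA01.example.com\Example-CA'
```

An account that appears with AceType AccessAllowed but RestrictionsEnabled reporting False can manage every certificate the CA issues; the restriction steps above only take effect once the second function reports True.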

Additional references