Delegated Installation for an Enterprise Certification Authority


Applies To: Windows Server 2012 R2, Windows Server 2012

By default, to install a root or subordinate certification authority (CA), you must be a member of the Enterprise Admins group, or of Domain Admins in the forest root domain. By following the instructions in this topic, you can delegate that task to an administrator who doesn’t hold these high-privilege memberships. Installing with a low-privilege account helps to mitigate Pass-the-Hash attacks, and the lateral movement and privilege escalation that follow from them, as documented by Microsoft Trustworthy Computing in the downloadable paper Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.

Important

Delegated installation for an enterprise certification authority as described in this article succeeds only if certificate templates are present in Active Directory. If certificate templates are already present, the second, third, and subsequent installations of enterprise CAs can be delegated as described. When the default certificate templates are not available in Active Directory, the installation of the first enterprise CA fails. For the procedure shown in this article to succeed for the first enterprise CA installation in the forest, you must first install the default certificate templates in Active Directory:

  1. Open a command prompt with the Run as administrator option.

  2. Run the following command only once for the given forest:

    certutil -installdefaulttemplates

Use the following procedure to prepare a forest so that a low-privilege administrator can install and configure an enterprise CA.

To prepare a forest for a CA delegated installation

  1. Create a security group (as an example, name it CAInstallGroup) and add user accounts to this group for the administrators who will install and configure the enterprise root CA or enterprise subordinate CA.

    You can create and configure this group by using Active Directory Users and Computers, or you can use Windows PowerShell.

    To use Windows PowerShell:

    1. Start a Windows PowerShell session with the Run as administrator option. For more information about using the Active Directory module for Windows PowerShell, see Active Directory Administration with Windows PowerShell in the Windows Server library.

    2. Use the New-ADGroup cmdlet to create a new security group, using the following example:

      New-ADGroup -Name "CAInstallGroup" -GroupScope Global -Description "Security group to install AD CS Certification Authority" -GroupCategory Security
      

      In this example, you can substitute your own name and description for the security group, and change the scope if required.

    3. Define a variable for a user account, using the Get-ADUser cmdlet for the user to add to the group, and then use the Add-ADGroupMember cmdlet to add that user to the group, using the following example:

      $user = Get-ADUser <user name>
      Add-ADGroupMember -Identity "CAInstallGroup" -Members $user
      

      Repeat this command for additional users that you want to add to the group.

  2. Grant this security group Full Control to the Active Directory Public Key Service containers:

    1. Copy and save the following into a Windows PowerShell script that has the name Modify-PublicKeyServices.Acl.ps1:

      param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$group
      )
      
      # The ad:\ drive used below is provided by the Active Directory module
      Import-Module ActiveDirectory
      
      $groupObj = Get-ADGroup $group
      $sidGroup = new-object System.Security.Principal.SecurityIdentifier $groupObj.SID
      
      # Get the configuration naming context: the Public Key Services container
      # lives in the Configuration partition, not in the domain partition
      $rootDomain = ([ADSI]"LDAP://RootDSE").ConfigurationNamingContext
      
      #Get public key services container full DN
      $publicKeyServicesContainer = "CN=Public Key Services,CN=Services,$rootDomain"
      set-location ad:\
      
      #Get ACL for public key services container
      $acl = get-acl $publicKeyServicesContainer
      
      #Create access rule to be added to ACL: Full Control for the group, inherited
      #by every child object (the Certificate Templates, Enrollment Services and
      #other containers under Public Key Services)
      $accessRule = new-object System.DirectoryServices.ActiveDirectoryAccessRule(
          $sidGroup,
          [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
          [System.Security.AccessControl.AccessControlType]::Allow,
          [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
      
      #Add this access rule to the ACL
      $acl.SetAccessRule($accessRule)
      
      #Write the changes to the object
      set-acl -path $publicKeyServicesContainer -aclobject $acl
      set-location c:\
      
      
    2. Run the script by using the following command:

      .\Modify-PublicKeyServices.Acl.ps1 -group "CAInstallGroup"
      

      If you named the security group from Step 1 to have a different name from CAInstallGroup, substitute your preferred name in the command.

  3. Grant the security group permissions to add members to the Cert Publishers domain group:

    Open Active Directory Users and Computers and make sure that Advanced Features is enabled from the View menu, then do the following steps:

    1. Expand Users, right-click Cert Publishers and select Properties.

    2. Click the Security tab.

    3. Click Advanced.

    4. In the Advanced Security Settings for Cert Publishers dialog box, click Add and add the security group (for example, CAInstallGroup) that you created earlier.

    5. Select Write Members, and click OK three times.

  4. Grant the security group permissions to add members to the Pre-Windows 2000 Compatible Access group:

    1. Expand Builtin, right-click Pre-Windows 2000 Compatible Access, and select Properties.

    2. Click the Security tab.

    3. Click Advanced.

    4. In the Advanced Security Settings for Pre-Windows 2000 Compatible Access dialog box, click Add and add the security group (for example, CAInstallGroup) that you created earlier.

    5. Select Write Members, and click OK three times.

  5. For an enterprise subordinate CA only: For the Subordinate Certification Authority template, on the Security tab, grant Read and Enroll permissions to your security group.
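The three permission grants above (Write Members on Cert Publishers and on Pre-Windows 2000 Compatible Access in steps 3 and 4, and Read and Enroll on the Subordinate Certification Authority template in step 5) can also be applied, and afterwards audited, with PowerShell instead of the dialogs. The following is an added example, not code from the original article or from Microsoft. The function names and the audit function are assumptions for illustration; the group name CAInstallGroup is the article's example; the two GUIDs are the fixed schema identifiers of the member attribute and of the Certificate-Enrollment extended right, which Active Directory uses to express "Write Members" and "Enroll" as object-specific ACEs.

```powershell
# Added example (not from the original article): applies steps 3 to 5 with PowerShell
# and reads the resulting ACLs back so the delegation can be reviewed.
Import-Module ActiveDirectory

# Schema GUIDs for the 'member' attribute and the 'Certificate-Enrollment' extended
# right. They are defined by the AD schema and are the same in every forest.
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$EnrollRightGuid     = [Guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'

function Get-SubCATemplateDN {
    # The Subordinate Certification Authority template is stored as CN=SubCA under the
    # Certificate Templates container in the Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
}

function Add-DelegationAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # An object-type GUID scopes the ACE to one attribute or extended right; Guid.Empty
    # applies the right to the whole object. No inheritance: the targets are leaf objects.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)   # AddAccessRule merges; it keeps the group's other ACEs
    Set-Acl -Path $path -AclObject $acl
}

function Grant-CAInstallDelegation {
    param([Parameter(Mandatory)][string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID

    # Steps 3 and 4: 'Write Members' in the dialog is WriteProperty on the member attribute.
    foreach ($target in 'Cert Publishers', 'Pre-Windows 2000 Compatible Access') {
        $dn = (Get-ADGroup -Identity $target).DistinguishedName
        Add-DelegationAce -DistinguishedName $dn -Sid $sid -Rights WriteProperty `
            -ObjectType $MemberAttributeGuid
    }

    # Step 5 (enterprise subordinate CA only): Read and Enroll on the template. Enroll is
    # the Certificate-Enrollment extended right, so it needs the object-type GUID.
    $templateDn = Get-SubCATemplateDN
    Add-DelegationAce -DistinguishedName $templateDn -Sid $sid -Rights GenericRead
    Add-DelegationAce -DistinguishedName $templateDn -Sid $sid -Rights ExtendedRight `
        -ObjectType $EnrollRightGuid
}

function Get-CAInstallDelegation {
    # Audit: list every ACE the group holds on the three objects, so an over-broad grant
    # (for example GenericAll where only Write Members was intended) is visible at a glance.
    param([Parameter(Mandatory)][string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID.Value
    $objects = @(
        (Get-ADGroup -Identity 'Cert Publishers').DistinguishedName
        (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access').DistinguishedName
        (Get-SubCATemplateDN)
    )
    foreach ($dn in $objects) {
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object {
                # Compare SIDs rather than names so a renamed group is still matched
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid
            } |
            Select-Object @{ n = 'Object'; e = { $dn } }, ActiveDirectoryRights,
                          ObjectType, AccessControlType
    }
}

# Usage, run by a Domain Admin or Enterprise Admin once the group from step 1 exists:
#   Grant-CAInstallDelegation -GroupName 'CAInstallGroup'
#   Get-CAInstallDelegation   -GroupName 'CAInstallGroup' | Format-Table -AutoSize
```

The audit output shows the rights together with the ObjectType GUID of each ACE; an entry with WriteProperty and the member attribute GUID is exactly what the Write Members checkbox produces, and an ExtendedRight entry carrying the Certificate-Enrollment GUID is the Enroll permission. Anything broader on these objects, or an ACE for a principal other than the delegated group, deserves a second look before the CA is installed.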

An administrator who is not a member of the Enterprise Admins group or Domain Admins group but who is a member of the group that you created can now install and configure an enterprise CA.