| Section | Task | Computer | Account | Required permissions | Role | Phase |
| --- | --- | --- | --- | --- | --- | --- |
| 3.1.1 | Configuring Network Adapters and IP Addresses | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | | | Build |
| 3.1.2 | Disabling Unnecessary Bindings | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | Any account that is a member of the server's Network Configuration Operators or Administrators group. The local administrator has this permission by default and is the only user account available at this time. | | Build |
| 3.1.3 | Configuring NIC Teaming | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | Any account that is a member of the server's Network Configuration Operators or Administrators group. The local administrator has this permission by default and is the only user account available at this time. | OS Network Configuration Owner | Build |
| 3.1.4 | Joining the Computer to the Domain | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | Any authenticated user has permission to join a computer to the domain. | User Role | Build |
| 3.2.1 | Preparing the capolicy.inf File | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | Write permission in the WINDOWS directory is required. The local administrator has this permission by default and is the only user account available at this time. | Server Owner | Build |
| 3.2.2 | Installing the CA Software Components | FFL-RT-CA-01, FFL-RT-CA-02 | Administrator@corp.contoso.com | Installing the first enterprise CA in a forest requires Root Domain Administrator, Enterprise Administrator, and local Administrator permissions; all subsequent CA installations require Enterprise Administrator and local Administrator permissions because the installation procedure must register the CA as an enrollment service in Active Directory. When the first CA is installed, base objects are also created in Active Directory; these objects are reused by subsequent CAs. | Forest Owner - Enterprise Admin | Build |
| 3.3.1 | Generating a Unique OID | FFL-RT-CA-01 | EntPKIadmin01@na.corp.contoso.com | To create a new OID, the account must have write permission on the OID configuration container in Active Directory. Enterprise Administrators have this permission by default. Members of the custom EntPKIAdmins security group have the appropriate permissions per the "General: Creating Active Directory Groups and Users" section of this guide. | Enterprise PKI Administrator | Build |
| 3.3.2 | Injecting the Policy Into the Certificate Request | FFL-RT-CA-01, FFL-RT-CA-02 | EntPKIadmin01@na.corp.contoso.com | Technically, any account with read and write permissions on the folders that store the request and .inf files can prepare the certificate request. | Enterprise PKI Administrator | Build |
| 3.4 | Certificate Request Submission at Parent CA | FFL-SA-CA-02 | Local certRequester01 | Submitting a certificate request requires enrollment permission on the CA object. Without delegated CA permissions: Administrator. Any account that is a member of the Everyone group has certificate request permission by default; the Administrator is a member of Everyone and can submit the certificate request. With delegated CA permissions: CertRequesters. Members of the custom CertRequesters security group can submit certificate requests to the CA because they have been granted permission to request certificates. | Certificate requester | Operate |
| 3.5 | Certificate Approval at Parent CA | FFL-SA-CA-02 | Local CertManager01 | Approving a certificate request requires certificate manager permission on the CA object. Without delegated CA permissions: Administrator. The computer's Administrators group has certificate management permission by default. With delegated CA permissions: CertManagers. A member of the Certificate Managers group must approve the CA certificate request once it has been submitted. | Certificate Manager | Operate |
| 3.6 | Verifying CA and CRL Accessibility | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | This task requires read permission on the CA and CRL distribution point. The distribution point is configured to allow anonymous read access. Because the local administrator is not a domain account, it behaves as an anonymous account. | CA owner | |
| 3.7 | Denying Certificate Request Permissions | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | Managing CA permissions requires CA manager permission on the CA object. The local administrator has this permission by default and is the only user account available at this time. | CA owner | Operate |
| 3.8.1 | Configuring the CA Service | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | Write permission on the registry key HKLM\SYSTEM\CurrentControlSet\Services\CertSvc is required. Members of the local Administrators and Server Operators security groups can maintain the CA configuration in the registry. The local administrator has this permission by default and is the only user account available at this time. | Server Owner | Build |
| 3.8.2 | Installing a CA Certificate | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | The registry location that holds the CA certificates limits write permission to members of the local Administrators group by default. Because of the restrictive permissions on the certificate store, you must be a local administrator to perform this operation; the local administrator is also the only user account available at this time. CA certificate installation is an operational task because it must be repeated every time the CA certificate is renewed. | CA owner | Operate |
| 3.8.3 | Post Configuration Tasks | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | Permission to start the CA service is required. Management permission is required to detach the default certificate templates. | CA owner | Build |
| 3.8.4 | Verifying the CA Configuration | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | Technically, any account with read permission on the CA object can perform this operation. The local administrator has this permission by default and is the only user account available at this time. | Server Owner | Build |
| 3.9.1 | Verifying the CRL Publication On the Fileshare | CI Management Server | EntPKIpublisher01@na.corp.contoso.com | Any account with read permission on the publication file share can verify the publication. | Enterprise PKI publisher | Operate |
| 3.9.2 | Verify Information in Active Directory | CI Management Server | EntPKIadmin01@na.corp.contoso.com | Any account that is treated as an authenticated user can perform this task. | Enterprise PKI Administrator | Operate |
| 3.10 | Creating Local CA Management Accounts | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | Only members of the local Administrators group can create local user accounts. | Server owner | Build |
| 3.11 | Configuring Different CA Roles | CI Management Server | Administrator@corp.contoso.com | The account requires CA management permission and must be an authenticated domain user. | CA owner | Operate |
| 3.12 | Enforcing Role Separation | FFL-RT-CA-01, FFL-RT-CA-02 | Local Administrator | Write permission on the registry key HKLM\SYSTEM\CurrentControlSet\Services\CertSvc is required. Members of the local Administrators and Server Operators security groups can maintain the CA configuration in the registry. The local administrator has this permission by default. | Server Owner | Operate |
| 3.13 | Issuing CA: Publishing the CA Certificate | FFL-RT-CA-01, FFL-RT-CA-02 | EntPKIpublisher01@na.corp.contoso.com | The account requires the right to log on locally at the <PKIciManagementServer> and <PKIexManagmentServer> and permission to create files on the Web server file shares. | Enterprise PKI publisher | Operate |
| 3.14 | Allowing Certificate Requests | FFL-RT-CA-01, FFL-RT-CA-02 | caAdmin01@na.corp.contoso.com | The account requires manage permission on the CA object and read permission on the templates that are to be assigned. | CA owner | Operate |
| 3.15 | Moving Servers to the Domain Organizational Unit | CI Management Server | Administrator@corp.contoso.com | The account must have create and delete object permissions in both the source and destination container or OU. | OU owner | Operate |
| 3.16 | Enabling Certificate Autoenrollment | CI Management Server | Administrator@na.corp.contoso.com | The account requires domain Group Policy management permission. | Domain Administrator | Operate |
| 3.17 | Configuring Certificate Authority Service Permissions | CI Management Server | Administrator@na.corp.contoso.com | The account requires domain Group Policy management permission. | Domain Owner | Operate |