Assigning the Certificate Template Manager Role
Three separate tasks must be performed to assign the Certificate Template Manager role:
■ Delegate permissions to the Certificate Templates container in the Configuration naming context to create new certificate templates.
■ Delegate permissions to the OID container in the Configuration naming context to create new object identifiers (OIDs).
■ Delegate permissions to every existing certificate template in the Certificate Templates container in the Configuration naming context.
Chapter 10: Role Separation 223
Delegate Permissions for Creation of New Templates
You can delegate the permission to create new templates by assigning permissions to a custom universal group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container, as follows:
1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.
2. Open the Active Directory Sites and Services console.
3. From the View menu, ensure that the Show Services Node option is enabled.
4. In the console tree, expand Services, expand Public Key Services, and click Certificate Templates.
5. In the console tree, right-click Certificate Templates and click Delegate Control.
6. In the Delegation of Control Wizard, click Next.
7. On the Users or Groups page, click Add.
8. In the Select Users, Computers, or Groups dialog box, type a user or group name and click OK.
9. On the Users or Groups page, click Next.
10. On the Tasks to Delegate page, click Create a Custom Task to Delegate and click Next.
11. On the Active Directory Object Type page, click This Folder, Existing Objects in this Folder, and Creation of New Objects in This Folder, and click Next.
12. On the Permissions page, in the Permissions list, enable Full Control and click Next.
13. On the Completing the Delegation of Control Wizard page, click Finish.
Delegate Permissions for Creation of New OIDs
When a certificate template is created, an OID is generated to identify the certificate template. To create a new certificate template, a user must therefore also be delegated the permission to create new OIDs in the CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container, as follows:
1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.
2. Open the Active Directory Sites and Services console.
3. On the View menu, ensure that the Show Services Node option is enabled.
4. In the console tree, expand Services, expand Public Key Services, right-click OID, and click Properties.
5. In the OID Properties dialog box, on the Security tab, click Add.
6. In the Select Users, Computers, or Groups dialog box, type the names of the users or groups to which you want to delegate certificate management permissions, and click OK.
7. In the OID Properties dialog box, select the users or groups that you want to add, enable the Allow check box for Full Control for each entry, and click OK.
Delegate Permissions to Every Existing Certificate Template in the Certificate
Once you delegate permissions for creating and modifying new certificate templates, you must modify the permissions of the existing certificate templates.
You can run the script file that follows to delegate permissions to a custom universal group. The script file assumes that only the 31 default certificate templates exist. If you create any other certificate templates, you must modify the script to include the additional certificate templates created before executing the script file.
On the Resource Kit CD A copy of this script is included on the accompanying CD-ROM. The script, DelegateTemplateModification.cmd, must be modified to replace the example\TemplateAdministrators group with the name of the custom universal group deployed in your forest.
Note This script requires that the Windows Support Tools be installed, because it uses the dsacls.exe command.
@echo off
rem DelegateTemplateModification.cmd
rem Grants the custom universal group the rights it needs on each of the 31 default
rem certificate templates. Replace example\TemplateAdministrators with your own group and
rem add a dsacls line for every additional template that exists in your forest.
rem Rights string: SD delete, DT delete subtree, RC read permissions, WD change permissions,
rem WO take ownership, LC list children, WP write property, RP read property,
rem CC create child, DC delete child, WS write self, LO list object.
echo Add custom ACEs for the TemplateAdministrators group
dsacls "CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=CA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=CAExchange,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=CEPEncryption,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=ClientAuth,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=CodeSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=CrossCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=CTLSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=DomainControllerAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=EFS,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=EFSRecovery,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=EnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=EnrollmentAgentOffline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=ExchangeUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=ExchangeUserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=IPSecIntermediateOffline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=IPSecIntermediateOnline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=KeyRecoveryAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=MachineEnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=OfflineRouter,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=RASAndIASServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=SmartCardLogon,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=SmartCardUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=UserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
dsacls "CN=Workstation,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" /G example\TemplateAdministrators:SDDTRCWDWOLCWPRPCCDCWSLO
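The batch file above has to be edited by hand whenever a template is added, and it gives no way to confirm afterwards that every template actually carries the intended ACE. The following PowerShell script is an added example, not the book's script and not part of the Resource Kit CD: it performs all three delegations described in this section (the Certificate Templates container, the OID container, and every existing template) with the ActiveDirectory module instead of dsacls, enumerates the templates at run time rather than assuming the 31 defaults, and then audits the result. It assumes the ActiveDirectory PowerShell module is available, that the Configuration naming context is discovered from the root DSE, and that the custom universal group is named TemplateAdministrators; the group name, the rights set and the audit function are the example's own choices. The rights set for the templates is a decoding of the dsacls string used in the script above.

```powershell
#Requires -Modules ActiveDirectory
# Added example: delegate the Certificate Template Manager role and audit it.
# $GroupName is a placeholder; replace it with your custom universal group.
param(
    [string]$GroupName = 'TemplateAdministrators'
)
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$pkiServices = "CN=Public Key Services,CN=Services,$configNC"
$templatesDN = "CN=Certificate Templates,$pkiServices"
$oidDN       = "CN=OID,$pkiServices"
$groupSid    = (Get-ADGroup -Identity $GroupName).SID

# The dsacls rights string SDDTRCWDWOLCWPRPCCDCWSLO decodes to these ActiveDirectoryRights:
# SD Delete, DT DeleteTree, RC ReadControl, WD WriteDacl, WO WriteOwner, LC ListChildren,
# WP WriteProperty, RP ReadProperty, CC CreateChild, DC DeleteChild, WS Self, LO ListObject.
# It deliberately does not include CR (ExtendedRight), so it is narrower than GenericAll.
$templateRights = [System.DirectoryServices.ActiveDirectoryRights](
    'Delete, DeleteTree, ReadControl, WriteDacl, WriteOwner, ListChildren, ' +
    'WriteProperty, ReadProperty, CreateChild, DeleteChild, Self, ListObject')

function Grant-AdObjectRights {
    # Add an Allow ACE for $Sid with $Rights to the object at $DistinguishedName.
    param(
        [string]$DistinguishedName,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None'
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $Inheritance)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-CertificateTemplates {
    # Every template object that exists right now, not a fixed list of 31 names.
    Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
        -LDAPFilter '(objectClass=pKICertificateTemplate)'
}

function Test-TemplateDelegation {
    # Return the names of templates on which $Sid does NOT hold all of $Rights
    # through object-wide Allow ACEs (explicit or inherited).
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $missing = @()
    foreach ($t in Get-CertificateTemplates) {
        $acl     = Get-Acl -Path "AD:\$($t.DistinguishedName)"
        $granted = 0
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.ObjectType -ne [guid]::Empty)  { continue }   # property/extended-right ACEs
            try {
                $aceSid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier])
            } catch { continue }                                  # unresolvable identity
            if ($aceSid -eq $Sid) { $granted = $granted -bor [int]$ace.ActiveDirectoryRights }
        }
        if (($granted -band [int]$Rights) -ne [int]$Rights) { $missing += $t.Name }
    }
    return $missing
}

# Task 1: Full Control on the Certificate Templates container, inherited by new templates.
Grant-AdObjectRights -DistinguishedName $templatesDN -Sid $groupSid -Rights GenericAll -Inheritance All
# Task 2: Full Control on the OID container so new template OIDs can be created.
Grant-AdObjectRights -DistinguishedName $oidDN -Sid $groupSid -Rights GenericAll -Inheritance All
# Task 3: the per-template rights on every template that currently exists.
foreach ($t in Get-CertificateTemplates) {
    Grant-AdObjectRights -DistinguishedName $t.DistinguishedName -Sid $groupSid -Rights $templateRights
}

# Audit: list any template the group still cannot manage.
$left = Test-TemplateDelegation -Sid $groupSid -Rights $templateRights
if ($left) { Write-Warning ("Delegation incomplete for: " + ($left -join ', ')) }
else       { Write-Output "All $((Get-CertificateTemplates).Count) templates delegated to $GroupName" }
```

Run the script as a member of Enterprise Admins, as the book requires for the manual steps; Test-TemplateDelegation can also be run on its own, before any change, to inventory which templates a group already controls. Because the audit translates each ACE's identity back to a SID, it catches entries that were written for the group under a different display name, and it ignores property-specific and extended-right ACEs so that a partial grant is not mistaken for the full rights set.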