There is official Microsoft documentation on how to delegate Active Directory Certificate Services (public key infrastructure) management to users who are not domain admins. I used this procedure to delegate CA management on Windows Server 2019, so it is still relevant.
That is what I followed, but what it does not tell you is what happens if, after the delegation has been done, the delegated users are unable to publish a new certificate template for issuance. The answer is that the problem does not come from the delegation; it comes from the GUI, so you just need to use the certutil command-line tool to publish the new template.
The built-in certutil.exe tool can be used to manage certificate templates on a CA server, locally or remotely:
- Log on to the CA server, or to a computer with the Remote Server Administration Tools installed, using an account with CA Administrator permissions;
- Open an elevated Command Prompt;
- If you are logged on to the CA server, type:
certutil -SetCaTemplates +<TemplateCommonName>
Replace <TemplateCommonName> with the template's actual common name.
certutil -setcatemplates +WebServerwithClientAuth
0: WebServerwithClientAuth: Adding
CertUtil: -SetCATemplates command completed successfully.
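A scripted version of the same certutil procedure, added here as an example; it is not code from the original post or from Greig Sheridan's blog. It assumes an elevated PowerShell session running under the delegated CA Administrator account, uses certutil's standard -config switch (not mentioned in the post) so it also works against a remote CA, and reads the CA's template list with -CATemplates before and after the change so the publication is verified rather than assumed.

```powershell
# Added example (not from the original post or Greig Sheridan's blog).
# Assumptions: elevated PowerShell, CA Administrator rights delegated to this
# account; $CaConfig is "<CAHostFQDN>\<CAName>" for a remote CA (see
# "certutil -dump"), or left empty when running directly on the CA server.
param(
    [Parameter(Mandatory)] [string] $TemplateCommonName,
    [string] $CaConfig = ''
)

function Get-PublishedTemplates {
    param([string] $Config)
    $certutilArgs = @()
    if ($Config) { $certutilArgs += @('-config', $Config) }
    $certutilArgs += '-CATemplates'
    # Each template line starts with "<CommonName>: <Display Name> -- ...";
    # the closing "CertUtil: ... completed successfully." line is skipped.
    & certutil.exe @certutilArgs | ForEach-Object {
        if ($_ -match '^(?!CertUtil:)(\S+):') { $Matches[1] }
    }
}

function Publish-CaTemplate {
    param([string] $Name, [string] $Config)
    if (@(Get-PublishedTemplates -Config $Config) -contains $Name) {
        Write-Host "Template '$Name' is already published on this CA."
        return $true
    }
    $certutilArgs = @()
    if ($Config) { $certutilArgs += @('-config', $Config) }
    # "+Name" publishes the template; "-Name" would remove it from the CA.
    $certutilArgs += @('-SetCATemplates', "+$Name")
    & certutil.exe @certutilArgs 2>&1 | ForEach-Object { Write-Host $_ }
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil exited with $LASTEXITCODE; check the CA Administrator (Manage CA) permission delegated to this account."
        return $false
    }
    # Read the template list back so the result is verified, not assumed.
    return [bool](@(Get-PublishedTemplates -Config $Config) -contains $Name)
}

Publish-CaTemplate -Name $TemplateCommonName -Config $CaConfig
```

Run it as `.\Publish-Template.ps1 -TemplateCommonName WebServerwithClientAuth` on the CA, or add `-CaConfig "ca01.example.local\Example-CA"` (a constructed value) to target a remote CA.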
I found the solution on Greig Sheridan's blog.
The specific topic is here: