29 August 2024

Delegating ADCS PKI management to non-domain admins

There is official Microsoft documentation on how to delegate Active Directory Certificate Services (Public Key Infrastructure) management to non-domain admins. I used this procedure to delegate CA management on Windows Server 2019, so it is still relevant:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786430(v=ws.11)

That is what I followed, but what it doesn't tell you is what happens when, after the delegation has been done, the delegated users are unable to publish a new certificate template (add it to the CA's list of templates to issue). The answer is that the problem doesn't come from the delegation; it comes from the GUI. You just need to use the certutil command-line tool to publish the new template.

The built-in certutil.exe tool can be used to manage certificate templates on the CA server, locally or remotely:

  1. Log on to the CA server, or to a computer with the Remote Server Administration Tools installed, with an account that has CA Administrator permissions;
  2. Open an elevated Command Prompt;
  3. If you are logged on to the CA server, type:
    certutil -SetCaTemplates +<TemplateCommonName>
    Replace <TemplateCommonName> with the template's actual common name.

  certutil -setcatemplates +WebServerwithClientAuth
  0: WebServerwithClientAuth: Adding
  CertUtil: -SetCATemplates command completed successfully.
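The same publish step wrapped so that it is idempotent and verified, as an added PowerShell example that is not part of the original post. It assumes certutil.exe is on the PATH (on the CA itself or a machine with RSAT), that the template common name is the one used above, and that the hypothetical `$CAConfig` value "CAHOST\CA Common Name" is supplied when running remotely (leave it empty on the CA itself).

```powershell
# Added example, not from the original post: publish a certificate template on an
# AD CS CA as a delegated CA Administrator, checking before and verifying after.
param(
    [string]$TemplateName = 'WebServerwithClientAuth',
    # Hypothetical value for remote use, e.g. 'CA01.corp.example\Corp-Issuing-CA';
    # leave empty when running on the CA server itself.
    [string]$CAConfig = ''
)

# certutil accepts -config "Host\CAName" to target a remote CA; omit it for the local CA.
$configArgs = if ($CAConfig) { @('-config', $CAConfig) } else { @() }

function Get-PublishedTemplates {
    # 'certutil -CATemplates' lists the templates the CA is set to issue, one per line as
    # "CommonName: Display Name -- Auto-Enroll: ...", followed by a "CertUtil: ..." status line.
    $out = & certutil @configArgs -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed: $out" }
    $out | Where-Object { $_ -match '^(?!CertUtil:)(\S+):' } | ForEach-Object { $Matches[1] }
}

function Publish-CATemplate {
    param([Parameter(Mandatory)][string]$Name)
    if ((Get-PublishedTemplates) -contains $Name) {
        Write-Host "$Name is already being issued by this CA; nothing to do."
        return $true
    }
    # '+' adds the template to the CA's issue list ('-' would remove it). Unlike the MMC,
    # this path works with a delegated CA Administrator account.
    $out = & certutil @configArgs -SetCATemplates "+$Name" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates failed: $out" }
    # Do not trust the success message alone: re-read the CA's template list.
    return ((Get-PublishedTemplates) -contains $Name)
}

if (Publish-CATemplate -Name $TemplateName) {
    Write-Host "Verified: $TemplateName is now in the CA's list of templates to issue."
} else {
    throw "$TemplateName was not listed by 'certutil -CATemplates' after publishing."
}
```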

I found the solution on Greig Sheridan's blog:

https://greiginsydney.com/

The specific post is here:

https://greiginsydney.com/server-2016-unable-to-set-certificate-to-issue/?unapproved=34677&moderation-hash=f8f7e9758fa7c079b382568dcb0aee87