Security around automated certificate management/request

Gil D

Looking for information regarding the security requirements for implementing automated certificate management, particularly the permissions required for the account used in the automated certificate request workflow:


The Microsoft Gateway user needs the following permissions:

  • CredSSP needs to be configured on the CA and MID Server.
  • The User should be part of Enterprise Admins.
  • The User should be in the Security Group of the Template used.
  • The User should have Read, Issue and Manage Certificates, Manage CA, and Request Certificates Permission in the CA.


https://docs.servicenow.com/bundle/utah-it-operations-management/page/product/discovery/concept/auto...


We are most concerned with the first two bullet points (especially the second). Granting these permissions, especially Enterprise Admins, is not something I would expect flies in most organizations. Has anyone managed to implement this with a more fine-grained set of permissions? Any help or guidance would be greatly appreciated on this subject!


Nolan3

I am not sure if you figured this out by now, but here is what I did as far as service account permissions go to get the automated certificate request to work with my Microsoft CA.

Please note I only have this working in non-prod at the moment, so it is possible there are challenges I have not yet run into.


I did not have to give the service account Enterprise Admin access.


  • I created a standard AD account to use as a service account with no special AD permissions.
  • I made this account an admin on my Microsoft CA server.
  • I gave this account Read, Enroll, and Autoenroll permission on the template I am using to issue certs.
  • I did need to change a group policy setting on the MID and CA servers.

MID server

Gpedit > Computer Config > Admin Templates > System > Credentials Delegation

Allow Delegating fresh credentials - Enabled

Added these values:

wsman/*.domain

wsman/*

wsman/IP of microsoft CA server

wsman/Name of Microsoft CA server


Added the same entries to this GP setting:

Allow delegating fresh credentials with NTLM-only server authentication


CA server

Gpedit > Computer Config > Admin Templates > System > Credentials Delegation

Allow Delegating fresh credentials - Enabled

Added these values:

wsman/*.domain

wsman/*

wsman/IP of mid server

wsman/Name of mid server
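An added example (not code from either post or from ServiceNow's documentation) that scripts the MID Server side of the same CredSSP delegation in PowerShell, delegating fresh credentials only to one named CA host instead of `wsman/*`, and then audits both delegation policies for wildcard targets; the CA host name is a placeholder.

```powershell
# Added example: MID Server side of CredSSP fresh-credential delegation,
# scoped to a single CA host, plus an audit of the resulting policy.
$CaFqdn = 'ca01.corp.example'   # placeholder for the Microsoft CA server FQDN

# Client role: enables CredSSP and writes the "Allow delegating fresh credentials"
# policy entry wsman/<CA host> under CredentialsDelegation\AllowFreshCredentials.
Enable-WSManCredSSP -Role Client -DelegateComputer $CaFqdn -Force

# The NTLM-only variant of the policy has no cmdlet switch; set its keys directly.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$ntlm = Join-Path $base 'AllowFreshCredentialsWhenNTLMOnly'
New-Item -Path $ntlm -Force | Out-Null
New-ItemProperty -Path $base -Name 'AllowFreshCredentialsWhenNTLMOnly' `
    -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $ntlm -Name '1' -Value "wsman/$CaFqdn" `
    -PropertyType String -Force | Out-Null

# Audit: list every delegation target in both policies and flag wildcard SPNs.
# A wildcard such as wsman/* lets the MID Server hand its credentials to any
# WinRM host, which is far broader than the one CA it needs to reach.
function Get-CredSspDelegationTargets {
    foreach ($policy in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $key = Join-Path $base $policy
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($p in $entries.PSObject.Properties) {
            # List entries are stored as numbered REG_SZ values: "1", "2", ...
            if ($p.Name -match '^\d+$') {
                [pscustomobject]@{
                    Policy   = $policy
                    Target   = $p.Value
                    Wildcard = [bool]($p.Value -match '\*')
                }
            }
        }
    }
}

Get-CredSspDelegationTargets | Format-Table -AutoSize
```

Run in an elevated PowerShell on the MID Server; the CA host still needs `Enable-WSManCredSSP -Role Server` to accept the delegated credentials.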