Security around automated certificate management/request

Gil D
Tera Contributor

Looking for information regarding the security requirements for implementing automated certificate management, particularly the permissions required for the account used in the automated certificate request workflow:

The Microsoft Gateway user needs the following permissions:

  • CredSSP needs to be configured on the CA and MID Server.
  • The User should be part of Enterprise Admins.
  • The User should be in the Security Group of the Template used.
  • The User should have Read, Issue and Manage Certificates, Manage CA, and Request Certificates Permission in the CA.

https://docs.servicenow.com/bundle/utah-it-operations-management/page/product/discovery/concept/auto...

We are most concerned with the first two bullet points (especially the second). Granting these permissions, especially Enterprise Admins, is not something I would expect to fly in most organizations. Has anyone managed to implement this with a more fine-grained set of permissions? Any help or guidance would be greatly appreciated on this subject!

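As an added check, not from the post or the ServiceNow documentation it quotes, the following PowerShell audits a service account against the requirements listed above: whether CredSSP is configured on the host, whether the account is (directly or through nesting) an Enterprise Admin, and whether it actually holds Enroll on the template. It assumes the ActiveDirectory RSAT module on a domain-joined host; the account and template names are placeholders.

```powershell
# Added least-privilege audit for the account used in automated certificate
# requests. Not from the post or ServiceNow's docs. Assumes the ActiveDirectory
# RSAT module on a domain-joined host; $Account and $TemplateName are
# placeholders to replace with your own values.
param(
    [string]$Account      = 'svc-certreq',   # placeholder sAMAccountName
    [string]$TemplateName = 'WebServer'      # placeholder template CN
)
Import-Module ActiveDirectory

# Well-known GUID of the Certificate-Enrollment extended right.
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Translate an ACE principal to a SID string; $null if it cannot be resolved.
function Get-SidValue($idRef) {
    try { $idRef.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

# 1. CredSSP delegation settings on this host (run on both the MID Server and
#    the CA; needs an elevated shell).
$credssp = Get-WSManCredSSP

# 2. Enterprise Admins is a forest-root group, so resolve it against the root
#    domain and expand nested membership.
$user   = Get-ADUser -Identity $Account
$eaSids = Get-ADGroupMember -Identity 'Enterprise Admins' -Server (Get-ADForest).RootDomain -Recursive |
          Select-Object -ExpandProperty SID
$isEA   = $eaSids.Value -contains $user.SID.Value

# 3. Every group the account belongs to, nesting included (LDAP_MATCHING_RULE_IN_CHAIN),
#    plus the primary group and Authenticated Users, which the member attribute omits.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$sids   = @($user.SID.Value, 'S-1-5-11', (Get-ADGroup 'Domain Users').SID.Value) +
          @($groups | ForEach-Object { $_.SID.Value })

# 4. Allow ACEs on the template that grant Enroll (or GenericAll) to one of those SIDs.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$tplDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
$aces  = (Get-Acl -Path "AD:\$tplDN").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ObjectType -eq $EnrollRight -or $_.ActiveDirectoryRights -match 'GenericAll') -and
    (Get-SidValue $_.IdentityReference) -in $sids
}

[pscustomobject]@{
    Account           = $Account
    EnterpriseAdmin   = $isEA            # a least-privilege account should report False
    CanEnrollTemplate = [bool]$aces
    EnrollGrantedVia  = ($aces | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    CredSSP           = $credssp -join '; '
}
```

The CA's own security descriptor (Manage CA, Issue and Manage Certificates, Request Certificates) is not covered by this script and has to be reviewed on the CA itself.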