Security around automated certificate management/request
01-26-2024 11:37 AM
Looking for information regarding the security requirements for implementing automated certificate management, particularly the permissions required for the account used in the automated certificate request workflow:
The Microsoft Gateway user needs the following permissions:
- CredSSP needs to be configured on the CA and MID Server.
- The User should be part of Enterprise Admins.
- The User should be in the Security Group of the Template used.
- The User should have Read, Issue and Manage Certificates, Manage CA, and Request Certificates Permission in the CA.
We are most concerned with the first two bullet points (especially the second). Granting these permissions, especially Enterprise Admins, is not something I would expect to fly in most organizations. Has anyone managed to implement this with a more fine-grained set of permissions? Any help or guidance would be greatly appreciated on this subject!
Wednesday
I am not sure if you figured this out by now, but here is what I did as far as service account permissions to get the automated certificate request to work with my Microsoft CA.
Please note I only have this working in non-prod at the moment, so it is possible there are challenges I have not yet run into.
I did not have to give the service account Enterprise Admin access.
- I created a standard AD account to use as a service account with no special AD permissions
- I made this account an admin on my Microsoft CA server
- I gave this account Read, Enroll, and Autoenroll permission on the template I am using to issue certs
- I did need to change a group policy setting on the MID and CA servers
MID server:
- Gpedit > Computer Config > Admin Templates > System > Credentials Delegation
- Allow Delegating fresh credentials - Enabled, and added these values:
  - wsman/*.domain
  - wsman/*
  - wsman/IP of Microsoft CA server
  - wsman/Name of Microsoft CA server
- Added the same entries to the GP setting "Allow delegating fresh credentials with NTLM-only server authentication"
CA server:
- Gpedit > Computer Config > Admin Templates > System > Credentials Delegation
- Allow Delegating fresh credentials - Enabled, and added these values:
  - wsman/*.domain
  - wsman/*
  - wsman/IP of MID server
  - wsman/Name of MID server
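As an added example (not from either post above), this PowerShell script audits the CredSSP "fresh credentials" delegation lists that the GPO settings in the reply write to the local policy registry key, and flags wildcard entries such as wsman/* that allow the MID or CA server to forward the service account's full credentials to any matching host. It assumes the settings were applied via Group Policy or gpedit (which populate HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation), and the CA hostname in the final comment is a placeholder.

```powershell
# Added example: audit CredSSP fresh-credential delegation targets on a MID or CA server.
# Assumes the policy was applied through Group Policy / gpedit, which stores the lists
# under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-FreshCredentialDelegation {
    # Returns one object per delegation target from both policy lists.
    foreach ($list in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        # DWORD at the root records whether the setting itself is Enabled (1).
        $enabled = (Get-ItemProperty -Path $PolicyRoot -Name $list -ErrorAction SilentlyContinue).$list
        $subKey  = Join-Path $PolicyRoot $list
        if (-not (Test-Path $subKey)) { continue }
        $props = Get-ItemProperty -Path $subKey
        # The target list is stored as numbered string values: "1"="wsman/host", "2"="wsman/*", ...
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -match '^\d+$' })) {
            $spn = $props.$name
            [pscustomobject]@{
                Policy     = $list
                Enabled    = ($enabled -eq 1)
                Target     = $spn
                # wsman/* or wsman/*.domain delegates the plaintext credential to any
                # host matching the pattern, so treat it as a finding to tighten.
                IsWildcard = ($spn -match '\*')
                NTLMOnly   = ($list -eq 'AllowFreshCredentialsWhenNTLMOnly')
            }
        }
    }
}

# Report: explicit CA/MID hostnames pass, wildcard and NTLM-only entries stand out.
Get-FreshCredentialDelegation |
    Sort-Object Policy, Target |
    Format-Table Policy, Enabled, Target, IsWildcard, NTLMOnly -AutoSize

# Tighter alternative to the wildcard entries (ca01.corp.example is a placeholder):
#   Enable-WSManCredSSP -Role Client -DelegateComputer 'ca01.corp.example' -Force
# registers only that one SPN instead of wsman/*.
```

Run it elevated on both the MID server and the CA server, since the reply configures delegation in both directions.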