Solved

user permissions and digital certificates

Posted on 2004-11-18
Last Modified: 2013-12-04
I need to issue a code signing certificate to a user who does not have admin rights on our network. However, when I open the Certificates MMC and request the new certificate, the only options it gives me are Basic EFS and User.
Is there a way of giving this person rights to the certificates without giving them admin rights?

Any help would be much appreciated.

TJ
0
Question by:Toby_J
 
LVL 5

Expert Comment

by:swinterborn
ID: 12640353
I am assuming you have admin rights to the CA and AD.

First, ensure that the CA is configured with the code signing template.
Open the Certification Authority MMC, expand the CA, and select Certificate Templates.
If the Code Signing template is not present, right-click and select New/Certificate Template to Issue.

Second, in AD Sites and Services, give the user permission to use the code signing template - best practice would be to create a group for users who can sign code, put the group on the DACL, and add the user to the group.
The template is at Services/Public Key Services/Certificate Templates/CodeSigning

HTH
0
 

Author Comment

by:Toby_J
ID: 12646012
The code signing template is there, as I've issued one to myself to test this; however, when I go into Active Directory I am unable to locate Services\Public Key Services\Certificate Templates\Codesigning. It may just be me but I've spent a good while searching through and it doesn't seem to be there.
0
 
LVL 5

Expert Comment

by:swinterborn
ID: 12647265
Do you have multiple CAs on the network? Sounds like your code signing CA is a standalone CA - the Certificates MMC retrieves the list of possible templates by parsing the Certificate Templates object in AD, so it can only ever request a cert from an Enterprise CA.
0
 

Author Comment

by:Toby_J
ID: 12652523
I set it up as an Enterprise and Stand-alone CA as I only have the one and it is only intended to issue certificates to a small number of users within our network.
0
 
LVL 5

Expert Comment

by:swinterborn
ID: 12654543
It is either enterprise or stand-alone - it can't be both.
0
 

Author Comment

by:Toby_J
ID: 12654668
In that case it is enterprise; the only reason I thought stand-alone is that I looked at the policy module in the properties of the cert admin.
I basically followed Microsoft's instructions for setting up a CA. As I say, it is the only one on the network and it only issues certs to authenticated users on our domain.
0
 
LVL 5

Expert Comment

by:swinterborn
ID: 12655838
Not quite sure what's happening here, some things you can check:
If the user requests an ordinary user certificate using the certificates mmc, what happens?
If there's an error, what is it? If there isn't, check the CA MMC and verify a cert has been issued, etc.

You say the template isn't in AD, what part of the tree have you been able to find?
Are you on 2k or 2003 server?
0
 

Author Comment

by:Toby_J
ID: 12663837
When the user requests an ordinary user cert it is issued and installed fine. We're on Win2K Server and in AD I can view Computer Configuration\Windows Settings\Security Settings\Public Key Policies\
User Configuration\Windows Settings\Security Settings\Public Key Policies\
http://support.microsoft.com/?kbid=256345 says to look in Computer Configuration\Windows Settings\Security Settings\System Services but again I can't see the Certificate Templates.
0
 

Author Comment

by:Toby_J
ID: 12664393
After reading through http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm I realised that the Certificates template is not shown, and after reading up on the net I found that I need to register Certtmpl.dll for the certificate template to show up in the MMC; however, I have been unable to get hold of this DLL.
Am I on the right track and can you help me with this DLL?

Thanks for your help so far, much appreciated.
0
 
LVL 5

Accepted Solution

by:
swinterborn earned 2000 total points
ID: 12674259
Wrong track I'm afraid. To view or set the permissions on the template, you don't look in the GPO.
Open AD Sites and Services, on the view menu, select Show Services Node. Now drill down to Services/Public Key Services/Certificate Templates/CodeSigning.

If you can't find the codesigning template, what part of the tree in Sites and Services can you see?
0
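
Once a group has been put on the template's DACL as the answers describe, the result can be checked without clicking through AD Sites and Services. The following read-only script is an added example, not part of the original thread; it assumes PowerShell on a domain-joined machine (newer than the Windows 2000 environment discussed here) and the template name `CodeSigning` as given above. It lists every principal that holds an Enroll or AutoEnroll right on the template, which is the list to keep short for a code signing certificate.

```powershell
# Added example: audit who may enroll for the CodeSigning template.
# Read-only. Assumes the caller can read the forest's Configuration partition.
$ErrorActionPreference = 'Stop'

# Extended-right GUIDs defined in the AD schema
# (Certificate-Enrollment and Certificate-AutoEnrollment).
# An empty ObjectType GUID means the ACE covers every extended right.
$rightNames = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'AutoEnroll'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

$templateCn = 'CodeSigning'   # template name as used in the thread
$configNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn = "CN=$templateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template = [ADSI]"LDAP://$dn"

# Read the DACL, including inherited ACEs, with principals resolved to names.
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rules = $template.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$rules |
    Where-Object {
        # Keep ACEs that carry the ExtendedRight bit (GenericAll includes it)
        # and target Enroll, AutoEnroll, or all extended rights.
        ($_.ActiveDirectoryRights -band $extended) -and
        $rightNames.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object @{n='Principal'; e={$_.IdentityReference.Value}},
                  @{n='Access';    e={$_.AccessControlType}},
                  @{n='Right';     e={$rightNames[$_.ObjectType.ToString()]}},
                  @{n='Inherited'; e={$_.IsInherited}} |
    Sort-Object Right, Principal |
    Format-Table -AutoSize
```

Broad principals such as Authenticated Users or Domain Users showing up with Allow/Enroll mean any domain account can obtain a code signing certificate; the dedicated signing group suggested earlier in the thread should be the only non-administrative entry.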
 

Author Comment

by:Toby_J
ID: 12674715
You are spot on, if I could give you more points I would.

Thanks for your help.
0
