user permissions and digital certificates

I need to issue a code signing certificate to a user who does not have admin rights on our network. However, when I open the Certificates MMC and request the new certificate, the only options it gives me are Basic EFS and User.
Is there a way of giving this person rights to the certificates without giving them admin rights?

Any help would be much appreciated.

TJ
Toby_J Asked:

swinterborn Commented:
I am assuming you have admin rights to the CA and AD.

First, ensure that the CA is configured with the code signing template.
Open the Certification Authority MMC, expand the CA, and select Certificate Templates.
If the Code Signing template is not present, right-click and select New / Certificate Template to Issue.

Second, in AD Sites and Services, give the user permission to use the code signing template - best practice would be to create a group for users who can sign code, put the group on the DACL, and add the user to the group.
The template is at Services/Public Key Services/Certificate Templates/CodeSigning

HTH
0
Toby_J (Author) Commented:
The code signing template is there, as I've issued one to myself to test this; however, when I go into Active Directory I am unable to locate Services\Public Key Services\Certificate Templates\Codesigning. It may just be me, but I've spent a good while searching through and it doesn't seem to be there.
0
swinterborn Commented:
Do you have multiple CAs on the network? Sounds like your code signing CA is a standalone CA - the Certificates MMC retrieves the list of possible templates by parsing the Certificate Templates object in AD, so it can only ever request a cert from an Enterprise CA.
0

Toby_J (Author) Commented:
I set it up as an Enterprise and Stand-alone CA as I only have the one and it is only intended to issue certificates to a small number of users within our network.
0
swinterborn Commented:
It is either enterprise or stand-alone - it can't be both.
0
Toby_J (Author) Commented:
In that case it is enterprise; the only reason I thought stand-alone is that I looked at the policy module in the properties of the cert admin.
I basically followed Microsoft's instructions for setting up a CA. As I say, it is the only one on the network and it only issues certs to authenticated users on our domain.
0
swinterborn Commented:
Not quite sure what's happening here. Some things you can check:
If the user requests an ordinary user certificate using the Certificates MMC, what happens?
If there's an error, what is it? If there isn't, check the CA MMC and verify a cert has been issued, etc.

You say the template isn't in AD, what part of the tree have you been able to find?
Are you on 2k or 2003 server?
0
Toby_J (Author) Commented:
When the user requests an ordinary user cert it is issued and installed fine. We're on Win2K server and in AD I can view:
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\
User Configuration\Windows Settings\Security Settings\Public Key Policies\
http://support.microsoft.com/?kbid=256345 says to look in Computer Configuration\Windows Settings\Security Settings\System Services, but again I can't see the Certificate Templates.
0
Toby_J (Author) Commented:
After reading through http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm I realised that the Certificates template is not shown, and after reading up on the net I found that I need to register Certtmpl.dll for the certificate template to show up in the MMC; however, I have been unable to get hold of this DLL.
Am I on the right track, and can you help me with this DLL?

Thanks for your help so far, much appreciated.
0
swinterborn Commented:
Wrong track, I'm afraid. To view or set the permissions on the template, you don't look in the GPO.
Open AD Sites and Services, on the view menu, select Show Services Node. Now drill down to Services/Public Key Services/Certificate Templates/CodeSigning.

If you can't find the codesigning template, what part of the tree in Sites and Services can you see?
0
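The DACL check described in the answer above, scripted as an added example (not part of the original thread): it reads the template object from the AD configuration partition and lists which principals hold Read and Enroll, the two permissions a user needs to request a certificate from a template. It assumes a domain-joined machine with Windows PowerShell and an account that can read the Configuration partition; the parameter name `TemplateCN` is illustrative.

```powershell
# Added example: audit who can Read/Enroll on a certificate template.
# Assumption: the template's CN is "CodeSigning", as given in the answer.
param([string]$TemplateCN = 'CodeSigning')

# Well-known GUID of the Certificate-Enrollment ("Enroll") extended right.
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$Rights      = [System.DirectoryServices.ActiveDirectoryRights]

# Locate the configuration partition, then the template under
# Services / Public Key Services / Certificate Templates.
$root     = [ADSI]'LDAP://RootDSE'
$configNC = $root.psbase.Properties['configurationNamingContext'].Value
$dn       = "CN=$TemplateCN,CN=Certificate Templates," +
            "CN=Public Key Services,CN=Services,$configNC"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
    throw "Template object not found: $dn"
}
$template = [ADSI]"LDAP://$dn"

# Explicit and inherited ACEs, with SIDs translated to account names.
$rules = $template.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$rules | ForEach-Object {
    # Enroll = ExtendedRight scoped to the Enroll GUID, or to all
    # extended rights (empty ObjectType, e.g. Full Control).
    $hasExtended = ($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0
    $scoped      = ($_.ObjectType -eq $EnrollRight) -or
                   ($_.ObjectType -eq [guid]::Empty)
    $hasRead     = ($_.ActiveDirectoryRights -band $Rights::GenericRead) -eq
                   $Rights::GenericRead

    New-Object PSObject -Property @{
        Identity  = $_.IdentityReference.Value
        Type      = $_.AccessControlType     # Allow or Deny
        Read      = $hasRead
        Enroll    = ($hasExtended -and $scoped)
        Inherited = $_.IsInherited
    }
} | Sort-Object Identity |
    Format-Table Identity, Type, Read, Enroll, Inherited -AutoSize
```

A code-signing group set up as the first answer recommends should appear with Type Allow and both Read and Enroll true; broad principals such as Authenticated Users showing Enroll on this template are worth reviewing.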

Toby_J (Author) Commented:
You are spot on; if I could give you more points I would.

Thanks for your help.
0