Setting Microsoft ADCS Template Permissions

To issue certificates from your Microsoft CA via Certdog, the correct user permissions must be set on the certificate template.

Common practice is for a group to have the Enroll permission on a template and for a service account to be a member of this group. The service account can be created specifically for Certdog’s use, but stand-alone accounts may also be created for this purpose.

However you manage your groups and user accounts, the requirement is that an account have the enroll permission on the template (directly or indirectly via group membership), and this can be configured as follows:

Open the Certificate Authority snap-in:

Select the Certificate Templates node, right-click and choose Manage

Right-click the template you wish to issue certificates from and select Properties

Select the Security tab and ensure that either the user/service account or the group that the account is a member of has the Enroll permission set. In this example configuration, the PKI_CERT_ISSUERS group has the required permission, and a service account (svc-certdog-ca) is a member of this group.

Click OK

If this template is not already configured on the CA for issuance, perform the following:

Back on the Certificate Authority snap-in, right-click the Certificate Templates node and select New > Certificate Template to Issue

Select the template and click OK

The account that has permissions on this template can now be configured as a Credential within Certdog and selected when configuring a Microsoft CA Certificate Issuer.
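
The Enroll permission set on the Security tab can also be checked from PowerShell. The script below is an added example, not part of Certdog or its documentation: it reads the template's ACL from Active Directory and reports which principals hold Enroll and whether the service account is covered directly or via group membership. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the template name CertdogTemplate is a hypothetical placeholder, while svc-certdog-ca is the account used in the example on this page.

```powershell
# Added example: list every principal with Enroll on a template and show
# whether the Certdog service account is covered, directly or via a group.
Import-Module ActiveDirectory            # RSAT ActiveDirectory module

$TemplateName = 'CertdogTemplate'        # hypothetical template CN, replace with yours
$AccountName  = 'svc-certdog-ca'         # service account from the example on this page

$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AnyRight    = [guid]::Empty                                 # ACE covers all extended rights
$Extended    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates live in the forest-wide Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template = Get-ADObject -Identity $dn -Properties nTSecurityDescriptor

# SIDs that apply to the account: itself, its primary group, and all groups
# reached through nested membership (LDAP_MATCHING_RULE_IN_CHAIN).
$user = Get-ADUser -Identity $AccountName -Properties primaryGroupID
$sids = @($user.SID.Value, "$($user.SID.AccountDomainSid)-$($user.primaryGroupID)")
$sids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    ForEach-Object { $_.SID.Value }
$sids += 'S-1-5-11'                      # Authenticated Users applies to every account

$sidType = [System.Security.Principal.SecurityIdentifier]
$rules = $template.nTSecurityDescriptor.GetAccessRules($true, $true, $sidType)

# Keep Allow ACEs that grant Enroll (Deny ACEs are not evaluated here).
$report = foreach ($ace in $rules) {
    $isExtended = (([int]$ace.ActiveDirectoryRights) -band $Extended) -ne 0
    if ($ace.AccessControlType -ne 'Allow' -or -not $isExtended) { continue }
    if ($ace.ObjectType -ne $EnrollRight -and $ace.ObjectType -ne $AnyRight) { continue }

    $sid  = $ace.IdentityReference.Value
    $name = $sid                         # fall back to the SID if it cannot be resolved
    try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    [pscustomobject]@{
        Principal     = $name
        CoversAccount = $sids -contains $sid
        Inherited     = $ace.IsInherited
    }
}

$report | Sort-Object Principal -Unique | Format-Table -AutoSize
if (-not ($report | Where-Object CoversAccount)) {
    Write-Warning "$AccountName has no Enroll permission on $TemplateName"
}
```

Rows with CoversAccount set to True are the entries through which the service account receives Enroll; the remaining rows are other principals that can enroll from the same template and are worth reviewing.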