Defining PKI Management and Delegation

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

It is important to define a PKI management model early in the process of designing your CA infrastructure. This PKI management model must complement your existing security management delegation plan and help you to meet Common Criteria requirements for role separation. To ensure that a single individual cannot compromise PKI services, it is best to distribute management roles across different individuals in your organization. This involves deciding which individuals are to perform each of the following tasks:

  • Creating or modifying existing CAs

  • Managing certificate templates

  • Issuing cross certificates

  • Issuing or revoking user certificates

  • Configuring and viewing audit logs

You can use discretionary access control lists (DACLs) to manage CA permissions and delegate CA management tasks.

Windows Server 2003 includes the following CA management roles:

  • Service Manager. Configures and manages Certificate Services for local users, assigns certificate managers, and renews CA certificates.

  • Certificate Manager. Issues and revokes certificates.

  • Auditor. Audits the actions of local administrators, service managers, and certificate managers.

The extent to which you separate roles depends on the level of security that you require for a particular service. Assign the fewest possible rights to users in order to achieve the greatest level of security. For example, you can adopt the following rules:

  • No user can assume the roles of both CA Administrator and Certificate Manager.

  • No user can assume the roles of both User Manager and Certificate Manager.

If you need stricter guidelines, you can include the following:

  • No user can assume the roles of both Auditor and Certificate Manager.

To facilitate this delegation process, you need to understand how various PKI administrative roles align with Windows Server 2003 administrative roles. Table 16.1 lists the Windows Server 2003 administrative roles that correspond to each PKI administrative role.

Table 16.1   PKI Administrative Roles and Their Corresponding Windows Server 2003 Administrative Roles

PKI Administrative Role Description Windows Server 2003 Administrative Role

PKI Administrator

Configures, maintains, and renews the CA.


Backup Operator

Performs system backup and recovery.

Backup Operator on the server on which the CA is running

Audit Manager

Configures, views, and maintains audit logs.

Local Administrator on the server on which the CA is running

Key Recovery Manager

Requests retrieval of a private key stored by the service.


Certificate Manager

Approves certificate enrollment and revocation requests.


User Manager

Manages users and their associated information.

Account Operators (or person delegated to create user accounts in Active Directory)


Requests certificates form the CA

Authenticated Users

Table 16.2 lists the actions that each PKI administrative role can perform.

Table 16.2   Actions Performed By PKI Administrative Roles

Action Enrollee CA Admin Certificate Manager Audit Manager Backup Operator Local Server Admin

Install a CA

          Table Bullet

Configure a CA

  Table Bullet       Table Bullet

Policy and exit module configuration

  Table Bullet        

Stop/start service

  Table Bullet       Table Bullet

Change configuration

  Table Bullet        

Assign user roles

  Table Bullet        

Establish user accounts

  Table Bullet       Table Bullet

Maintain user accounts

  Table Bullet       Table Bullet

Configure profiles

  Table Bullet       Table Bullet

Renew CA keys

          Table Bullet

Define key recovery agent(s)

  Table Bullet        

Define officer roles

  Table Bullet        

Enable role separation

  Table Bullet        

Issue/Approve certificates

    Table Bullet      

Deny certificates

    Table Bullet      

Revoke certificates

    Table Bullet      

Unrevoke certificates

    Table Bullet      

Renew certificates

    Table Bullet      

Enable, publish, or configure CRL schedule

  Table Bullet        

Configure audit parameters

      Table Bullet   Table Bullet

Audit logs


Table Bullet

  Table Bullet

Back up system

        Table Bullet Table Bullet

Restore system

        Table Bullet Table Bullet

Read CA properties, CRL

Table Bullet          

Request certificate

Table Bullet          

Read CA database

  Table Bullet Table Bullet Table Bullet Table Bullet  

Read CA configuration information

  Table Bullet Table Bullet Table Bullet Table Bullet  

Read issued, Revoked, pending certificates

  Table Bullet Table Bullet Table Bullet Table Bullet  


  • As you delegate roles and responsibilities, be sure to keep track of the permissions that you configure on certificate directories. Distributing access to a PKI to a number of individuals creates greater security risks.