Q: How can I implement the public key infrastructure (PKI) management roles that are defined in the Common Criteria Certificate Issuing and Management Components Security Level 4 standard?

A: The Common Criteria Certificate Issuing and Management Components (CIMC) standard defines requirements for the management of X.509 certificates. It defines four different protection levels, with Security Level 4 being the highest. You can find the latest version (currently version 1.5) of the CIMC standard on the Common Criteria website. To align with the CIMC Security Level 4, the Microsoft PKI software supports the following four PKI management roles: CA administrator, certificate manager, auditor, and backup operator.

To assign the CA administrator or certificate manager role to a Windows user account, you must change permissions at the level of the CA object. For the CA administrator role, you must give the user account the Manage CA permission. For the certificate manager role, you must give the Issue and Manage Certificates permission. To grant these permissions, open the Microsoft Management Console (MMC) Certification Authority snap-in, right-click the <CA_name> container in the left pane, and select Properties. Then, on the Security tab, you can add the user account and assign it the Manage CA or Issue and Manage Certificates permission.

To assign the auditor role, you must give a Windows user account the Manage Auditing and Security Log user right. To do so, on the Certification Authority (CA) server, open the MMC Group Policy Object Editor snap-in and load the Local Computer Policy. Expand the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment container and assign the Manage auditing and security log user right to the user account. Similarly, to assign an account the backup operator role, you must give the user the Back up files and directories and Restore files and directories user rights from the Group Policy Object Editor.

For a detailed overview of what exact CA management actions are linked to each of these four roles, refer to the Microsoft article "Implement Role-Based Administration."
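The following PowerShell script is an added example, not part of the original answer or of any Microsoft tool: run as an administrator on the CA server, it reports whether role separation enforcement is switched on, decodes the CA object's security descriptor to show which accounts hold the Manage CA and Issue and Manage Certificates permissions (flagging any single account that holds both), and lists who holds the auditor and backup operator user rights in the local policy. It assumes the CA configuration lives under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration with the Active, RoleSeparationEnabled and Security values, and uses the access-mask bits 0x1 (Manage CA) and 0x2 (Issue and Manage Certificates) from certsrv.h.

```powershell
# Added example: audit a Windows CA against the four CIMC Level 4 roles.
# Assumed registry layout: ...\CertSvc\Configuration holds "Active" (CA name);
# the CA's own key holds "RoleSeparationEnabled" (DWORD) and "Security" (binary SD).
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfg).Active
$caKey  = Join-Path $cfg $caName

function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$sid) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# 1. Is enforcement on? (enable with: certutil -setreg CA\RoleSeparationEnabled 1)
$rse = (Get-ItemProperty $caKey -Name RoleSeparationEnabled -ErrorAction SilentlyContinue).RoleSeparationEnabled
"RoleSeparationEnabled: $(if ($rse -eq 1) { 'yes' } else { 'NO (enforcement not configured)' })"

# 2. Decode the CA object's DACL. Mask bits from certsrv.h:
#    0x1 = Manage CA (CA administrator), 0x2 = Issue and Manage Certificates (certificate manager)
$bytes = (Get-ItemProperty $caKey -Name Security).Security
$sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -ne 'AccessAllowed') { continue }
    $who   = Resolve-Sid $ace.SecurityIdentifier
    $roles = @()
    if ($ace.AccessMask -band 0x1) { $roles += 'CA administrator' }
    if ($ace.AccessMask -band 0x2) { $roles += 'certificate manager' }
    if ($roles.Count -eq 2) {
        # A direct grant of both rights to one principal defeats role separation.
        # Note: a user who is a member of two separately granted groups is not
        # caught here; Windows evaluates effective membership at run time.
        Write-Warning "$who holds BOTH Manage CA and Issue and Manage Certificates"
    } elseif ($roles) { "$who : $($roles -join ', ')" }
}

# 3. Auditor and backup operator roles come from user rights in the local policy.
$rights = @{ SeSecurityPrivilege = 'auditor (Manage auditing and security log)'
             SeBackupPrivilege   = 'backup operator (Back up files and directories)'
             SeRestorePrivilege  = 'backup operator (Restore files and directories)' }
$tmp = Join-Path $env:TEMP 'ca-user-rights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
foreach ($line in Get-Content $tmp) {
    if ($line -match '^(Se\w+Privilege)\s*=\s*(.+)$' -and $rights.ContainsKey($Matches[1])) {
        # secedit writes SIDs prefixed with '*'; plain names are left as-is.
        $names = $Matches[2].Split(',') | ForEach-Object {
            $s = $_.Trim().TrimStart('*')
            try { Resolve-Sid (New-Object System.Security.Principal.SecurityIdentifier($s)) } catch { $s }
        }
        "$($rights[$Matches[1]]): $($names -join ', ')"
    }
}
Remove-Item $tmp -ErrorAction SilentlyContinue
```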
