Versions 6.01 and above.
What rights do I need to grant a user so they will be able to renew, or revoke, certificates? Can a non-master admin renew certificates? Can the same rights be used to modify the server type of an application on the same certificate?
You do not have to be a master admin to renew, or revoke, certificates. To renew a certificate, you need to grant your non-master admin user View, Read and Write rights to the policy tree. To do this, follow these steps:
- Log in with your master admin account using the WinAdmin user interface.
- Navigate to the policy tree, and click on the root of it.
- Click on the General tab, and then the rights tab.
- Using the green 'Add' button, browse to your non-admin user, and select it.
- For Active Directory (AD) users, you'll need to use a filter to ask Certificate Manager to search the AD tree, or forest, for the user/group you want to grant rights to. Ensure you are logged in with the AD master admin account to do this, and not with your local master admin account.
- Here's a screenshot to show the filter results. I've filtered on the text "admin".
- After you have selected the user, click on the View and Write rights (the Read right gets added as soon as you select the Write right).
- The below screenshot shows the username of "username1" being assigned the correct rights.
For more details on what rights are needed for specific tasks, see chapter two of the "Director administration guide".