Enforcing Common Criteria Role Separation

Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, allow you to enforce Common Criteria role separation. By enforcing role separation, Certificate Services blocks any user account assigned two or more Common Criteria roles from all Certificate Services management activities.

For example, if a user is assigned both the CA administrator and certificate manager roles, the user cannot perform the tasks defined for either role. If a user is assigned multiple roles, the user is blocked from backing up the CA database, key pair, and logs when using any of the backup tools.

To enforce Common Criteria role separation, a local administrator of the computer must configure the RoleSeparationEnabled registry entry. This is done with the following procedure:

1. Type the following command at a Command Prompt: certutil -setreg CA\RoleSeparationEnabled 1

2. Restart Certificate Services.

If any users are assigned two or more roles, their administrative activities are blocked immediately.

Tip If you accidentally assign yourself two or more Common Criteria roles—thereby blocking yourself from PKI management tasks—a local oper ating system administrator must disable Common Criteria role separation by typing certutil -delreg CA\RoleSeparationEnabled and restart Certifi cate Services. With role separation disabled, a CA administrator or local administrator must fix the role assignments and re-enable Common Criteria role separation.

Role Separation and CA Certificate Renewal

The one scenario where role separation hinders PKI management activities is the case of CA certificate renewal. When a CA certificate is renewed, a user might have to hold different roles. The user:

■ Must be a CA administrator to publish an updated CRL.

■ Must be a local administrator to renew the CA certificate.

■ Must be a member of the local Administrators group to access the Local Machine store of a software-based cryptographic service provider (CSP), such as the Microsoft Strong Cryptographic Service Provider v1.0. Only members of the local Administrators group have the neces sary permissions to add or remove certificates from the Local Machine store.

■ Must be a member of the ForestRootDomain\Domain Admins or Enter prise Admins group to allow creation of the CDP and CA certificate objects within the Configuration Naming context.

■ A new CDP object is created in the CN=CAName,CN=CDP, CN=Pub lic Key Services,CN=Services,CN=Configuration, ForestRootDomain (where CAName is the NetBIOS name of the CA computer and ForestRootDomain is the LDAP distinguished name of the forest) container.

■ A new CA certificate object is created in the AIA container (CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration, ForestRootDomain).

■ A new CA certificate object is added to the NTAuth store (CN=NTAuthCertificates,CN=Public Key Services,CN=Services, CN=Configuration, ForestRootDomain).

■ If the CA is an enterprise CA, a new CA certificate object is created in the Enrollment Services container (CN=Enrollment Services, CN=Public Key Services,CN=Services,CN=Configuration, ForestRootDomain).

■ If the CA is an enterprise root CA, a new CA certificate object is cre ated in the Certification Authorities container (CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration, ForestRootDomain).

To accomplish the task of CA certificate renewal, temporarily disabling role separation during the CA certificate renewal process is recommended. Ensure that the account that performs the CA certificate renewal is a mem ber of the Enterprise Admins group, a member of the local Administrators group, and assigned the Manage CA permissions. Once the CA certificate renewal process is completed, role separation should be enforced.

Was this article helpful?

+1 0


  • lauri
    When role separation is enabled certman account does not work properly?
    1 year ago
  • winta
    What happens when role separation enabled with single cmd pki?
    4 months ago

Post a comment