Q: How can I implement the public key infrastructure (PKI) management roles that are defined in the Common Criteria Certificate Issuing and Management Components Security Level 4 standard?

Microsoft software supports 4 public key infrastructure (PKI) management roles, which you can implement through the Microsoft Management Console.

Jan De Clercq

February 27, 2012


A: The Common Criteria Certificate Issuing and Management Components (CIMC) standard defines requirements for the management of X.509 certificates. It defines four different protection levels, with Security Level 4 being the highest. You can find the latest version (currently version 1.5) of the CIMC standard on the Common Criteria website. To align with CIMC Security Level 4, the Microsoft PKI software supports the following four PKI management roles: CA administrator, certificate manager, auditor, and backup operator.

To assign the CA administrator or certificate manager role to a Windows user account, you must change permissions on the CA object itself. For the CA administrator role, you must give the user account the Manage CA permission. For the certificate manager role, you must give the Issue and Manage Certificates permission. To grant these permissions, open the Microsoft Management Console (MMC) Certification Authority snap-in, right-click the CA container in the left pane, and select Properties. Then, on the Security tab, add the user account and assign it the Manage CA or Issue and Manage Certificates permission.

To assign the auditor role, you must give a Windows user account the Manage auditing and security log user right. To do so, on the Certification Authority (CA) server, open the MMC Group Policy Object Editor snap-in and load the Local Computer Policy. Expand the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment container and assign the Manage auditing and security log user right to the user account. Similarly, to assign an account the backup operator role, you must give the user the Back up files and directories and Restore files and directories user rights from the same Group Policy Object Editor container.
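Once the permissions and user rights above have been assigned, a practitioner will want to verify that the four roles are really held by distinct accounts, because CIMC role separation depends on that. The following PowerShell script is an added example, not part of the original article or of Microsoft's own tooling: it reads the CA object's security descriptor through the ICertAdmin2 COM interface (the Manage CA and Issue and Manage Certificates permission bits, 0x1 and 0x2, are taken from certadm.h), exports the local user-rights assignment with secedit to find who holds the auditor and backup operator rights, and warns about any principal that holds more than one role. It assumes it is run elevated on the CA server and that the active CA name is stored under the CertSvc\Configuration registry key.

```powershell
# Added example (not from the original article): enumerate which accounts hold each of the
# four CIMC-aligned CA management roles on the local CA and flag accounts holding several.
# Assumptions: run elevated on the CA server; the active CA name is the "Active" value under
# HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration; CA access-mask bits are as in certadm.h.
#Requires -RunAsAdministrator

# CA object permission bits (certadm.h): Manage CA = CA administrator,
# Issue and Manage Certificates = certificate manager.
$CA_ACCESS_ADMIN   = 0x1
$CA_ACCESS_OFFICER = 0x2

function Resolve-Principal {
    # Turn a SID into DOMAIN\name where possible; keep the raw value for deleted/unknown accounts.
    param([string]$Identity)
    try {
        if ($Identity -match '^S-1-') {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $Identity
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        return $Identity
    } catch { return $Identity }
}

function Get-CaObjectRoles {
    # Roles granted on the CA object itself (the Security tab of the Certification Authority snap-in).
    $caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
    $config = "$env:COMPUTERNAME\$caName"
    $admin  = New-Object -ComObject CertificateAuthority.Admin      # ICertAdmin2
    $sddl   = $admin.GetCASecurity($config)                          # security descriptor as SDDL
    $sd     = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }           # deny ACEs do not grant a role
        $who = Resolve-Principal $ace.SecurityIdentifier.Value
        if ($ace.AccessMask -band $CA_ACCESS_ADMIN) {
            [pscustomobject]@{ Role = 'CA administrator'; Principal = $who }
        }
        if ($ace.AccessMask -band $CA_ACCESS_OFFICER) {
            [pscustomobject]@{ Role = 'Certificate manager'; Principal = $who }
        }
    }
}

function Get-UserRightRoles {
    # Roles granted through User Rights Assignment: export the local policy and read [Privilege Rights].
    $tmp = Join-Path $env:TEMP 'ca-user-rights.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $map = @{
        'SeSecurityPrivilege' = 'Auditor'            # Manage auditing and security log
        'SeBackupPrivilege'   = 'Backup operator'    # Back up files and directories
        'SeRestorePrivilege'  = 'Backup operator'    # Restore files and directories
    }
    foreach ($line in Get-Content $tmp) {
        if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$' -and $map.ContainsKey($Matches[1])) {
            $role = $map[$Matches[1]]
            foreach ($id in ($Matches[2] -split ',')) {
                # secedit writes SIDs prefixed with '*'; names appear as-is
                [pscustomobject]@{ Role = $role; Principal = Resolve-Principal ($id.Trim().TrimStart('*')) }
            }
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

$roles = @(Get-CaObjectRoles) + @(Get-UserRightRoles)
$roles | Sort-Object Role, Principal -Unique | Format-Table -AutoSize

# Role separation check: each principal should hold exactly one of the four roles.
$roles | Group-Object Principal |
    Where-Object { @($_.Group.Role | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $held = ($_.Group.Role | Select-Object -Unique) -join '; '
        Write-Warning "$($_.Name) holds multiple CA roles: $held"
    }
```

Running this before and after the permission changes gives a record of who holds which role. Members of the local Administrators group typically appear in several roles by default, which is exactly the overlap that role-based administration is meant to remove; the Microsoft article referenced below also describes how to have the CA itself enforce the separation once the accounts are cleanly split.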

For a detailed overview of exactly which CA management actions are linked to each of these four roles, refer to the Microsoft article "Implement Role-Based Administration."
