Requesting a user-specific certificate in a tiered domain
Environment:
- A multi-tiered Active Directory (AD) where tier-specific admin accounts are restricted to log on to only their tier servers.
- Microsoft's Certificate Services (CS).
Let's say the CA tier is A and the admin requesting a Code Signing certificate is in tier C. The Code Signing certificate is a user-specific certificate. Since the admin in tier C is not allowed to log on to tier A, the admin gets an error.
Tiered AD environments have been around for some time, so there should be a way for everyone to request certificates over the domain when given appropriate privileges in the certificate template. I have given Enroll privileges to all of my test admins in all tiers.
Requesting the same certificate in tier A was a success. Also, requesting machine-specific certificates from tier C works fine, since the log on restrictions apply to user accounts only.
The question is then, how would one configure AD and/or CS to allow all admins to request user-specific certificates from CS?
Making exceptions in the "Deny access to this computer from the network" GPO is not an option, since this would invalidate the tiering model.
I just thought that one way would be to set up additional tier-specific CSs, but that is massive overkill just to serve user-specific certificates to lower-tiered accounts. And creating a CS in tier D seems like asking for trouble. Is this a thing?
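An added diagnostic, not part of the original question, that makes the failure mode above visible from both sides: on the tier-A CA host it exports the local user-rights assignment and lists who is denied "Access this computer from the network", and on a tier-C box it attempts the user enrollment as the tier-C admin and reports the result alongside the caller's group memberships. User-context enrollment against a Microsoft CA goes over RPC/DCOM to the CA host, so a network-logon deny on that host is what this check is looking for. The CA config string, template name and group name are assumptions chosen for illustration and must be replaced with the real ones.

```powershell
# Added example (not from the original post). Run with -Mode Ca on the CA host
# as a local administrator, and with -Mode Client on a tier-C machine as the
# tier-C admin who is trying to enroll. All names below are assumptions.
param(
    [ValidateSet('Ca','Client')] [string]$Mode = 'Client',
    [string]$CaConfig  = 'ca01.corp.example\Corp-Issuing-CA',  # assumed "host\CA name"
    [string]$Template  = 'CodeSigning',                       # assumed template name
    [string[]]$DeniedPrincipals = @()                         # paste output of -Mode Ca here
)

function Get-DenyNetworkLogonPrincipals {
    # Exports the local security policy (user rights only) and returns the
    # principals listed under SeDenyNetworkLogonRight, SIDs resolved to names.
    $cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')          # secedit prefixes SIDs with '*'
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($entry)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }                          # already a name, or unresolvable SID
    }
}

function Get-CallerGroups {
    # Group names in the current logon token, from whoami's CSV output.
    whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object { $_.'Group Name' }
}

function Test-UserEnrollment {
    # Get-Certificate (PKI module) enrolls in the caller's user context, which
    # is the path that a network-logon deny on the CA host blocks.
    param([string]$TemplateName)
    try {
        $r = Get-Certificate -Template $TemplateName -CertStoreLocation Cert:\CurrentUser\My -ErrorAction Stop
        [pscustomobject]@{ Status = [string]$r.Status; Thumbprint = $r.Certificate.Thumbprint; Error = $null }
    } catch {
        [pscustomobject]@{ Status = 'Failed'; Thumbprint = $null; Error = $_.Exception.Message }
    }
}

switch ($Mode) {
    'Ca' {
        "Principals denied network logon on $env:COMPUTERNAME:"
        Get-DenyNetworkLogonPrincipals
    }
    'Client' {
        # certutil -ping also talks ICertRequest over RPC, so it fails the same
        # way the enrollment does when the caller cannot log on over the network.
        certutil -config $CaConfig -ping | Out-Null
        "CA RPC ping exit code: $LASTEXITCODE (0 = reachable in this user context)"
        $overlap = Get-CallerGroups | Where-Object { $DeniedPrincipals -contains $_ }
        if ($overlap) { "Caller is in a group denied network logon on the CA host: $($overlap -join ', ')" }
        Test-UserEnrollment -TemplateName $Template | Format-List
    }
}
```

Running the CA half first and feeding its output to `-DeniedPrincipals` on the client ties the enrollment failure directly to the tiering policy rather than to a template or permission problem; if the overlap list is empty and the RPC ping succeeds, the cause is somewhere else (template ACL, CA policy module, autoenrollment settings) and the tiering model is not what is blocking the request.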