Hello
We need to add a new RA into the mix of our environment (an AirWatch RA). The default documentation states to give the RA the 'Issue and Manage Certificates' role on the CA; however, this would also give the RA the revoke right too.
You can revoke based on Serial Number only (rather than Template Name and Serial Number), therefore the RA could revoke a cert it did not issue (e.g. we give the RA rights to a specific template only for issuing) from another template (as I believe the template name used to create the certificate in the first instance is not relevant when it comes to revoking a certificate).
If my statement above is correct, is there a workaround to stop the RA revoking certs it did not issue (via a given template, for example), or is this an option MS is thinking about adding to AD CS?
Thanks All
Ernie