
MS CAs: Applying Principle of Least Privilege to scheduled tasks


I've tried to search for this, but am surprised nothing relevant came up. My apologies if this is an FAQ (I would guess it would be).

There seem to be at least a few regular tasks that need to be performed for online issuing CAs which scream to be automated via a Scheduled Task.

1) Backing up the CA DB.

2) Publishing new CRLs to appropriate CDP locations for an enterprise CA (which has LDAP locations in the active directory)

3) Publishing new CRLs simply to a local directory on the CA for a standalone issuing CA (i.e., not a member of the domain).

I am assuming 1) is accomplished via certutil -backupdb as a scheduled task, and the identity it needs to run as needs to be a member of the Backup Operators group. Is there a smaller set of permissions than that (like "only allowed to back up CAs" or the like)?

2) is the more distressing in my current configuration: the task is currently running as a domain admin. What are the minimum permissions and/or group membership required for publishing CRLs via certutil -crl? The identity needs access to write into AD, right?

3) What is required to simply run certutil -crl where the only location to publish to is C:\Windows\Certsrv\certenroll? I have a separate script that copies out to an http url.

If it matters, all servers are 2012.

Thanks in advance for your help -
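The following is an added example, not part of the original post and not Microsoft's own tooling: it registers the two jobs described above (CA DB backup, CRL publication) as scheduled tasks under a dedicated service account rather than a domain admin, and then checks what the tasks actually run as. The account name CORP\svc-ca-tasks, the backup root D:\CABackup and the task names are hypothetical. The example assumes the account has been granted "Manage CA" on the CA (certsrv.msc, CA properties, Security tab) and is a member of the local Backup Operators group; it relies on the fact that certutil -crl only asks the running CA service to publish, and the CA service writes the CRL to the LDAP CDP and to CertEnroll under its own identity, so the task account itself needs no write access to AD.

```powershell
# Added example (not from the original post): CA DB backup and CRL publication as scheduled
# tasks under a dedicated, non-admin service account. All names are hypothetical.
# Assumptions:
#   - $Account holds "Manage CA" on this CA: certutil -crl is a request to the CA service, which
#     then publishes to every configured CDP (LDAP for an enterprise CA, or just the local
#     CertEnroll folder for a standalone CA) under the service's own identity;
#   - $Account is in the local Backup Operators group so certutil -backupdb gets SeBackupPrivilege;
#     the backup task is registered with RunLevel Highest so the privilege is not UAC-filtered
#     out of the task's token.
# Run from an elevated PowerShell on the CA (Windows Server 2012 or later).

$Account    = 'CORP\svc-ca-tasks'   # hypothetical service account: NOT in Domain Admins or Administrators
$BackupRoot = 'D:\CABackup'         # hypothetical backup root; restrict its NTFS ACL to this account + Administrators

# A Password-type task logon needs the clear-text password at registration time; keep it in memory only.
$cred  = Get-Credential -UserName $Account -Message 'Password for the CA task account'
$plain = $cred.GetNetworkCredential().Password

# Shared task settings: hard time limit, catch up a missed run, never overlap with a running instance.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -StartWhenAvailable -MultipleInstances IgnoreNew

# --- Task 1: nightly CA database backup ----------------------------------------------------
# Each run writes into a fresh timestamped subfolder so it never collides with an earlier
# backup. Backtick-escaped $d and $LASTEXITCODE are evaluated inside the task, not here.
$backupScript = "`$d = Join-Path '$BackupRoot' (Get-Date -Format 'yyyyMMdd-HHmm'); " +
                "New-Item -ItemType Directory -Force -Path `$d | Out-Null; " +
                "certutil.exe -backupdb `$d; exit `$LASTEXITCODE"
$backupAction  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$backupScript`""
$backupTrigger = New-ScheduledTaskTrigger -Daily -At '01:00'

Register-ScheduledTask -TaskName 'CA-BackupDB' -Action $backupAction -Trigger $backupTrigger `
    -Settings $settings -User $Account -Password $plain -RunLevel Highest -Force | Out-Null

# --- Task 2: CRL publication ---------------------------------------------------------------
# certutil -crl with no arguments publishes a new base CRL (and a delta CRL where enabled) to
# every CDP configured on the CA. The task is identical for the enterprise and the standalone
# case; only the CA's CDP configuration differs. Schedule it well inside the CRL validity period.
$crlAction  = New-ScheduledTaskAction -Execute 'certutil.exe' -Argument '-crl'
$crlTrigger = New-ScheduledTaskTrigger -Daily -At '02:00'

Register-ScheduledTask -TaskName 'CA-PublishCRL' -Action $crlAction -Trigger $crlTrigger `
    -Settings $settings -User $Account -Password $plain -RunLevel Limited -Force | Out-Null

# --- Verification: show what each task runs as and whether that identity is a local admin -----
function Test-CATaskPrincipal {
    param([string[]]$TaskName = @('CA-BackupDB', 'CA-PublishCRL'))
    # Direct members of the local Administrators group via ADSI (nested domain groups are
    # listed by name but not expanded).
    $admins = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    foreach ($name in $TaskName) {
        $principal = (Get-ScheduledTask -TaskName $name).Principal
        $user = $principal.UserId.Split('\')[-1]
        [pscustomobject]@{
            Task         = $name
            RunsAs       = $principal.UserId
            LogonType    = $principal.LogonType
            RunLevel     = $principal.RunLevel
            IsLocalAdmin = ($admins -contains $user)
        }
    }
}
Test-CATaskPrincipal | Format-Table -AutoSize
```

After registering, run each task once by hand (Start-ScheduledTask) and confirm in the Task Scheduler history that the last run result is 0x0; a failed certutil -crl under this account usually means the "Manage CA" grant is missing, and a failed -backupdb usually means the Backup Operators membership or the Highest run level is missing.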

