Knowledge Base

A comprehensive guide for understanding, adding, and managing administrator accounts within Sectigo Certificate Manager (SCM). This article outlines administrator roles, privilege levels, troubleshooting steps, and common support tasks. 

1. Administrator Roles in SCM 

SCM includes three primary administrator roles, each with different visibility and permissions. 

MRAO — Master Registration Authority Officer 

• Full administrative control across all organizations and departments. 

RAO — Registration Authority Officer 

• Limited to assigned organizations/departments and certificate types. 

DRAO — Department Registration Authority Officer 

• Limited to assigned departments and certificate types. 

2. Administrator Account Types 

Administrator accounts can be created using the following types: 

• Standard — Username/password, certificate authentication, or IdP login. 

• IdP / IdP Template / Dynamic IdP Template — Assigned via identity provider attributes. 

• SAS (Sectigo Authentication Service) — For external users authenticated via SAS. 

• API — API-only access, no UI capabilities. 

3. Managing Administrators 

Administrators can be managed from: Settings → Admins 

Available actions: 

• View administrators 

• Add administrators 

• Edit administrator details 

• Suspend or activate accounts 

• Delete administrators 

4. Adding Administrators 

Follow these steps: 

1. Navigate to Settings → Admins → Add. 

2. Select the administrator type. 

3. Enter all required details. 

4. Assign the appropriate Role & Privileges. 

5. Privilege Matrix (Quick Reference) 

* RAO/DRAO privileges may require manual enabling depending on SCM version (e.g., SCM 25.4). 

6. Detailed Privilege Descriptions 

Below is the full breakdown of all administrator privileges. 

1. General Privileges 

Add/Edit/Delete Peer Admin 

Allows creation, modification, or deletion of admins at the same or lower role level. 

Automatically Approve Certificate Requests 

Auto-approves certificate requests submitted by the administrator. 

MS Agent Management (MRAO Only) 

Grants access to Settings → MS Agents, including agent installation and viewing discovered certificates/servers. 

Download Keys (Sectigo Key Vault) 

Allows download of private keys stored in Key Vault. 

Accept Customer License Agreements 

Allows acceptance of Sectigo CLAs on behalf of the organization. 

2. Domain Privileges 

Manage Domain Validations 

Includes: 

• Initiate DCV 

• Delete domain validation (MRAO only) 

• Delete DCV requests 

Manage Domains 

Allows adding, editing, and deleting domains. 

Approve Domain Delegations 

Approve domain delegation requests from equal or lower-level admins. 

3. SSL Certificate Privileges 

• Request SSL Certificates 

• Renew SSL Certificates 

• Replace SSL Certificates (e.g., for key compromise) 

4. Organization & Department Privileges 

Manage Organizations 

Includes management of: 

• Organization details 

• Certificate settings 

• Notification templates 

• ACLs 

• Domains 

Manage Departments 

Allows configuration of department structures and settings. 

Note: SCM version 25.4 introduced changes to several default privilege behaviors. 

5. Admin Security & API Privileges 

Web API Access 

Required for certificate automation platforms (e.g., Venafi/TPP). 

Allow SSL Auto Approval 

Allows API-driven automatic approval of SSL requests. 

6. Reporting Privileges 

Run Reports 

Provides access to: 

• Administrator activity reports 

• Certificate inventory reports 

• SSL issuance and lifecycle data 

7. Additional Role-Dependent Controls 

Revoke Certificates 

• MRAO: Always enabled 

• RAO/DRAO: Must be manually enabled 

Manage SSL Certificates 

Allows access to: 

• SSL settings 

• Notification templates 

• ACL controls 

• Org/Dept certificate policies 

Affected by SCM 25.4 default permission restructuring. 

7. Support Escalation Checklist 

Use this when RAO/DRAO users report missing permissions: 

1. Confirm the admin type. 

2. Confirm the assigned role. 

3. Verify assigned certificate types. 

4. Verify assigned organizations/departments. 

5. Check if Manage SSL Certificates is enabled. 

6. Check if Revoke Certificates is enabled. 

7. Check for SCM version-related privilege changes. 

8. Collect and escalate with:  

• Admin username 

• Org/Dept ID 

• Certificate type involved 

• Expected vs actual behavior 

8. Troubleshooting Notes 

Common issues include: 

• Missing privileges after SCM version upgrades 

• Incorrect organization/department assignments 

• RAO/DRAO permissions requiring manual enablement 

• Domain/validation actions restricted to MRAO 

9. Quick Administrative Tasks 

Add a Standard Admin 

1. Go to Settings → Admins → Add → Standard. 

2. Enter details. 

3. Assign Role & Privileges. 

4. Save. 

Edit an Admin 

1. Go to Settings → Admins. 

2. Select the admin. 

3. Click Edit. 

4. Adjust privileges or details. 

5. Save. 

Suspend/Activate via API 

Supported in SCM version 23.4+. 

Related Articles:  

Tags: