None. Deny access to the snap-in and configure autoenroll.
https://technet.microsoft.com/en-us/...or=-2147217396
>>When subjects already hold a certificate, they need only Read and Enroll permissions to renew that certificate, whether they use autoenrollment or not.