FAS - Is it possible to remove the "Manage CA" permission for one of our service accounts, “vdiservices”, of the certificate for the FAS environment

Article ID: CTX694865

Description

The customer added the "Manage CA" permission during FAS server configuration setup and plans to remove this permission for security reasons.

Cause

The "Manage CA" permission is only needed for service accounts during the initial setup.

Resolution

The "Manage CA" permission is only needed for service accounts during the initial setup. After setup, for ongoing operation, FAS requires only "Read" permission (to check CA status) and "Read" and "Enroll" permissions for the FAS server machine accounts on the relevant certificate templates.


https://docs.citrix.com/en-us/federated-authentication-service/current-release/config-manage/security.html
https://support.citrix.com/external/article?articleUrl=CTX310627-set-up-a-certificate-authority-shows-access-denied-in-fas-admin-console&language=en_US
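
To confirm that the permission is really gone after the change, the CA's access control list can be checked for leftover "Manage CA" entries. The script below is an added example, not Citrix code. It assumes that `certutil -getreg CA\Security` prints each entry as an Allow/Deny rights line followed by a trustee line and shows "Manage CA" as "CA Administrator"; the sample output and the `EXAMPLE` domain are constructed.

```powershell
# Added example (not Citrix code). Assumption: certutil prints each ACE as an
# "Allow|Deny <rights>" line followed by a trustee line, and displays the
# "Manage CA" right as "CA Administrator".
function Get-CaAclEntry {
    param([string[]]$Lines)
    $type = $null
    $rights = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Allow|Deny)\s') {
            # Rights line: remember the access type and the rights it lists
            $type = $Matches[1]
            $rights = @([regex]::Matches($line, 'CA Administrator|Certificate Manager|Read|Enroll') |
                ForEach-Object { $_.Value })
        }
        elseif ($type -and $line.Trim()) {
            # First non-blank line after a rights line names the trustee
            [pscustomobject]@{ Type = $type; Trustee = $line.Trim(); Rights = $rights }
            $type = $null
        }
    }
}

function Find-LeftoverManageCa {
    param([string[]]$Lines, [string[]]$Accounts)
    # Keep only Allow entries that grant Manage CA to one of the named accounts
    Get-CaAclEntry -Lines $Lines | Where-Object {
        $_.Type -eq 'Allow' -and
        $_.Rights -contains 'CA Administrator' -and
        $Accounts -contains $_.Trustee
    }
}

# Constructed sample output; EXAMPLE is a placeholder domain.
$sample = @'
  Security REG_BINARY =
    Allow   CA Administrator        Certificate Manager
        BUILTIN\Administrators

    Allow   CA Administrator        Read
        EXAMPLE\vdiservices

    Allow   Enroll
        NT AUTHORITY\Authenticated Users
'@ -split '\r?\n'

# On the CA server, replace $sample with: certutil -getreg CA\Security
$hits = @(Find-LeftoverManageCa -Lines $sample -Accounts 'EXAMPLE\vdiservices')
if ($hits.Count -eq 0) { 'OK: no FAS service account holds Manage CA' }
else { $hits | ForEach-Object { '{0} still holds Manage CA; only Read is needed after setup' -f $_.Trustee } }
```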

Issue/Introduction

Regarding the Citrix FAS server, could you confirm whether it is possible to remove the "Manage CA" permission for one of our service accounts, “vdiservices”, of the certificate?