The Certification Authority snap-in is for managing CAs, not the certificates they issue. A corresponding snap-in is intended just for managing certificates—the Certificates snap-in. Clients on your network can manage their own certificates by using the Certificates button on the Content tab of Microsoft Internet Explorer's Internet Options dialog box; it does most of what the snap-in can do without requiring that you give your users access to the snap-in.
The basic functions of the Certificates snap-in (along with its installation requirements) are discussed in the section "Managing Certificates" in Chapter 18. However, the behavior and functionality of the Certificates snap-in change slightly when you use it in a domain that has an enterprise or stand-alone CA—you'll notice two new items in the Certificates store: Other People and REQUEST. The Other People store allows you to manage certificates issued to people who aren't in your Active Directory; for example, you can use it as a repository for certificates issued to business partners by an outside CA. The REQUEST store holds certificate requests that are awaiting your approval decision.