You need to grant members of the Account Operators group the ability to manage only Basic EFS certificates.