Thanks e4d4 and Perry:
It seems that was the missing ingredient: I HAD been encrypting the cert via password. When I leave off the password I then can access the cert and symmetric key without it. Of course, this is in SSMS and I am DBO on the database, so now it's time to test a field user to see what we can see.
I'll post results when I have them, as I still do not know whether or not a standard user needs CONTROL permission against the cert and REFERENCE permission against the key.
Kurt
PS - the current code:
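-- With the password clause commented out, the certificate's private key
-- is protected by the database master key instead of a password.
CREATE CERTIFICATE TestCert2
    --ENCRYPTION BY PASSWORD = 'thisIsAP@$$w0rd'
    WITH SUBJECT = 'Test certificate'
    , START_DATE = '1/17/2013'
    , EXPIRY_DATE = '03/26/2013';

-- Open the symmetric key through the certificate (no password needed now).
OPEN SYMMETRIC KEY TestSymmetricKey2
    DECRYPTION BY CERTIFICATE TestCert2 ;
    --WITH PASSWORD = 'thisIsAP@$$w0rd';

-- Encrypt the card numbers into the new column.
UPDATE Sales.CreditCard_ENCRYPTION
SET CardNumbENC = EncryptByKey(Key_GUID('TestSymmetricKey2'), CardNumber);

-- Compare plaintext, ciphertext and the decrypted round trip.
SELECT
    CardNumber
    , CardNumbENC
    , 'Decrypt' = CAST(DecryptByKey(CardNumbENC) AS nvarchar(50))
FROM
    Sales.CreditCard_ENCRYPTION;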
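
One way to run the field-user test described above without leaving SSMS (an added example, not part of Kurt's post): impersonate a low-privilege user and attempt the same OPEN and decrypt. FieldUser is a hypothetical test principal; the grants follow the documented requirements for OPEN SYMMETRIC KEY ... DECRYPTION BY CERTIFICATE, which are some permission on the key plus CONTROL on the certificate.

```sql
-- Added example. FieldUser is a hypothetical test user; the certificate,
-- key and table names are the ones used in the post.
CREATE USER FieldUser WITHOUT LOGIN;

GRANT SELECT ON Sales.CreditCard_ENCRYPTION TO FieldUser;
-- "Some permission" on the key; VIEW DEFINITION is the narrowest one.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::TestSymmetricKey2 TO FieldUser;
-- Needed because the key is opened through the certificate.
GRANT CONTROL ON CERTIFICATE::TestCert2 TO FieldUser;

EXECUTE AS USER = 'FieldUser';

-- Effective permissions as seen by the impersonated user (1 = held).
SELECT
    HAS_PERMS_BY_NAME('TestCert2', 'CERTIFICATE', 'CONTROL') AS CertControl
    , HAS_PERMS_BY_NAME('TestSymmetricKey2', 'SYMMETRIC KEY', 'VIEW DEFINITION') AS KeyViewDef;

BEGIN TRY
    OPEN SYMMETRIC KEY TestSymmetricKey2
        DECRYPTION BY CERTIFICATE TestCert2;

    -- DecryptByKey returns NULL (no error) if the key is not open,
    -- so a NULL column here also indicates a failed test.
    SELECT TOP (5)
        CardNumbENC
        , 'Decrypt' = CAST(DecryptByKey(CardNumbENC) AS nvarchar(50))
    FROM
        Sales.CreditCard_ENCRYPTION;

    CLOSE SYMMETRIC KEY TestSymmetricKey2;
END TRY
BEGIN CATCH
    -- A missing grant surfaces here when OPEN SYMMETRIC KEY fails.
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

REVERT;

-- Clean up the test principal when finished.
-- DROP USER FieldUser;
```

Revoking one grant at a time and re-running the impersonated block shows which permission the OPEN actually depends on.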