Active Directory Certificate Services Best Practices
In several companies across the world, Windows servers are the integral constituent of IT infrastructures. These companies, if required, set up a Public Key Infrastructure (PKI) for issuing digital certificates for their network. PKIs implement and manage certificates, which can be deployed for device authentication, securing web servers (SSL), encrypting emails (S/MIME), digital signatures for documents, and many more similar activities.
Yet, you’d be surprised to learn that many people are unaware that the two can be connected. This is where AD CS comes into the picture.
Active Directory Certificate Services (AD CS) is a Microsoft product for an on-premise PKI solution. It has been in existence for some time and provides digital certificates, public key cryptography, and digital signature capabilities for the organization.
However, if you have dabbled with PKI in the past, you would know that AD CS is not needed to build a CA. It is not needed for signature certificates or several other use cases readily available on the net.
So, why should you bother yourself with AD CS?
The clue here is “provisioning.” You know that it is simple to create your own CA or sign a few certificates with tools like OpenSSL. You can also buy a few certificates and install them manually, but what do you do when these same activities are needed to be done on a large scale?
AD CS permits your organization to distribute certificates from a CA at an extensive level, where the company employs thousands of employees and possibly uses even more machines.
How does AD CS do that?
Active Directory is a Windows domain network directory service. Hence, the foundation for each Active Directory deployment is Active Directory Domain Services (AD DS). It stores information about computers, groups, and users within a domain and also verifies their credentials, and sets the access rights. Learn more on ‘What is a Forest in Active Directory‘
Similar to how HR maintains all relevant information of employees in an organization, AD DS maintains information of the members of the domain. AD DS being the primary directory, information that is registered to this inventory may be attached by other Active Directory services, like AD CS.
Also Read
Active Directory Certificate Services Roles
AD CS is a collection of several role services that perform multiple tasks. One or more of these role services can be installed on a server as deemed necessary. The role services include:
- Certification Authority – This role service installs the primary CA component that allows a server to manage, issue, or revoke certificates for clients. This role service can be installed on several servers within the same root CA chain.
- Certification Authority Web Enrollment – Web-based distribution of certificates to clients is handled under this AD CS role service. It requires Internet Information Services (IIS) to be installed on the server.
- Certificate Enrollment Web Service – This service enables computers and users to enroll for certificates from a non-domain environment or remotely through HTTP.
- Online Responder – In this role, AD CS responds to individual client requests regarding details about the validity of specific certificates. It is used for large networks or complex networks where large Certification Revocation Lists (CRLs) need to be downloaded or when the network needs to handle extensive peaks of revocation activity.
- Certificate Enrollment Web Policy Service – This role service works with related Certificate Enrollment Web Service but provides policy information rather than certificates.
- Network Device Enrollment Service – This role service is for streamlining the way the network devices like routers receive certificates.
Having discussed the role services of AD CS, here are some of the best practices that should be followed if your organization deploys AD CS.
Active Directory Certificate Services Best Practices
Never Use Default AD CS Certificate Templates
Always ensure you have a plan in place before using AD CS templates. Always deploy templates that are necessary. Since the templates are designed as building blocks for duplication, always modify the templates that have been duplicated and leave the original ones. Remember you cannot create a new template.
Use identifiers to mark the duplicate templates like the name of the organization or something similar so that it becomes easy to reconcile and group them together.
Enterprise admins are capable of managing certificate templates by default. To change the settings, you would have to create a security group and assign role separation so that the admins you approve have access to the templates. This is important because misconfiguring your security settings can allow an end-user to access any type of certificate or create a new certificate, thus creating scope for theft.
You must create separate roles in Active Directory Certificate Services to provide greater control on Certificate Authority. The following table elaborates role separation for AD CS.
Security permission on servers
The table mentioned below summarizes certificate security permission in AD CS templates.
Lifecycle Management Of AD CS Certificate
Expiration Notification
You can always create an auto enrollment policy in Group Policy. This helps the AD Domain managed devices to renew certificates before expiration. There is, however, a drawback in this technique. The policy only works for AD managed devices. The good news is there are several third party software that can integrate with all MDMs so that you can deploy the auto enrollment policy on all devices.
Certificate Renewal Process
Microsoft provides certificate auto enrollment features that can be configured with GPO. This allows the devices to automatically enroll for new certificates when the existing certificate is in expiration mode.
To make this process work, you would have to configure an auto-enrollment policy and certificate template. The templates would have to be set with correct permissions like read and enroll. Create security groups if you are giving template access. Once you have configured the templates, assign them to your Enterprise CA so that auto enrollment can commence.
Remember, the auto enrollment process can only be done with the AD CS certificate template and GPO. For any non AD devices or MDMs, you would need external software to integrate with any MDM and push out the renewal policies.
More on AD CS Best Practices - Points To Consider
- Place database and transaction log files on separate hard drives maybe SAN
- Analyze and plan the requirement of Public Key Infrastructure or Active Directory Certificates in your organization before implementing certification authorities
- Keep the root certification authority offline and secure the signing key by hardware. Keep the key in a vault to minimize potential key compromise.
- Always use Certification Authority snap-in while changing security permissions for Certification Authority (CA)
- Never issue certificates directly to computers or users from the root certification authority
- Ensure there is a proper backup for the CA certificates, the CA database, and the CA keys
- Always point the client to subordinate certificates for any certificates
- Make sure that the key lifetimes are long enough to avoid renewal issues
- Ensure using Secure Socket Layer (SSL) when using web-based certificate enrollment
- Always review the security permission concepts and access control. Remember Enterprise Certification Authorities issue certificates based on the security permissions of the certificate requester.
- Use 2048 bit cryptographic length for both offline Root CA and Subordinate CA
Hierarchy - Active Directory Certificate Services
PKI must be implemented in hierarchical order to safely deliver certificates to applications, servers, and clients. The best possible way to do so is by deploying a Standalone Offline Root CA and Online Enterprise Subordinate CA
Offline Root CA means you have to close the CA once you obtain the CRL chain for Subordinate CA. Offline Root CA works in a workgroup and not as a domain member. Subordinate CA remains joined to the domain.
The validity period of Offline Standalone Root CA and Online Enterprise Subordinate CA is 10 years.
Benefits of Standalone Offline Root CA
- Provides CRL signoff capacity for Subordinate Authority
- The principal component of PKI infrastructure
- Provides Web Enrollment for Subordinate CA
- Maintain CAPolicy.inf to record certificate authority validity period and OID
Benefits of Online Enterprise Subordinate CA
- Issues certificates to clients
- Subordinate component of PKI infrastructure
- Management point of Certificate Infrastructure
- Signoff web certificates to clients
- Maintain CAPolicy.inf to record certificate authority validity period and OID
Audit Policy - Active Directory Certificate Services Best Practices
The below-mentioned audit policy should be selected for both the Certificate Authority.
- CA configuration should be changed
- CA database should have a backup and restore facility
- CA security settings should be changed
- Issuance and managing certificate requests
- Revoking certificates and publishing CRL
Backup Certificate Authority
- Backup CA database
- Backup Public Key
- Retention Policy – Daily/Incremental/Monthly/Full
While AD CS best practices have been discussed in detail, it is also essential to know what messy configurations should be avoided when
installing a Certificate Authority.
- Never install Certificate Authority on any Domain Controller or server with multiple roles unless you are a small organization with one or two servers in the organization.
- Never install both the Certificate Authorities in two different operating systems such as Windows Server 2016 and Windows Server 2019
- Never use 1024 bit cryptographic encryption key length
- Never keep Certificate Authorities in different update levels and patches.
Final Word
The bottom line is Active Directory Certificate Services can be a very robust tool for deploying PKI regardless of how you go about deploying it. The best practices are guidelines to do the same error-free.
