Why Do You Need Active Directory Certificate Services?

What is PKI?

PKI (Public Key Infrastructure) represents everything such as software, processes, services, and encryption methods used to establish a secure transmission of data for communication and performing transactions. PKI is based on the exchange of digital certificates between the users and the servers internally or externally. These PKI solutions can be implemented using Active directory certificate services, which we are going to discuss in this article. 

What is an Active Directory Certificate Service ?

Active Directory Certificate Service (AD CS) is a product that provides PKI-related customizable services (windows role services) to implement PKI solutions and functionalities, which are used to issue and manage PKI certifications. These PKI certificates are useful for security systems when trying to facilitate public key technologies.

The certificates that AD CS issues can be used to digitally sign and encrypt the electronic documents and messages that are being transferred between entities. Another use of these digital certificates issued by AD CS is that they can be used to authenticate a user or a device to access a protected network. Each role has a specific task, and it will create a complete solution when all these are working together. Using AD CS is a cost-effective and convenient way of building PKI. 

There are multiple ways to set up an active directory certificate service. They are named Azure PKI, AWS PKI, GCP PKI etc., based on the platform they are using.

AD CS Role services

Certification authority (CA)

CA is responsible for issuing digital certificates and managing their validity.

There are two types of CAs: 

  • Root CA
  • Subordinate CA. 

The use of these CA types in the network solution depends on the PKI design.

Certification Authority Web Enrollment

Users can connect to the CA through this web interface to submit certificate requests, retrieve already issued certificates, and even download the certificate chain. This service can be used in scenarios such as when the device is not connected to the domain or has a different operating system than Windows.

Online Responder

Users can use Online Responder to verify the status of the digital certificates. Unlike in a CRL (Certificate Revocation List), an online responder does not share the records of the entire list. It responds only with the status of a particular certificate once it gets a request from a user to check the status of that certificate. This makes the Online responder more efficient than a CRL as there is no unnecessary data transfer.

Network Device Enrollment Service (NDES)

Network devices with no domain (ex: routers, switches) can obtain certificates through this service.  Additionally, they can get a one-time enrollment password for administration using the NDES service. NDES processes SCEP enrollment requests for the network devices and retrieves the pending requests from the certificate authority.

Certificate Enrollment Web Service (CES)

Devices that are not connected to the domain and the devices that are not a part of the domain can obtain a new certificate or renew the existing certificate using this web service. It provides an efficient and timely service when a user requests over HTTP rather than using the autoenrollment mechanism of a typical CA. Users can enroll from either the internet or intranet.

Certificate Enrollment Policy Web Service

This service enables users to obtain the policy information of certificate enrollments. It enables policy-based certificate enrollments, which are used in scenarios such as when a user/device is not joined to the network or cannot connect itself.

ADCS-role-services

Benefits to Using AD CS

Using AD CS for certificate administration tasks can offer many benefits to users. Some of them are listed below.

Automated Certificate Provisioning Management

Let’s consider that there is an endpoint that is set up online for the first time. A request is sent to the AD to check the certificate types that the endpoint has access to. Considering the response invoked by request, the endpoint then requests the appropriate certificates. By this time, these certificates are sent back to the endpoint and not installed. Or else Certificates can be automatically renewed. It benefits users by allowing them to use short-lived certificates and eliminate the burden of managing unexpected expirations.

Ability to pull from Active Directory

AD CS can directly take/ read data from the Active directory, where the user entities are registered. Now we can automatically insert the entity information to their certificates without going through and filling them manually. Simply said, we can use the existing endpoint identity to register certificates and avoid re-registration.

Defining Group Policy

We can define AD group policies ( here, the policies are the rules that are defined in the AD for a particular group of employees.) ADCS has an attribute/role-based access control making it easy to differentiate which users are allowed for what type of certificates.

Examples :

  • When  there is a need to deploy intermediate CAs to client computers
  • Extending certificate revocation period when particular delaying scenarios occurred
  • Avoid a certain user group or installing an untrusted certificate

Silent Installation

There is no need for separate user intervention during the installation as it is an automatic process.

Cost-Effective and secure service

AD CS enhances the security of your network by creating an identity for a user, service, or device which has a corresponding private key. It is a secure and efficient yet cost-effective solution for managing the certificates.

Supports multiple applications

AD CS supports many commonly used applications, including the following:

  • Secure Socket Layer/Transport Layer Security (SSL/TLS)
  • S/MIME – Secure/Multipurpose Internet Mail Extension
  • VPN – virtual private network
  • Secure wireless networks
  • EFS – Encrypting File System
  • IPsec – Internet Protocol security
  • Smart card log-on systems
  • Digital signatures.

Having active directories can be very helpful if your application is not automated.

The Downside of AD CS

As discussed above, we can see that ADCS plays an intermediate role in certificate provisioning. However, it can be a bit difficult to manage when considering the following facts.

  • Hardware cost:  – Specific secured hardware is required to store the private keys

 

  • Managing validating service: – The methodologies used in validating certificates, creating, updating, and keeping CRLs must be thoroughly designed. The Online responders should be available all the time as the whole concept of ADCS is based on user requests which cost even more.

 

  • Internal PKI design:  – Designing PKI is a complex task that requires more expertise, knowledge, and attention since there is a security concern at every point of the whole PKI architecture. Furthermore, aligning with best practices is also a challenge as PKI design is a highly evolving area.

Conclusion

So far, the most widely used method has been using an AD CS and running an own CA as it offers many benefits, as we discussed. However, there are a few public CAs that offer integrations with Active directories. There is no need to manage an internal CA with this method but can obtain the same administration and automation advantages as usual. It is highly recommended to run your own CA if your organization wants to maintain complete control over the internal resources. Overall, the Active directory domain concept is an important tool for deploying PKIs regardless of the method we use to accomplish it.

Avatar for Shanika Wickramasinghe
Shanika Wickramasinghe

Senior Software Engineer at WSO2 which is the 6th largest Open Source Software Company in the World. My main skills are machine learning and software development. I have 5+ years of experience as a Software engineer.

0 0 votes
Article Rating
Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x