PKI (Public Key Infrastructure) covers everything, such as software, processes, services, and encryption methods, used to establish secure data transmission for communication and transactions. PKI is based on the exchange of digital certificates between users and servers, internally or externally. These PKI solutions can be implemented using Active Directory Certificate Services, which we are going to discuss in this article.
What is Active Directory Certificate Services?
Active Directory Certificate Services (AD CS) is a product that provides customizable PKI-related services (Windows role services) to implement PKI solutions and functionality; these are used to issue and manage PKI certificates. Such certificates are useful for security systems that rely on public key technologies.
The certificates that AD CS issues can be used to digitally sign and encrypt electronic documents and messages transferred between entities. Another use of these digital certificates is to authenticate a user or device accessing a protected network. Each role service has a specific task, and together they form a complete solution. Using AD CS is a cost-effective and convenient way of building a PKI.
The CA is responsible for issuing digital certificates and managing their validity.
There are two types of CA:
Root CA
Subordinate CA
How these CA types are used in the network solution depends on the PKI design.
Certification Authority Web Enrollment
Users can connect to the CA through this web interface to submit certificate requests, retrieve already issued certificates, and download the certificate chain. This service is useful in scenarios such as when a device is not joined to the domain or runs an operating system other than Windows.
Online Responder
Users can use the Online Responder to verify the status of digital certificates. Unlike a CRL (Certificate Revocation List), an Online Responder does not share the entire revocation list; it responds only with the status of the particular certificate a user asks about. This makes the Online Responder more efficient than a CRL, as there is no unnecessary data transfer.
Network Device Enrollment Service (NDES)
Network devices without domain accounts (e.g. routers, switches) can obtain certificates through this service. Additionally, a one-time enrollment password can be obtained for administration through NDES. NDES processes SCEP enrollment requests for the network devices and retrieves pending requests from the certification authority.
Devices that are not connected to the domain, or are not part of it, can obtain a new certificate or renew an existing one using this web service. It provides an efficient and timely service when a user requests over HTTP rather than using the autoenrollment mechanism of a typical CA. Users can enroll from either the internet or the intranet.
Certificate Enrollment Policy Web Service
This service lets users obtain certificate enrollment policy information. It enables policy-based certificate enrollment, which is used in scenarios such as when a user or device is not joined to the network or cannot connect to it.
Let's consider an endpoint that is set up online for the first time. A request is sent to AD to check which certificate types the endpoint has access to. Based on the response, the endpoint then requests the appropriate certificates. The certificates are then sent back to the endpoint, but not installed. Alternatively, certificates can be renewed automatically. This benefits users by allowing short-lived certificates and removing the burden of managing unexpected expirations.
Ability to pull from Active Directory
AD CS can read data directly from Active Directory, where the user entities are registered. Entity information can therefore be inserted into certificates automatically instead of being filled in manually. Simply put, the existing endpoint identity can be used to register certificates, avoiding re-registration.
Defining Group Policy
We can define AD group policies (here, the policies are the rules defined in AD for a particular group of employees). AD CS has attribute/role-based access control, making it easy to specify which users are allowed which types of certificates.
Examples:
Deploying intermediate CAs to client computers
Extending the certificate revocation period when particular delays occur
Restricting a certain user group, or preventing installation of an untrusted certificate
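The attribute/role-based access control described above lives in the ACLs of the certificate template objects in AD. The following script, an added example and not code from the article, lists which principals hold the Enroll or AutoEnroll right on each template so that overly broad grants (for example to Domain Users or Authenticated Users) can be reviewed. It assumes the ActiveDirectory RSAT module and read access to the Configuration naming context on a domain-joined machine.

```powershell
# Added example: audit Enroll / AutoEnroll permissions on AD CS certificate templates.
# Assumes the ActiveDirectory module is installed and the caller can read the
# Configuration naming context (default for authenticated domain users).
Import-Module ActiveDirectory

# Well-known extended-right GUIDs used on pKICertificateTemplate objects
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$report = Get-ADObject -SearchBase $templateDN -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKICertificateTemplate"' |
ForEach-Object {
    $template = $_
    # The AD: PSDrive exposes the object's security descriptor via Get-Acl
    $acl = Get-Acl -Path "AD:\$($template.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Rights that allow enrollment: the explicit Enroll/AutoEnroll extended
        # rights, an ExtendedRight ACE with an empty GUID (all extended rights),
        # or GenericAll on the template object.
        $right = switch ($true) {
            ($ace.ObjectType -eq $EnrollRight)     { 'Enroll'; break }
            ($ace.ObjectType -eq $AutoEnrollRight) { 'AutoEnroll'; break }
            ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) { 'GenericAll'; break }
            (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             $ace.ObjectType -eq [guid]::Empty)    { 'AllExtendedRights'; break }
            default { $null }
        }
        if (-not $right) { continue }

        [pscustomobject]@{
            Template  = $template.Name
            Principal = $ace.IdentityReference.Value
            Right     = $right
        }
    }
}

$report | Sort-Object Template, Principal | Format-Table -AutoSize
```

Rows granting Enroll or GenericAll to very large groups are the ones to compare against the intended policy for that template.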
Silent Installation
No separate user intervention is needed during installation, as it is an automatic process.
Cost-effective and secure service
AD CS enhances the security of your network by creating an identity for a user, service, or device, with a corresponding private key. It is a secure, efficient, yet cost-effective solution for managing certificates.
Supports multiple applications
AD CS supports many commonly used applications, including the following:
Having Active Directory can be very helpful if your application is not automated.
The Downside of AD CS
As discussed above, AD CS plays an intermediary role in certificate provisioning. However, it can be somewhat difficult to manage, considering the following.
Hardware cost: specific secured hardware is required to store the private keys.
Managing the validation service: the methodologies for validating certificates and for creating, updating, and maintaining CRLs must be thoroughly designed. Online Responders must be available at all times, since the whole concept of AD CS is based on user requests, which costs even more.
Internal PKI design: designing a PKI is a complex task that requires expertise, knowledge, and attention, since there is a security concern at every point of the PKI architecture. Furthermore, aligning with best practices is also a challenge, as PKI design is a rapidly evolving area.
So far, the most widely used method has been to use AD CS and run your own CA, as it offers many benefits, as discussed. However, a few public CAs offer integrations with Active Directory. With this method there is no need to manage an internal CA, while the same administration and automation advantages are retained. Running your own CA is highly recommended if your organization wants to maintain complete control over its internal resources. Overall, the Active Directory domain concept is an important tool for deploying PKIs, regardless of the method used to accomplish it.
Senior Software Engineer at WSO2, the 6th largest open source software company in the world. My main skills are machine learning and software development. I have 5+ years of experience as a software engineer.