What is PKI?
PKI (Public Key Infrastructure) is the collection of software, processes, services, and cryptographic methods used to establish trusted identities and to protect data in transit for communication and transactions. PKI is based on the issuance and exchange of digital certificates between users, devices, and servers, whether inside or outside the organization. In a Windows environment, a PKI can be implemented with Active Directory Certificate Services, which this article discusses.
What is Active Directory Certificate Services?
Active Directory Certificate Services (AD CS) is a Windows Server role that provides customizable PKI-related role services for issuing and managing digital certificates. These certificates let systems make use of public key technologies for authentication, signing, and encryption.
The certificates that AD CS issues can be used to digitally sign and encrypt documents and messages transferred between entities, and to authenticate a user or a device before it is granted access to a protected network. Each role service has a specific task, and together they form a complete PKI solution. Using AD CS is a cost-effective and convenient way of building a PKI for a Windows domain.
AD CS Role services
Certification authority (CA)
The CA issues digital certificates and manages their validity, including renewal and revocation.
There are two types of CAs:
- Root CA
- Subordinate CA
The use of these CA types in the network solution depends on the PKI design.
Certification Authority Web Enrollment
Users can connect to the CA through this web interface (the certsrv application hosted on IIS) to submit certificate requests, retrieve already issued certificates, and download the CA certificate, the certificate chain, or the CRL. It is useful in scenarios where the requesting device is not joined to the domain or does not run Windows.
Online Responder
The Online Responder answers certificate status queries using the Online Certificate Status Protocol (OCSP). Unlike a CRL (Certificate Revocation List), which a client must download in full, an Online Responder returns the status of only the single certificate a client asks about. This makes the Online Responder more efficient than a CRL, since no unnecessary data is transferred, and it matters most when CRLs grow large.
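The following PowerShell is an added example, not code from the original article. It shows where a client looks for the two revocation sources described above (the OCSP responder URL in the Authority Information Access extension and the CRL URL in the CRL Distribution Points extension) and then forces an online revocation check of the whole chain. It assumes a domain-joined Windows client and a certificate file named `.\server.cer` issued by your AD CS CA (the file name is a placeholder).

```powershell
# Added example (not from the original article). Assumption: .\server.cer is a
# certificate issued by your AD CS CA; the file name is a placeholder.
$certPath = (Resolve-Path '.\server.cer').Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Authority Information Access (OID 1.3.6.1.5.5.7.1.1) carries the OCSP responder URL(s).
# CRL Distribution Points (OID 2.5.29.31) carries the URL(s) of the full CRL.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }

Write-Host "== Authority Information Access (Online Responder / OCSP) =="
if ($aia) { $aia.Format($true) } else { Write-Host '  (no AIA extension: OCSP cannot be used)' }
Write-Host "== CRL Distribution Points =="
if ($cdp) { $cdp.Format($true) } else { Write-Host '  (no CDP extension: CRL cannot be used)' }

# Build the chain and require a live revocation check for every certificate in it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)

if ($valid) {
    Write-Host 'Chain is valid and no certificate in it is revoked.'
} else {
    # Revoked means a responder or CRL said so; RevocationStatusUnknown / OfflineRevocation
    # means neither source could be reached. Treat both as a failure, not as "probably fine".
    foreach ($s in $chain.ChainStatus) {
        Write-Host ('  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim())
    }
}

# certutil prints each fetch it performs, so you can see whether the OCSP responder
# or a CRL download actually answered the status query.
certutil -verify -urlfetch $certPath | Select-String -Pattern 'OCSP|CRL|Revocation'
```

If the AIA extension is missing from the issued certificates, clients will fall back to the CRL for every check, which is exactly the full-list download the Online Responder is meant to avoid; the CA's AIA and CDP settings are where that is fixed.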
Network Device Enrollment Service (NDES)
Network devices that cannot join the domain (for example routers and switches) can obtain certificates through this service using the Simple Certificate Enrollment Protocol (SCEP). An administrator retrieves a one-time enrollment challenge password from NDES and supplies it to the device, which presents it in its SCEP request. NDES forwards the enrollment requests to the certification authority and returns issued or pending certificates to the device.
Certificate Enrollment Web Service (CES)
Both domain-joined and non-domain-joined computers can obtain a new certificate or renew an existing one through this web service. Requests are made over HTTPS rather than the DCOM-based enrollment interface of a typical enterprise CA, which makes enrollment possible from either the internet or the intranet and through firewalls that block RPC traffic.
Certificate Enrollment Policy Web Service
This service provides clients with certificate enrollment policy information, such as which templates are available to them, over HTTPS instead of the usual LDAP query to Active Directory. It enables policy-based certificate enrollment in scenarios where a user or device is not joined to the domain or cannot reach a domain controller.
Benefits to Using AD CS
Automated Certificate Provisioning Management
Consider an endpoint that comes online for the first time. It queries Active Directory for the certificate templates on which it holds Enroll and Autoenroll permissions, requests the appropriate certificates from the CA, and the issued certificates are returned and installed in its certificate store automatically. Certificates can likewise be renewed automatically before they expire. This lets an organization use short-lived certificates without the burden of managing unexpected expirations.
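The following PowerShell is an added example, not code from the original article. It lists which certificate templates a principal may enroll and autoenroll for by reading the template ACLs from the configuration partition, and then triggers the same autoenrollment pass the endpoint runs on its own. It assumes a domain-joined machine; the principal name `CONTOSO\Domain Computers` and the template name `Machine` (the built-in Computer template) are placeholders for your environment.

```powershell
# Added example (not from the original article). Assumption: CONTOSO\Domain Computers
# is a placeholder principal; adjust it to the user or computer group you are auditing.
$principal = 'CONTOSO\Domain Computers'

# Extended-right GUIDs that AD CS uses in template ACLs.
$enrollGuid     = [Guid]'0e10c0b8-2b74-11d2-a20a-0000f8802b27'
$autoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$genericAll     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates live in the configuration naming context, not in a domain partition.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Test-TemplateRight {
    param($Rules, [Guid]$RightGuid)
    # GenericAll grants everything; ExtendedRight with the specific GUID (or the empty GUID,
    # meaning all extended rights) grants the named right.
    foreach ($r in $Rules) {
        if (($r.ActiveDirectoryRights -band $genericAll) -ne 0) { return $true }
        if ((($r.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
            ($r.ObjectType -eq $RightGuid -or $r.ObjectType -eq [Guid]::Empty)) { return $true }
    }
    return $false
}

$report = foreach ($tpl in $container.Children) {
    $allow = $tpl.ObjectSecurity.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $principal
    }
    [PSCustomObject]@{
        Template   = [string]$tpl.Properties['cn'].Value
        Enroll     = Test-TemplateRight -Rules $allow -RightGuid $enrollGuid
        AutoEnroll = Test-TemplateRight -Rules $allow -RightGuid $autoEnrollGuid
    }
}
# Only templates the principal can actually obtain are interesting for the autoenrollment flow.
$report | Where-Object { $_.Enroll } | Sort-Object Template | Format-Table -AutoSize

# Run the autoenrollment pass now instead of waiting for the scheduled task:
# it reads policy from AD, requests every autoenroll-permitted template, and installs the results.
certutil -pulse

# Or request one specific template immediately into the machine store.
Get-Certificate -Template 'Machine' -CertStoreLocation 'Cert:\LocalMachine\My'
```

Inherited group membership is not expanded here: a principal whose access comes through a nested group will not appear with a direct ACE, so audit the groups you expect to see rather than individual accounts.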
Ability to pull from Active Directory
AD CS can read data directly from Active Directory, where user and computer accounts are registered, and insert the entity's information (for example its UPN or DNS name) into the certificate subject without anyone filling it in manually. Put simply, the existing directory identity is used to enroll certificates, avoiding re-registration.
Defining Group Policy
Certificate settings can be distributed with AD Group Policy (here, policies are rules defined in AD that apply to a particular group of users or computers), and AD CS uses access control on certificate templates, so it is easy to define which users or computers may enroll for which types of certificates. Typical uses include:
- Deploying intermediate (subordinate) CA certificates to client computers
- Extending the CRL validity and overlap period so that clients keep a usable CRL when publication is delayed
- Blocking a certificate for a particular user group, or preventing an untrusted certificate from being installed
No user intervention is needed during installation, as the process is automatic.
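The following PowerShell is an added example, not code from the original article, covering the three uses listed above from the CA side: publishing a subordinate CA certificate so domain members pick it up automatically, lengthening the CRL validity and overlap so delayed publication does not leave clients with an expired CRL, and placing a specific certificate in the Untrusted Certificates store. It assumes it is run on the CA server by an Enterprise Admin; the file names `.\SubCA.cer` and `.\rogue.cer` are placeholders.

```powershell
# Added example (not from the original article). Assumptions: run on the issuing CA as an
# Enterprise Admin; .\SubCA.cer and .\rogue.cer are placeholder file names.

# 1. Publish the subordinate CA certificate into the AD configuration partition.
#    Domain-joined clients retrieve it through the PKI Group Policy download, so the
#    intermediate reaches every computer without anyone installing it by hand.
certutil -dspublish -f .\SubCA.cer SubCA

# 2. Base CRL valid for one week, with a three-day overlap: the CA publishes the next CRL
#    well before the current one expires, so a delayed publication window still leaves
#    clients with a CRL they can use for revocation checking.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLOverlapUnits 3
certutil -setreg CA\CRLOverlapPeriod 'Days'
Restart-Service certsvc      # registry changes take effect when the CA service restarts
certutil -crl                # publish a CRL with the new validity period right away

# 3. Distrust one certificate on this host by adding it to the Untrusted Certificates store
#    (internal name "Disallowed"). To apply it domain-wide, import the same file under the
#    Untrusted Certificates node of the Public Key Policies Group Policy.
certutil -addstore Disallowed .\rogue.cer

# Verify the result: effective CRL settings and the CA certificates now published in AD.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLOverlapUnits
certutil -store -enterprise CA | Select-String -Pattern 'Subject:'
```

Check the next CRL's "Next Update" field with `certutil -dump` on the published file after step 2; if it does not move out by the configured period plus overlap, the service was not restarted before `certutil -crl` ran.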
Cost-Effective and secure service
AD CS enhances the security of your network by creating an identity for each user, service, or device that is bound to a private key only that entity holds. It is a secure and efficient, yet cost-effective, solution for managing certificates.
Supports multiple applications
AD CS supports many commonly used applications, including the following:
- SSL/TLS – Secure Sockets Layer/Transport Layer Security
- S/MIME – Secure/Multipurpose Internet Mail Extensions
- VPN – virtual private network
- Secure wireless networks
- EFS – Encrypting File System
- IPsec – Internet Protocol security
- Smart card logon
- Digital signatures
Having Active Directory integration is very helpful when your application does not automate certificate handling on its own.
The Downside of AD CS
- Hardware cost: dedicated secured hardware, such as a hardware security module (HSM), is needed to protect the CA private keys
- Managing the validation service: the methods used to validate certificates and to create, update, and publish CRLs must be thoroughly designed. Online Responders must be highly available, since every status check depends on them answering, and that availability adds cost.
- Internal PKI design: designing a PKI is a complex task that requires expertise, knowledge, and attention, since there is a security concern at every point of the architecture. Keeping up with best practices is also a challenge, as PKI design is a fast-evolving area.
So far, the most widely used approach has been running your own CA with AD CS, which offers the benefits discussed above. However, a few public CAs also offer integrations with Active Directory. With that approach there is no internal CA to manage, yet the same administration and automation advantages are available. Running your own CA is recommended if your organization wants to keep complete control over its internal resources. Overall, the Active Directory domain is an important foundation for deploying a PKI, regardless of which method is used.