Countless organizations use Windows Server as the foundation of their IT infrastructure. Countless organizations also use PKI for various security needs (such as securing web servers [SSL/TLS], certificate-based authentication, digital signatures for documents, and encrypting emails [S/MIME]). However, we’re often surprised to learn how many people aren’t aware that the two can be connected. Enter Active Directory Certificate Services (AD CS).
What is Active Directory Certificate Services (AD CS)?
According to Microsoft themselves, AD CS is the “Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.”
In practical terms, this means that rather than going to a third-party Certificate Authority (CA) for PKI certificates and relying on its hosted services, you can issue and manage certificates in-house.
Benefits to Using Active Directory Certificate Services (AD CS)
Using AD CS provides a number of benefits, mostly around certificate administration.
- Pull from Active Directory – You can use the existing endpoint identity information that exists in AD to register for certificates (to avoid re-registering).
- Leverage Existing Group Policy – You can configure AD Group Policies to dictate which users and machines are allowed which types of certificates.
- Automate Certificate Provisioning and Lifecycle Management – When an endpoint comes online for the first time, it queries AD to determine which certificate types (called templates) it has access to, based on Group Policy. Based on the results of that query, the endpoint requests the appropriate certificates from the CA, which are then returned to the endpoint and installed. Certificates can be set to renew automatically, eliminating the worry over unexpected expiration and gaps in coverage.
- Silent Installation – As hinted above, the installation process is automatic and doesn’t require any end user (or IT) intervention.
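Because the whole enrollment flow above is silent, administrators rarely see what it actually produced. The PowerShell below is an added example (not code from the original post or from any vendor) that reads the machine autoenrollment setting Group Policy writes to the registry and inventories the local machine store for certificates issued from AD CS templates, flagging those nearing expiry. It assumes a domain-joined Windows host, read access to the LocalMachine\My store, and the standard registry path and template-extension OIDs.

```powershell
# Added example: audit what AD CS autoenrollment has installed on this machine.
# Assumes a domain-joined host; paths and OIDs below are the standard Windows ones.

# Extensions that identify the template a certificate was issued from.
$templateOids = @{
    '1.3.6.1.4.1.311.20.2' = 'V1 template name'
    '1.3.6.1.4.1.311.21.7' = 'V2+ template information'
}

function Get-AutoenrollmentPolicy {
    # Group Policy pushes the machine autoenrollment setting to this key (value AEPolicy).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $item = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not configured by Group Policy' }
    # 0x8000 is the "do not enroll certificates automatically" flag; 7 is the usual
    # fully enabled value (renew expired, update pending, update template-based certs).
    if ($item.AEPolicy -band 0x8000) { return ('disabled (0x{0:X})' -f $item.AEPolicy) }
    return ('enabled (0x{0:X})' -f $item.AEPolicy)
}

function Get-TemplateCertificates {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$ExpiryWarningDays = 30
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ext = $cert.Extensions |
            Where-Object { $templateOids.ContainsKey($_.Oid.Value) } |
            Select-Object -First 1
        if ($null -eq $ext) { continue }   # not issued from an AD CS template
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            Template      = ($ext.Format($false) -replace '\s+', ' ').Trim()
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
            ExpiresSoon   = $cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)
        }
    }
}

"Machine autoenrollment policy: $(Get-AutoenrollmentPolicy)"
Get-TemplateCertificates | Sort-Object NotAfter | Format-Table -AutoSize
```

Running it against Cert:\CurrentUser\My instead shows user autoenrollment; the corresponding policy key lives under HKCU with the same relative path.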
The Downside to Active Directory Certificate Services (AD CS) – Running Your Own CA
Now, after the benefits outlined above, you may be thinking, “sign me up!” But we can’t really talk about AD CS without discussing the other critical element of this type of PKI set-up – the internal CA (i.e. the Microsoft CA) that issues the certificates. AD CS is something like the waiter in the scenario above, taking requests from endpoints and delivering the appropriate certificates, and it is an excellent waiter! It’s the “kitchen” (i.e. the Microsoft CA) that can be a headache to manage.
We’ve covered the disadvantages of running an internal CA in the past, but they generally boil down to the same arguments you always face when trying to decide between outsourcing or handling internally. Think about it. Would you dedicate time, money and resources on developing an internal CRM? Or would you use one of the many readily available, SaaS options that were designed by experts?
PKI brings additional considerations to the discussion as well. Here are just a few examples:
- Hardware Costs – You need to protect and store your root and signing private keys on secure hardware (e.g. Hardware Security Module).
- Maintaining Validation Services – You need a reliable way for relying parties to check certificate validity, which means publishing CRLs, keeping them current and reachable, and running OCSP responders.
- Internal PKI Expertise – PKI is complex and best practices are continually evolving. How will you ensure you maintain compliance?
Best of Both Worlds? An Active Directory Integration from a Third Party CA
For a long time (and some people may still think this), the only way to leverage Active Directory for PKI and get all those benefits was to use AD CS and run your own CA, but times have changed! A few public CAs (cough GlobalSign cough) now offer integrations with AD that give you the same administration and automation benefits without the need to manage a CA internally.
With these integrations, you can still leverage AD and Group Policy for certificate registration and assignments, but certificate requests are sent and responded to by the public SaaS-based CA. Certificates can still be automatically provisioned, renewed and silently installed as well.
Some organizations want to retain complete control and have the internal resources to support a Microsoft CA. Some don’t, in which case it’s important to know that these types of public CA integrations exist. The main takeaway here is that Active Directory can be a very powerful tool for deploying PKI, regardless of how you go about doing it.
Want to know more about leveraging Active Directory to automate PKI and facilitate high volume deployments? Check out our recent webinar – “PKI: the Security Swiss Army Knife”!