Editor's Note: This post was originally published in September 2016 and has been updated by GlobalSign Regional Product Manager Sebastian Schulz to provide additional details about the benefits of AD CS.
Countless organizations use Windows Server as the foundation of their IT infrastructure. Countless organizations also use PKI for various security needs, such as securing web servers (SSL), certificate-based authentication, digital signatures for documents, and encrypting email (S/MIME). However, we’re often surprised to learn how many people aren’t aware that the two can be connected. Enter Active Directory Certificate Services (AD CS).
What is Active Directory Certificate Services (AD CS)?
According to Microsoft, AD CS is the “Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.”
There’s a little bit to unpack here. If you have dabbled with public key infrastructure (PKI) before, chances are you realize that you don’t need AD CS to build a CA, and certificates for signatures and many other use cases are readily available online as well. So why bother with AD CS? The clue is the word “provide.” The truth is, it’s relatively simple to create your own CA and sign a handful of certificates with tools such as OpenSSL. You could also buy a few certificates from a CA like GlobalSign and install them manually. But AD CS does more than that: it allows your organization to distribute certificates from a CA at scale, for companies with thousands of employees and possibly even more machines. How does it do that?
As its name implies, Active Directory is a directory service for Windows domain networks, and the cornerstone of every Active Directory implementation is Active Directory Domain Services (AD DS). AD DS stores information about users, computers, and groups within a domain (such as globalsign.com), verifies their credentials, and sets access rights. Just as every employee of a company is registered with HR and has a file detailing all of their relevant information, AD DS maintains this information for members of the domain. Because AD DS is the fundamental directory, information registered in it can be leveraged by other Active Directory services – such as AD CS.
Benefits to Using AD CS
Using AD CS provides a number of benefits, mostly around certificate administration.
- Pull from Active Directory – You can use the existing endpoint identity information that exists in AD to register for certificates (to avoid re-registering). This means that users and computers registered to your AD can have their information automatically inserted into certificates. No one would want to manually apply for all those, right?
- Leverage Existing Group Policy – You can configure AD Group Policies (rules for groups of particular users defined in AD, e.g. all employees working in Accounting) to dictate which users and machines are allowed which types of certificates. This is great to implement role- or attribute-based access control.
- Automate Certificate Provisioning and Lifecycle Management – Once an endpoint comes online for the first time, a request is sent to AD to check which certificate types (called templates) the endpoint has access to based on the Group Policy. Based on the results of that request, the endpoint requests the appropriate certificates, which are then sent back to the endpoint and installed. Certificates can be set to automatically renew, as often as you like. This allows you to use short-lived certificates while eliminating the worry over unexpected expiration and gaps in coverage.
- Silent Installation – As hinted above, the installation process is automatic and doesn’t require any end user (or IT) intervention. PKI can be a nightmare at scale, unless you really have your automation on point. AD can help big time!
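The autoenrollment flow described in the list above is driven by a client-side Group Policy setting ("Certificate Services Client - Auto-Enrollment") and by certificate templates that carry their name in a certificate extension. The PowerShell below is an added example, not code from the original post or from GlobalSign or Microsoft; it assumes a domain-joined Windows host with the built-in PKI module, and the template name `WorkstationAuthentication` is a placeholder. It reads the autoenrollment policy the endpoint received, lists certificates issued from a given template, and reports certificates that will expire within a chosen window, which is the check an administrator wants when relying on short-lived, auto-renewed certificates.

```powershell
# Added example (not from the original post). Inspect the client-side state that
# AD CS autoenrollment depends on and report machine certificates nearing expiry.
# Assumption: domain-joined Windows host; run in an elevated session to read the
# LocalMachine store.

# The "Certificate Services Client - Auto-Enrollment" policy writes this value.
$AutoEnrollPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

function Get-AutoEnrollmentState {
    # Decode the AEPolicy bit flags: 0x1 enabled, 0x2 renew expired / update
    # pending / remove revoked, 0x4 update certificates that use templates,
    # 0x8000 explicitly disabled.
    $item = Get-ItemProperty -Path $AutoEnrollPath -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (no autoenrollment policy applied)' }
    $v = [int]$item.AEPolicy
    if ($v -band 0x8000) { return 'Disabled by policy' }
    $flags = @()
    if ($v -band 0x1) { $flags += 'Enabled' }
    if ($v -band 0x2) { $flags += 'RenewExpired/UpdatePending/RemoveRevoked' }
    if ($v -band 0x4) { $flags += 'UpdateTemplates' }
    if ($flags.Count -eq 0) { return "Configured but no flags set (raw value $v)" }
    return ($flags -join ', ')
}

function Get-CertificatesByTemplate {
    # Match on the template extensions: 1.3.6.1.4.1.311.21.7 (v2 template
    # information) or 1.3.6.1.4.1.311.20.2 (v1 template name).
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [string]$Store = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $Store | Where-Object {
        $ext = $_.Extensions | Where-Object {
            $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
        }
        if (-not $ext) { return $false }
        $text = ($ext | ForEach-Object { $_.Format($false) }) -join ' '
        $text -match [regex]::Escape($TemplateName)
    }
}

function Get-ExpiringCertificates {
    # Certificates that will expire within $Days; with autoenrollment working,
    # this list should normally be empty or contain only superseded entries.
    param(
        [int]$Days = 30,
        [string]$Store = 'Cert:\LocalMachine\My'
    )
    $cutoff = (Get-Date).AddDays($Days)
    Get-ChildItem -Path $Store |
        Where-Object { $_.NotAfter -lt $cutoff } |
        Select-Object Subject, NotAfter, Thumbprint
}

# Usage
"Autoenrollment: $(Get-AutoEnrollmentState)"
# Ask the client to run an autoenrollment pass now rather than waiting for the
# scheduled trigger (this is the standard certutil switch for that purpose).
certutil -pulse | Out-Null
# Placeholder template name; replace with a template published in your AD CS.
Get-CertificatesByTemplate -TemplateName 'WorkstationAuthentication' |
    Select-Object Subject, NotAfter, Thumbprint
Get-ExpiringCertificates -Days 30
```

If the first line reports "Not configured", the endpoint never received the policy and no certificate will be requested regardless of what the templates allow; if it reports "Disabled by policy", someone has explicitly turned autoenrollment off. An unexpected entry in the expiring list is the early warning that a renewal is silently failing.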
The Downside to Active Directory Certificate Services (AD CS) – Running Your Own CA
Now after the benefits outlined above, you may be thinking, “Sign me up!” But we can’t really talk about AD CS without discussing the other critical element to this type of PKI set-up – the internal CA (i.e. Microsoft CA) that provisions the certificates. AD CS is kind of the waiter in the scenario discussed above, taking requests from endpoints and delivering the appropriate certificates – and it is an excellent waiter! It’s the “kitchen” (i.e. Microsoft CA) that can be a bit of a headache to manage.
We’ve covered the disadvantages of running an internal CA in the past, but they generally boil down to the same arguments you always face when deciding between outsourcing and handling something internally. Think about it. Would you dedicate time, money and resources to developing an internal CRM? Or would you use one of the many readily available SaaS options designed by experts?
And since it’s much more complex than a CRM, PKI brings additional considerations to the discussion as well. Here are just a few examples:
- Hardware Costs – You need to protect and store your root and signing private keys on secure hardware (e.g. Hardware Security Module or HSM).
- Maintaining Validation Services – You need a way for relying parties to check certificate validity, such as publishing CRLs, keeping them current, and running OCSP responders. These can pose an even greater challenge than distribution and lifecycle management of certificates: if another party wants to check the validity of your certificates, your CRLs and OCSP responders need to be available 24/7, all over the world.
- Internal PKI Expertise – PKI is complex and best practices are continually evolving. Senior PKI professionals are difficult to come by and may not come cheap either. How do you make sure your PKI is safe? How will you ensure you maintain compliance? How do you adapt to changes in cryptographic standards?
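The validation-services point above is the one most often discovered the hard way, when a CRL distribution point or OCSP responder goes quiet and clients start reporting revocation status as unknown. The PowerShell below is an added example, not code from the original post or from GlobalSign or Microsoft. It uses the .NET `X509Chain` engine that Windows itself relies on, forces a live (non-cached) revocation lookup, and also extracts the CRL and OCSP URLs a certificate advertises so an administrator can see which endpoints must stay reachable. It assumes a certificate already present in the local machine store; the selection of the first certificate at the bottom is a placeholder.

```powershell
# Added example (not from the original post). Check whether the revocation
# information a certificate points to (CRL distribution points and OCSP via
# Authority Information Access) can actually be fetched from this host.
# Assumption: run on Windows with a certificate in Cert:\LocalMachine\My.

function Test-RevocationReachability {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online mode forces a fresh lookup instead of trusting a cached CRL, which
    # is what surfaces an unreachable CDP or OCSP responder.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built = $chain.Build($Certificate)

    # OfflineRevocation / RevocationStatusUnknown mean the lookup itself failed;
    # Revoked means it succeeded and the answer was bad.
    $problems = $chain.ChainStatus | Where-Object {
        [string]$_.Status -in 'RevocationStatusUnknown', 'OfflineRevocation', 'Revoked'
    }

    # Pull the URLs out of the CRL Distribution Points (2.5.29.31) and
    # Authority Information Access (1.3.6.1.5.5.7.1.1) extensions. The formatted
    # text lists each endpoint on a "URL=..." line.
    $extOids = '2.5.29.31', '1.3.6.1.5.5.7.1.1'
    $urls = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -in $extOids } |
        ForEach-Object { [regex]::Matches($_.Format($true), 'URL=(\S+)') } |
        ForEach-Object { $_.Groups[1].Value }

    $result = [pscustomobject]@{
        Subject          = $Certificate.Subject
        ChainBuilt       = $built
        RevocationIssues = ($problems | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        AdvertisedUrls   = @($urls)
    }
    $chain.Reset()
    return $result
}

# Usage: placeholder selection of the first machine certificate in the store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object -First 1
if ($cert) { Test-RevocationReachability -Certificate $cert | Format-List }
```

A result with `ChainBuilt` true and an empty `RevocationIssues` field means every CRL and OCSP endpoint on the chain answered; a populated field tells you which hop failed and why. Running this from a network segment other than the CA's own (a branch office, a cloud VM) is the realistic test of the "available all over the world" requirement, since an endpoint that only resolves inside the datacenter passes locally and fails everywhere else.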
Best of Both Worlds: An Active Directory Integration from a Third-Party CA
For a long time (and some people may still think this), the only way to leverage Active Directory for PKI and get all those awesome benefits was to use AD CS and run your own CA – but times have changed! A few public CAs, such as GlobalSign, now offer integrations with AD that give you the same administration and automation benefits without the need to manage a CA internally.
With these integrations, you can still leverage AD and Group Policy for certificate registration and assignments, but certificate requests are sent and responded to by the public SaaS-based CA. Certificates can still be automatically provisioned, renewed and silently installed as well.
Some organizations want to retain complete control and have the internal resources to support a Microsoft CA. Some don’t, in which case it’s important to know that these types of public CA integrations exist. The main takeaway here is that Active Directory can be a very powerful tool for deploying PKI, regardless of how you go about doing it.
Visit our website to learn more about leveraging Active Directory to automate PKI and facilitate high volume deployments.