
Active Directory Certificate Services

What is a Certificate

Before we delve into Active Directory Certificate Services (AD CS), let us first understand certificates. A digital certificate and a traditional (paper) certificate have quite a number of similarities.

  • Both contain the issuing authority's name. While a traditional certificate carries the particulars of a university, organization or government agency, the digital certificate carries the details of the issuing authority. In either case, the authority that issued the certificate must be a trusted source.
  • Both contain the name of the party to whom it is granted. While the traditional certificate names the person or organization to whom it is issued, the digital certificate names the user, computer or device to which the certificate is issued.
  • Both carry a proof of authenticity: the digital certificate bears a digital signature, not unlike the seal on a traditional certificate, which proves that the certificate is legitimate.

Another key field is the validity period of the certificate, beyond which the certificate cannot be used. The difference between a traditional certificate and a digital certificate is the addition of another field called the public key. This key can be used to encrypt data that can be decrypted only by the end user who holds the corresponding private key.
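The fields listed above (issuer, subject, signature, validity period and public key) are visible on every certificate in a Windows certificate store. The following PowerShell is an added example, not code from the original post: it reads each certificate in the local machine's Personal store, summarizes those fields, and warns about certificates that expire within a threshold. It assumes a Windows host; the `$WarnDays` value of 30 and the `Get-CertificateSummary` function name are constructed for this example.

```powershell
# Added example: summarize the certificate fields described above for every certificate
# in the local machine's Personal store and flag those nearing expiry.
# Assumes a Windows host; $WarnDays is a constructed threshold.
$WarnDays = 30
$now = Get-Date

function Get-CertificateSummary {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    [pscustomobject]@{
        Subject       = $Cert.Subject                          # to whom the certificate was issued
        Issuer        = $Cert.Issuer                           # the authority that signed it
        SignatureAlg  = $Cert.SignatureAlgorithm.FriendlyName  # algorithm behind the digital signature
        PublicKeyAlg  = $Cert.PublicKey.Oid.FriendlyName       # type of public key carried in the certificate
        NotBefore     = $Cert.NotBefore                        # start of the validity period
        NotAfter      = $Cert.NotAfter                         # end of the validity period
        DaysRemaining = [int]($Cert.NotAfter - $now).TotalDays
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)       # issuer equals subject: a root or self-issued certificate
        Thumbprint    = $Cert.Thumbprint
    }
}

Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Get-CertificateSummary -Cert $_ } |
    ForEach-Object {
        if ($_.DaysRemaining -le $WarnDays) {
            Write-Warning ("Expiring in {0} days: {1} (issued by {2})" -f $_.DaysRemaining, $_.Subject, $_.Issuer)
        }
        $_
    } |
    Sort-Object NotAfter |
    Format-Table Subject, Issuer, SignatureAlg, PublicKeyAlg, NotAfter, DaysRemaining, SelfSigned -AutoSize
```

Change `Cert:\LocalMachine\My` to `Cert:\CurrentUser\My` to inspect the current user's certificates instead. The `SelfSigned` column is a quick way to spot certificates whose issuer is not an actual CA, which the page's point about the issuer being a trusted source makes worth reviewing.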

AD CS is one of the server roles, introduced in Windows Server 2000, that provides the certificate infrastructure for issuing and managing public key certificates. Applications supported by AD CS include secure wireless networks, virtual private networks (VPN), Internet Protocol Security (IPSec), Network Access Protection (NAP), Encrypting File System (EFS), smart card logon, and more.

In versions earlier than Windows Server 2008 R2, AD CS was a forest-level resource. Enterprises with multiple Active Directory Domain Services (AD DS) forests had to install a certification authority in each forest where users or computers required automatic enrollment of certificates.

AD CS has the following components that can be configured:

  • Certification Authority
  • Certification Authority Web Enrollment
  • Online Responder
  • Network Device Enrollment Service
  • Certificate Enrollment Web Service
  • Certificate Enrollment Policy Web Service

Certification Authority

A certification authority (CA) is used to issue and manage public key certificates. Multiple CAs can be linked to form a public key infrastructure (PKI). A typical PKI consists of the software, hardware, standards, and policies needed to manage digital certificates. A CA can be of two types: enterprise CA and stand-alone CA. An enterprise CA must be a domain member and can issue certificates for digital signatures, authentication to access protected web browsers, and secure e-mail transactions. A stand-alone CA does not require Active Directory Domain Services and can function offline.

Certification Authority Web Enrollment

CA Web Enrollment allows external clients that are not part of the domain network to connect to the CA through a web browser. CA Web Enrollment only supports interactive requests that the requester creates and uploads manually through the web site. Once the CA issues the certificate, it can be downloaded from the browser. For users who are part of the domain, the trust relationship allows the CA to issue the certificate securely. Web enrollment allows external clients to request certificates and to retrieve certificate revocation lists from the CA. Enrollment can also be done across forests, meaning that clients in one forest can obtain certificates from a CA in another forest. To use enrollment across forests, you must establish trust between all the involved forests, and the forest trust and forest functional level must be set to Windows Server 2008 R2.

Online Responder

The Online Responder receives and processes requests about the status of certificates. The validity of the certificate and its digital signature are verified to determine whether the certificate is genuine. In addition, the certificate is checked against the Certificate Revocation List (CRL). For various reasons, the CA can revoke certificates temporarily or strip them of their rights permanently before the end of their validity period; such certificates are listed in the CRL. Apart from the CRL, revocation checking can also be done through an Online Certificate Status Protocol (OCSP) response. OCSP checks the status of the website in question by sending the URL to the Certificate Authority. The Certificate Authority returns a signed response containing the requested certificate's status.
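The CRL and OCSP checks described above are what the Windows certificate chain engine performs when it builds a chain with online revocation checking enabled. The following PowerShell is an added example, not code from the original post: it builds the chain for a certificate file, forces fresh CRL/OCSP retrieval for the entire chain, and reports whether the certificate is trusted, revoked, or of undetermined revocation status. It assumes a Windows host; the function name `Test-CertificateRevocation` and the file path `C:\temp\server.cer` are placeholders constructed for this example.

```powershell
# Added example: perform CRL/OCSP revocation checking on one certificate and report
# the chain engine's findings. Assumes a Windows host; the path below is a placeholder.
function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory)][string]$Path   # .cer/.crt file to check
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Fetch fresh CRL/OCSP data for every certificate in the chain instead of trusting the local cache
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $trusted = $chain.Build($cert)

    # Each ChainStatus entry names one problem: Revoked, RevocationStatusUnknown,
    # OfflineRevocation, NotTimeValid, UntrustedRoot, and so on. Empty means no problems.
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Subject                = $cert.Subject
        Issuer                 = $cert.Issuer
        Trusted                = $trusted
        Revoked                = ($problems -contains 'Revoked')
        RevocationUndetermined = ($problems -contains 'RevocationStatusUnknown' -or
                                  $problems -contains 'OfflineRevocation')
        ChainLength            = $chain.ChainElements.Count
        Problems               = ($problems -join ', ')
    }
    $chain.Reset()
}

# Usage with a placeholder path
Test-CertificateRevocation -Path 'C:\temp\server.cer' | Format-List
```

Note the difference between `Revoked` and `RevocationUndetermined`: the latter means the CRL or OCSP responder could not be reached, not that the certificate is good. Applications that fail open on an unknown status accept certificates the CA may already have revoked, so monitor responder and CRL distribution point availability. From the command line, `certutil -verify -urlfetch server.cer` performs the same chain build and prints each CRL and OCSP URL it retrieved.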

Network Device Enrollment Service

The Network Device Enrollment Service (NDES) is a function of AD CS that can issue certificates to traffic-managing network devices such as routers, firewalls, and switches. These devices are not Active Directory domain members and therefore do not possess Active Directory credentials of their own. NDES issues one-time enrollment passwords for the network devices. The enrollment requests are sent to the CA for processing, and the certificates obtained from the CA are forwarded to the device. Thus administrators use the NDES service for the authentication of such devices.

Certificate Enrollment Web Service

The Certificate Enrollment Web Service allows users and computers to enroll for and renew certificates using the HTTPS protocol. A non-enterprise user or a member outside the security boundary of the domain can use this service. The Certificate Enrollment Web Service focuses on automated client requests and processes certificate requests with the help of a native client.

Certificate Enrollment Policy Web Service

The Certificate Enrollment Policy Web Service allows computers and users to retrieve information about their certificate enrollment policy. The certificate enrollment policy gives the location of the CAs and the types of certificates that can be requested from them. Together with the Certificate Enrollment Web Service, this service allows policy-based web enrollment for a non-domain client or a member outside the domain. The enrollment policy can be enabled through Group Policy settings or applied individually to client computers.
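A client only enrolls against the enrollment policy servers it has been configured with, whether through Group Policy or locally. The following PowerShell is an added example, not code from the original post or from Microsoft: it lists the enrollment policy servers known to the machine together with the auto-enrollment policy in force, so an administrator can confirm which policy endpoints clients will trust. It assumes the PKI module that ships with Windows 8 / Windows Server 2012 and later; the function name `Get-EnrollmentPolicyReport` is constructed, and the `Url` and `AuthenticationType` property names on the returned policy-server objects are assumed.

```powershell
# Added example: report the enrollment policy servers and auto-enrollment policy a
# machine or user context has learned. Assumes the Windows PKI module; the Url and
# AuthenticationType property names are assumed.
Import-Module PKI

function Get-EnrollmentPolicyReport {
    param(
        [ValidateSet('Machine', 'User')]
        [string]$Context = 'Machine'
    )

    # Policy servers from every source: applied through Group Policy and configured locally
    $servers = Get-CertificateEnrollmentPolicyServer -Scope All -Context $Context

    foreach ($s in $servers) {
        [pscustomobject]@{
            Context        = $Context
            Url            = $s.Url
            Authentication = $s.AuthenticationType          # e.g. Kerberos, UserName or Certificate (assumed property)
            PlainHttp      = ("$($s.Url)" -like 'http:*')   # policy traffic should only travel over HTTPS
        }
    }

    # The auto-enrollment settings that result after Group Policy is applied
    Get-CertificateAutoEnrollmentPolicy -Scope Applied -Context $Context
}

Get-EnrollmentPolicyReport -Context Machine | Format-List
```

Run it with `-Context User` to see the user-side configuration. A policy server reachable only over plain HTTP, or one whose URL points outside the organization, is worth investigating, since clients will follow it to decide which CAs to enroll with.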

Thus the AD CS service provides an efficient way of managing the certificate infrastructure for any entity in a Windows domain network.
