Active Directory Certificate Services

Before we delve into Active Directory Certificate Services, let us first understand certificates. A digital certificate and a traditional paper certificate have quite a few similarities.

  • Both contain the issuing authority’s name. While a traditional certificate carries the particulars of a university, organization, or government agency, a digital certificate carries the digital signature of the authority that verified its contents. 
  • Both contain the name of the party to whom it is granted. While a traditional certificate contains the name of the person or organization to whom it is issued, a digital certificate contains the name of the user, computer, or device to which it is issued.

However, a digital certificate also contains two other pieces of information. One is the validity period of the certificate, beyond which it cannot be used. The other field is the public key, which is used for encrypting data. Digital certificates, which are therefore also called public-key certificates, are used to prove ownership of the public key. Digital certificates in Active Directory (AD) are managed by a server role called Active Directory Certificate Services. In this article, we will look at what Active Directory Certificate Services is and learn about its various components.
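The four fields described above can be read straight from any certificate in a Windows store. The following PowerShell is an added example, not code from the article: it creates a throw-away self-signed certificate as constructed sample input, then summarises issuer, subject, validity window and public key for every certificate in the store and flags the ones that are expired or close to expiry. It assumes Windows 10 or Windows Server 2016 or later (for `New-SelfSignedCertificate -NotAfter`); the subject name and the 30-day warning window are assumptions.

```powershell
# Added example (not from the article). Reads the certificate fields discussed in the text
# (issuer, subject, validity period, public key) from a store and flags expiry problems.

function Get-CertificateSummary {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 30     # flag anything that expires inside this window (assumption)
    )
    $now      = Get-Date
    $daysLeft = [math]::Floor(($Certificate.NotAfter - $now).TotalDays)

    # RSA public key size; $null for non-RSA keys (ECDSA etc.)
    $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $keyBits = $null
    if ($rsa) { $keyBits = $rsa.KeySize }

    if ($now -lt $Certificate.NotBefore) {
        $status = 'NotYetValid'
    } elseif ($now -gt $Certificate.NotAfter) {
        $status = 'Expired'
    } elseif ($daysLeft -le $WarnDays) {
        $status = "ExpiresIn${daysLeft}d"
    } else {
        $status = 'Valid'
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject      # to whom the certificate was issued
        Issuer     = $Certificate.Issuer       # who signed it (equals Subject for a self-signed cert)
        NotBefore  = $Certificate.NotBefore    # start of the validity period
        NotAfter   = $Certificate.NotAfter     # end of the validity period
        PublicKey  = $Certificate.PublicKey.Oid.FriendlyName
        KeyBits    = $keyBits
        Thumbprint = $Certificate.Thumbprint
        Status     = $status
    }
}

# Constructed sample: a self-signed certificate with a 20-day lifetime so the warning fires.
$sample = New-SelfSignedCertificate -Subject 'CN=adcs-sample.example.local' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(20)

# Inventory the store; on a server you would point this at Cert:\LocalMachine\My instead.
Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    ForEach-Object { Get-CertificateSummary -Certificate $_ -WarnDays 30 } |
    Sort-Object NotAfter |
    Format-Table Subject, Issuer, NotAfter, PublicKey, KeyBits, Status -AutoSize

# Remove the constructed sample so it does not linger in the personal store.
Remove-Item -Path "Cert:\CurrentUser\My\$($sample.Thumbprint)"
```

Running this on a CA-issued certificate shows the CA's distinguished name in the Issuer column, which is the "digital signature of the authority" the text refers to; the Status column is the practical use of the validity field, since an expired certificate is rejected no matter who issued it.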

What is Active Directory Certificate Services?

Active Directory Certificate Services (AD CS) is a server role introduced in Windows Server 2008 that provides the certificate infrastructure for issuing and managing public key certificates. Applications supported by AD CS include secure wireless networks, virtual private networks (VPN), Internet Protocol Security (IPsec), Network Access Protection (NAP), Encrypting File System (EFS), smart card logon, and others.

In versions earlier than Windows Server 2008 R2, AD CS was a forest-level resource. Enterprises with multiple Active Directory Domain Services (AD DS) forests had to install a certification authority in each forest where users or computers required automatic certificate enrollment.

AD CS has the following components for configuration:

  • Certification Authority
  • Certification Authority Web Enrollment
  • Online Responder
  • Network Device Enrollment Service
  • Certificate Enrollment Web Service
  • Certificate Enrollment Policy Web Service

What is a Certification Authority?

The certification authority (CA) in AD CS issues and manages public-key certificates. Multiple CAs can be linked to form a public key infrastructure (PKI). A typical PKI consists of the software, hardware, standards, and policies used to manage digital certificates. A CA can be one of two types:

  • Enterprise CA
  • Stand-alone CA

An enterprise CA must be a domain member and can issue certificates for digital signatures, authentication to protected web servers, and secure e-mail transactions. A stand-alone CA does not require Active Directory Domain Services and can function offline.
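The choice between the two CA types is made when the role is configured. The following PowerShell is an added example, not code from the article: it installs the Certification Authority and CA Web Enrollment components on a Windows Server domain member, configures an enterprise root CA, and then verifies the result. The CA common name, key size and validity period are assumptions; run it elevated.

```powershell
# Added example (not from the article): install and configure the AD CS CA component.

# 1. Install the role binaries for the CA and the CA Web Enrollment component.
#    Nothing is configured yet; a CA only exists after step 2.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure the CA. The CAType switch is the enterprise / stand-alone choice from the text:
#      EnterpriseRootCA       - domain member, publishes to AD DS, supports templates and autoenrollment
#      StandaloneRootCA       - no AD DS needed; the usual choice for an offline root
#      EnterpriseSubordinateCA / StandaloneSubordinateCA - issuing CAs under an existing root
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = 'EXAMPLE-ROOT-CA'                            # assumption
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096                                         # assumption
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10                                           # assumption
    Force               = $true                                        # no interactive prompt
}
Install-AdcsCertificationAuthority @caParams

# 3. Configure Web Enrollment against the CA just created on this host.
Install-AdcsWebEnrollment -Force

# 4. Verify: the CA service answers and reports the type that was configured.
certutil -cainfo type
```

For a stand-alone CA the same script applies with `CAType = 'StandaloneRootCA'`; the server need not be domain-joined, and because such a CA does not publish to AD DS, the `certutil -cainfo type` output is the quickest way to confirm which type a given host is actually running.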

What is Certification Authority Web Enrollment?

CA Web Enrollment in AD CS allows external clients that are not part of the domain network to connect to the CA through a web browser. CA Web Enrollment supports only interactive requests that the requester creates and uploads manually through the website. Once the CA issues the certificate, it can be downloaded from the browser. For users who are part of the domain, the trust relationship allows the CA to issue certificates securely. Web Enrollment also allows external clients to request certificates and to retrieve the certificate revocation list from the CA. Enrollment can also be done across forests, meaning that clients in one forest can obtain certificates from a CA in another forest. To use enrollment across forests, you must establish a trust between all the forests involved, and the forest trust and forest functional level must be set to Windows Server 2008 R2.

What is an Online Responder?

The Online Responder in AD CS receives and processes requests about the status of certificates. The certificate's validity period and digital signature are verified to determine whether it is genuine. In addition, the certificate is checked against the Certificate Revocation List (CRL). For various reasons, the CA can revoke certificates temporarily or strip them of their rights permanently before their validity period ends; these certificates are listed in the CRL. Apart from the CRL, revocation can also be checked through an Online Certificate Status Protocol (OCSP) response. OCSP checks the status of the website in question by sending the URL to the Certificate Authority, which returns a signed response containing the requested certificate’s status.
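A certificate tells the client where its revocation information lives: the CRL Distribution Points extension names the CRL location and the Authority Information Access extension names the OCSP responder. The following PowerShell is an added example, not code from the article: it prints both extensions for a certificate and then asks the Windows chain engine to validate the certificate with revocation checking switched on, reporting whether the certificate is revoked or whether the status could not be determined at all. The certificate file path is an assumption; any certificate exported from your CA will do.

```powershell
# Added example (not from the article): show revocation endpoints and check revocation status.

function Get-RevocationEndpoints {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 = CRL Distribution Points; OID 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP URL)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
            [pscustomobject]@{
                Extension = $ext.Oid.FriendlyName
                Value     = $ext.Format($true)    # multi-line human-readable decoding of the extension
            }
        }
    }
}

function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode = 'Online'
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode       = $Mode           # Online = fetch CRL/OCSP; Offline = cached copies only
    $chain.ChainPolicy.RevocationFlag       = 'EntireChain'   # check every certificate in the chain, not just the leaf
    $chain.ChainPolicy.UrlRetrievalTimeout  = [timespan]::FromSeconds(15)
    $built = $chain.Build($Certificate)

    # Each ChainStatus entry explains one reason the chain is not trusted.
    $problems = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        ChainBuilt    = $built
        Revoked       = [bool]($chain.ChainStatus | Where-Object { $_.Status.HasFlag($flags::Revoked) })
        # Unknown status means the CRL or OCSP responder could not be reached; treat it as a failure, not a pass.
        StatusUnknown = [bool]($chain.ChainStatus | Where-Object {
            $_.Status.HasFlag($flags::RevocationStatusUnknown) -or $_.Status.HasFlag($flags::OfflineRevocation) })
        Problems      = $problems -join '; '
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\temp\server.cer'   # assumption
Get-RevocationEndpoints  -Certificate $cert | Format-List
Test-CertificateRevocation -Certificate $cert | Format-List
```

The same check from the command line is `certutil -verify -urlfetch C:\temp\server.cer`, which additionally shows each CRL and OCSP fetch as it happens; it is the usual way to confirm that an Online Responder is actually reachable from a client.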

What is a Network Device Enrollment Service?

The Network Device Enrollment Service (NDES) is a function of AD CS that can issue certificates to network devices that manage traffic, such as routers, firewalls, and switches. These devices are not Active Directory domain members and thus do not possess their own Active Directory credentials. NDES enables one-time enrollment passwords for the network devices. Requests carrying these passwords are sent to the CA for processing, and the certificates obtained from the CA are forwarded to the device. NDES is thus used by administrators for the authentication of such devices.
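Because the one-time password is the only thing standing between an NDES server and an unauthenticated certificate request, it is worth confirming on each NDES host that the password really is enforced and really is one-time. The following PowerShell is an added example, not code from the article: it reads the NDES password settings from the registry location Microsoft documents for the service (`HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP`, each setting in a subkey whose DWORD carries the same name) and reports settings that weaken the behaviour the text describes. The thresholds in the findings are assumptions; run it on the NDES host with administrative rights.

```powershell
# Added example (not from the article): audit NDES challenge-password settings on an NDES server.

function Get-NdesPasswordPolicy {
    $base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    if (-not (Test-Path $base)) { throw "NDES does not appear to be installed here ($base is missing)." }

    # Reads <base>\<Name>\<Name>; returns $null when the value is absent, i.e. the default applies.
    function Read-Setting([string]$Name) {
        $key = Join-Path $base $Name
        if (Test-Path $key) { (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name }
    }

    $settings = [pscustomobject]@{
        EnforcePassword   = Read-Setting 'EnforcePassword'    # 1 = a challenge password is required (documented default)
        UseSinglePassword = Read-Setting 'UseSinglePassword'  # 1 = one static password reused for every device
        PasswordValidity  = Read-Setting 'PasswordValidity'   # minutes a generated password stays usable (default 60)
        PasswordMax       = Read-Setting 'PasswordMax'        # number of unconsumed passwords allowed at once (default 5)
        PasswordLength    = Read-Setting 'PasswordLength'     # characters per generated password (default 8)
    }

    $findings = @()
    if ($settings.EnforcePassword -eq 0) {
        $findings += 'EnforcePassword=0: requests are accepted without a challenge password.'
    }
    if ($settings.UseSinglePassword -eq 1) {
        $findings += 'UseSinglePassword=1: one static password is reused, so enrollment is no longer one-time.'
    }
    if ($settings.PasswordValidity -gt 60) {      # threshold is an assumption
        $findings += "PasswordValidity=$($settings.PasswordValidity): passwords stay usable for more than an hour."
    }
    if ($settings.PasswordLength -and $settings.PasswordLength -lt 8) {   # threshold is an assumption
        $findings += "PasswordLength=$($settings.PasswordLength): shorter than the default of 8."
    }

    [pscustomobject]@{
        Settings = $settings
        Findings = if ($findings.Count) { $findings } else { @('No weak NDES password settings found.') }
    }
}

$policy = Get-NdesPasswordPolicy
$policy.Settings | Format-List
$policy.Findings
```

Absent values mean the documented defaults are in effect, which is the secure configuration; the findings list is where a deliberate change such as `UseSinglePassword` shows up, and that is the setting most worth alerting on because it silently converts the one-time enrollment password into a shared secret.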

What is a Certificate Enrollment Web Service?

The Certificate Enrollment Web Service in AD CS allows users and computers to enroll for and renew certificates over HTTPS. A non-enterprise user, or a member outside the security boundary of the domain, can use this service. The Certificate Enrollment Web Service focuses on automated client requests and processes certificate requests with the help of a native client.

What is a Certificate Enrollment Policy Web Service?

The Certificate Enrollment Policy Web Service in AD CS allows computers and users to retrieve information about their certificate enrollment policy. The certificate enrollment policy gives the location of the CAs and the types of certificates that can be requested from them. Together with the Certificate Enrollment Web Service, this service allows policy-based web enrollment for a non-domain client or a member outside the domain. The enrollment policy can be enabled through Group Policy settings or applied individually to client computers. Thus, the AD CS role provides an efficient way to manage the certificate infrastructure for any entity in a Windows domain network.
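The two web services work as a pair from the client's point of view: the policy service tells the client which CAs and templates exist, and the enrollment service accepts the request. The following PowerShell is an added example, not code from the article: it registers a policy server on a client the way the text's "applied individually to client computers" option does, then requests a certificate from a template through the HTTPS enrollment path, handling the case where the template requires CA manager approval. The server name, URL path (the Kerberos-authenticated CEP endpoint shape), template name and DNS name are assumptions; use the URL shown in your own policy server configuration.

```powershell
# Added example (not from the article): policy-based enrollment from a client via CEP/CES over HTTPS.

$cepUrl   = 'https://pki.example.local/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'  # assumption
$template = 'WebServer'                                                                 # assumption
$dnsName  = 'app01.example.local'                                                       # assumption

# Step 1: register the policy server for the machine context. This is the per-computer
# equivalent of the Group Policy setting mentioned in the text. Requires an elevated shell.
Add-CertificateEnrollmentPolicyServer -Url $cepUrl -Context Machine -AutoEnrollmentEnabled

# Step 2: confirm the client now sees the policy server (and anything Group Policy applied).
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine |
    Format-Table Url, AuthenticationType, Priority -AutoSize

# Step 3: request a certificate from the template. The request and the issued certificate
# travel over HTTPS to the enrollment web service; no LDAP access to AD DS is needed.
$result = Get-Certificate -Template $template -Url $cepUrl `
    -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Step 4: a template configured for CA manager approval returns Pending rather than Issued.
switch ($result.Status) {
    'Issued'  {
        $c = $result.Certificate
        "Issued: $($c.Subject) by $($c.Issuer), valid until $($c.NotAfter), thumbprint $($c.Thumbprint)"
    }
    'Pending' {
        # The pending request is kept in Cert:\LocalMachine\Request; retry once the CA manager approves it.
        "Pending approval. Retrieve later with: Get-Certificate -Request `$result.Request"
    }
    default   { "Enrollment did not succeed: status $($result.Status)" }
}
```

The `Status` value is what an automation job should branch on: `Issued` means the certificate is already in the store, `Pending` means the request is parked until approval, and anything else (typically `Denied`) should be logged with the template and policy server URL so the failure can be traced on the CA.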
