
PKI AD CS

Active Directory Certificate Services project description: 

The Active Directory Certificate Services project implements a public key infrastructure (PKI) using Microsoft Active Directory Certificate Services (AD CS) together with a Hardware Security Module (HSM), which can be an on-premises physical device or HSM as a Service (HSMaaS) hosted in the Azure Cloud, for secure key storage. Leveraging internal, Active Directory-integrated AD CS certificates provides enhanced security, simplified certificate management, and interoperability with Microsoft technologies, contributing to a more secure and efficient IT infrastructure. 

This project can also be combined with our PKI Project, where we offer certificates signed by DigiCert (DigiCert Class 2 Certificates), which are, by default, trusted by most existing operating systems. 

The most common use cases for using internal certificates are:

  • Windows endpoints (client certificates): secure communication between endpoints and servers.
  • User authentication: certificate-based authentication and/or a second factor of authentication between the user and internal systems.
  • TLS web servers: secure internal TLS/SSL communication with internal systems and web servers.
  • Domain controllers: secure internal connections to Active Directory domain controllers.
  • RADIUS and Wi-Fi devices: certificates for the RADIUS servers and for internal devices connected to the enterprise Wi-Fi. This use case can be combined with device certificates to guarantee that only internal devices (laptops) connect to the enterprise Wi-Fi. It also covers the certificates needed by other wireless devices on the wireless networks (TVs, kiosk devices, iPads used by customers, etc.).
  • IPsec: use of internal certificates on routers, switches, servers, and client devices so that network traffic is encrypted.

Active Directory Certificate Services project implementation approach:

We will follow Microsoft’s best practice recommendation for deploying Active Directory Certificate Services (AD CS), which involves having a standalone offline root CA and one or more subordinate CAs integrated with Active Directory. This approach provides additional security by isolating the root CA’s private key from the domain environment. 

Following this approach, the subordinate CA (which is integrated with Active Directory) will also be connected to the HSM so that its private keys are stored in the HSM. 
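As an added illustration (not part of the project description), the following PowerShell/certutil sequence deploys the two-tier hierarchy described above: an offline standalone root and an AD-integrated issuing CA whose key is generated in the HSM. CA names, file paths, the CRL/AIA host pki.contoso.com and the HSM key storage provider name are assumed placeholders.

```powershell
# ===== Tier 1: standalone offline root CA (workgroup server, never domain-joined) =====
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# Root key: software KSP shown here; an HSM KSP (as used for the issuing CA below) also works.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Contoso-Root-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force
# The root stays offline, so its CDP/AIA must point to an HTTP host the domain can reach
# (pki.contoso.com is an assumed name). Flag 1 = publish locally, 2 = include in issued certs.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/pki/%1_%3%4.crt"
Restart-Service certsvc
certutil -crl   # publish the first root CRL; copy the root .crt/.crl to the HTTP host by removable media

# ===== Tier 2: enterprise subordinate (issuing) CA, domain-joined, key generated in the HSM =====
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# "RSA#<HSM vendor KSP>" is a placeholder for the vendor's Key Storage Provider name;
# the HSM client software must be installed and the server registered with the HSM first.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Contoso-Issuing-CA" `
    -CryptoProviderName "RSA#<HSM vendor KSP>" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "C:\PKI\Contoso-Issuing-CA.req" -Force

# ----- On the offline root (request carried over by removable media) -----
certutil -submit C:\PKI\Contoso-Issuing-CA.req     # a standalone CA leaves it pending; note the RequestId
$reqId = 2                                          # assumed value; use the id printed by -submit
certutil -resubmit $reqId                           # issue the pending request
certutil -retrieve $reqId C:\PKI\Contoso-Issuing-CA.crt

# ----- Back on the issuing CA (root .crt/.crl copied from the root's CertEnroll folder) -----
certutil -dspublish -f C:\PKI\Contoso-Root-CA.crt RootCA   # root cert into the AD trust store
certutil -dspublish -f C:\PKI\Contoso-Root-CA.crl          # root CRL into AD
certutil -installcert C:\PKI\Contoso-Issuing-CA.crt
Start-Service certsvc

# ----- Checks worth running before any certificate templates are rolled out -----
certutil -getreg CA\CSP\Provider                          # must name the HSM KSP, not the software KSP
certutil -verify -urlfetch C:\PKI\Contoso-Issuing-CA.crt  # chain builds and CDP/AIA URLs resolve
```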

Digital sovereignty across the hybrid environment: the organisation's own private keys secure its data no matter where it is stored.

Active Directory Certificate Services project in-scope:

  • Order, implement, and configure the HSM (if a physical device, including racking and stacking)
  • Design Active Directory Certificate Services for internal certificates
  • Detail the agreed in-scope use cases
  • Implement and configure the HSM (physical, or cloud-based hosted in Azure)
  • Configure AD CS
  • Roll-out certificates
  • Provide support during the initial autoenrollment of Windows computer certificates based on the predetermined GPO and certificate template
  • Provide support during the initial autoenrollment of Windows user certificates based on the predetermined GPO and certificate template
  • Provide support during the enrollment of the initial TLS certificates based on the manual request process and associated certificate template

Active Directory Certificate Services project required hardware and software:

Hardware: 

N/A

Software:

N/A

Active Directory Certificate Services project prerequisites:
  • Defined PKI use cases