Active Directory Certificate Services in Modern IT

Todd Beldham

Introduction

Evaluating the merits and limitations of relying on Active Directory Certificate Services (AD CS) for all certificate-related needs in modern IT starts from a simple fact: AD CS was fundamentally designed for on-premises deployment. Since its introduction in Windows 2000, it has served private and public organizations well as a critical solution for certificate delivery. However, the demands of modern IT give practical reasons to explore alternatives that are better suited to the contemporary landscape, which is increasingly decentralised, cloud-based, API-focused, and broadly adopting containerisation and related workloads.

Key Reasons to Consider Replacing AD CS

Modern Deployment and Cloud Integration:

  • AD CS struggles with containerisation, automation, and cloud-native applications due to its stateful nature and tight integration with Active Directory.
  • Hybrid deployments that span both on-premises and cloud environments are inherently complex and require additional tools and configurations.

Security and Multi-Tenancy:

  • Ensuring AD CS maintains its security posture in containerised environments requires careful planning.
  • Its single-tenant architecture makes it unwieldy and costly at scale, leading to CA proliferation and complex management.

Post Quantum Compatibility:

  • Current versions of AD CS lack support for post-quantum cryptography (PQC) (but it is coming!).
  • As quantum computing advances, traditional cryptographic algorithms like RSA and ECC are becoming vulnerable to quantum attacks.
  • AD CS has not yet integrated PQC algorithms, posing a significant risk for future-proofing security.

Operational and Evolutionary Challenges:

  • Managing AD CS is resource-intensive, and it hasn’t significantly evolved since 2012.
  • It lacks support for IoT devices and connected vehicles.
  • Misconfigurations by sysadmins can introduce vulnerabilities.

High Availability and Scalability:

  • AD CS does not support active-active clustering and struggles to scale for millions of certificates.
  • Its lack of multi-cloud and multi-OS support limits adaptability.

Management:

  • The built-in AD CS tools are limited, lacking sufficient capabilities for tracking and reporting certificates.
  • They do not support automation, such as integrating the deployment and installation of certificates to applications and hosts.

API and Automation Limitations:

  • AD CS lacks comprehensive API support and integration with widely supported protocols like ACME, EST and REST, limiting automation opportunities.

Migration and Compatibility Issues:

  • As workloads move to the cloud, the relevance of AD CS diminishes due to its deep integration with Active Directory.
  • Its stateful nature and tight integration with AD for authentication, authorization, and certificate management make it challenging to decouple from AD.
  • Managing stateful services in containers requires additional orchestration and storage solutions.

Dependency on RPC:

  • AD CS’s reliance on RPC/DCOM for certificate requests necessitates multiple ports, complicating firewall management and cloud integration.

Newer Use Cases:

  • AD CS does not support emerging use cases like SSH certificates and Vehicle-to-Everything (V2X).

Evolving Security and Native Support:

  • Security requirements have evolved, necessitating effective monitoring and the avoidance of misconfigurations.
  • Misconfigurations in AD CS can lead to vulnerabilities such as excessive permissions, template misconfigurations, and inadequate access controls.
  • AD CS does not natively support containerisation or modern orchestration tools like Kubernetes, necessitating custom solutions for these environments.
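As an added example (not from the original article) of the monitoring and misconfiguration checks this section calls for, the following PowerShell audit enumerates the published certificate templates and flags the combination the text warns about: broad enrollment rights, a requester-supplied subject, an authentication-capable EKU, and no manager approval or RA signature requirement. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition from a domain-joined host; the flag values, EKU OIDs and extended-right GUIDs are Microsoft's documented constants.

```powershell
# Audit AD CS certificate templates for the misconfiguration pattern described above.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Documented Microsoft constants (msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2
# EKUs usable for authentication; an empty EKU list means "any purpose"
$AuthEkus = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0'
# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollRights = '0e10c968-78fb-11d2-90d4-00c04f79dc55', 'a05b8cc2-17bc-11d1-adde-00c04fd8d5cd'
$BroadGroups  = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone'

$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
         'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t = $_
    $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval   = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $needsSignature  = [int]$t.'msPKI-RA-Signature' -gt 0
    $ekus            = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $authEku         = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $_ -in $AuthEkus }).Count -gt 0)

    # Which broad groups hold enrollment (or full control) on the template?
    $broadEnroll = @($t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.IdentityReference.Value -split '\\')[-1] -in $BroadGroups) -and
        (($_.ObjectType.ToString() -in $EnrollRights) -or
         ($_.ActiveDirectoryRights -match 'GenericAll'))
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    [pscustomobject]@{
        Template        = $t.Name
        BroadEnrollment = $broadEnroll -join ', '
        SuppliesSubject = $suppliesSubject
        AuthEKU         = $authEku
        ManagerApproval = $needsApproval
        RASignatures    = $needsSignature
        # All conditions together: remediate by clearing the subject flag, requiring
        # manager approval, or restricting enrollment to the intended group.
        Risky           = $broadEnroll.Count -gt 0 -and $suppliesSubject -and $authEku -and
                          -not $needsApproval -and -not $needsSignature
    }
} | Where-Object Risky | Format-Table -AutoSize
```

Run it on a schedule and alert on any new row; an empty result is the expected state for a well-governed CA.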

Mitigations and Merits

Let’s review whether mitigations exist for each item on that list.

Hybrid Deployment Support:

  • Microsoft has enhanced AD CS’s hybrid capabilities to address its limitations.
  • A hybrid deployment integrates on-premises AD CS with cloud-based services like Microsoft Entra, leveraging both environments.
  • Certificates for cloud services are issued by a combination of on-premises AD CS and cloud-based services.
  • The “Hybrid Certificate Trust” model ensures certificates issued by AD CS are trusted across both environments, enabling seamless authentication and secure communication.
  • Azure Key Vault provides certificate authority services, creating and managing certificates issued by public CAs or self-signed certificates.

Security Enhancements:

  • Microsoft is continually improving AD CS security features.
  • Windows Server 2025 updates include new Kerberos features to minimize NTLM use, enhancing AD environments’ overall security.

Modernisation:

  • Although AD CS isn’t natively designed for containerisation or microservices, Microsoft provides guidance and tools for modernisation.
  • This includes leveraging Azure for hybrid deployments and using automation tools to streamline AD CS management.

Post-Quantum Readiness:

  • Microsoft is preparing for quantum computing by integrating PQC algorithms into AD CS.
  • Updates to SymCrypt and CNG support PQC algorithms, enabling AD CS to issue and manage quantum-resistant certificates.
  • Microsoft emphasises transitioning to TLS 1.3 as the basis for quantum-safe key exchange and authentication methods.

Active Directory Autoenrollment:

  • On the merit side, although the deep integration with Active Directory can limit support for newer technologies like containerisation, it also enables automated certificate enrolment for Active Directory-enabled objects, such as workstations and servers, by leveraging Active Directory group policy.

Web Enrolment Services:

  • Similarly, although AD CS does not natively support REST APIs, third-party solutions and projects provide REST API interfaces for AD CS, enabling systems outside an Active Directory domain to request certificates via REST API calls. Additionally, the Certification Authority Web Enrollment role service offers web pages that let users perform certificate tasks, such as requesting and renewing certificates.

Exploring Alternatives with 10 Important Considerations

If these mitigations and merits aren’t deemed sufficient due to the fundamental lack of support for modern deployment methods like containerisation and integration with orchestration and automation technologies, here are 10 important considerations to keep in mind:

1. Certificate Lifecycle Manager (CLM):

  • Seek features such as automated discovery, renewal, and deployment of certificates to reduce manual effort and minimize errors.
  • Ensure integration with popular orchestration tools, which will be facilitated by broad API support.
  • The CLM should have the capability to integrate seamlessly with any existing AD CS infrastructure.

2. Comprehensive Visibility:

  • Ensure the solution provides robust discovery tools to locate all certificates across various platforms, including servers, load balancers, firewalls, containers, and multi-cloud environments.

3. SaaS-Based Certificate Management Solution:

  • Assess whether the vendor(s) offer a fully-featured SaaS solution that meets your organisation’s security requirements and use cases, helping to offload operational burden while providing scalability and flexibility.

Note of caution: While Cloud PKIs can simplify processes, they may also hide underlying complexities and depend on custom scripts. Additionally, keep the following in mind:

  • Migration Challenges: Difficulties in moving from one provider to another.
  • Business Continuity: Risks if the provider ceases operations.
  • Provider Decisions: Potential conflicts with your requirements.

4. PQC Support:

  • Confirm that the solution supports post-quantum cryptography.

5. HSM Support:

  • Look for seamless integration with common industry Hardware Security Module (HSM) solutions.

6. Integration with Existing Infrastructure:

  • The solution should integrate with your existing systems, including Active Directory, cloud services, and orchestration tools like Kubernetes.

7. Scalability:

  • Choose a solution that can scale with your organization’s growth, managing an increasing number of certificates and supporting multi-cloud and multi-OS environments.
  • Assess whether the solution supports multi-tenant configurations and the distribution of core Public Key Infrastructure (PKI) components, such as Registration Authorities (RA) and Certificate Authorities (CA), to provide robust security and flexible deployment options in complex and segmented network environments.
  • Can the CA handle issuing certificates at the required rate?

8. Security and Compliance:

  • The solution should provide comprehensive security features, including policy governance, compliance monitoring, and the capability to manage root of trust certificates.

9. User Interface and Experience:

  • A user-friendly interface and intuitive user experience are essential for efficient management and ease of use.

10. Assurance and Governance:

  • Confirm that the solution is audited against stringent standards such as PCI DSS and holds recognized certifications like Common Criteria.

Conclusions

While your AD CS implementation may have effectively met past requirements, it’s essential to assess whether it aligns with current needs. If there’s a significant gap between what is delivered and what is required, consider the following options:

Supplementation:

  • Enhance AD CS by integrating it with CLM technology to incorporate features like automation, visibility, and compliance.

Replacement:

  • Take a more holistic approach and replace AD CS to better meet your current requirements by transitioning to a SaaS platform that supports a cloud-first strategy. Note that SaaS solutions include functionality that enables connectivity to AD CS servers, which can either be placed into continued service or serve as a migration stage before implementing newer SaaS private CAs.
