Enhanced Windows PKI



Extend your Microsoft CA Features


A Microsoft CA (ADCS) can easily be deployed. However, it is missing convenient certificate management options or user self-services or advanced features like private key distribution or auto-revocation. 

Windows PKI – Deploy, use & manage a Microsoft CA

Many organizations are operating an inhouse PKI on the basis of a Microsoft CA. With such a Windows PKI you can issue and manage X.509 certificates for Windows users, services like web servers or domain controllers or devices like PCs, routers or smartphones. The basis for a Windows PKI is provided by a Windows Server and the contained Active Directory Certificate Services (AD CS). With a Windows PKI you can distribute certificates at low cost and transparent to the user using autoenrollment or by manual processes with enrollment agents and a certificate manager.


A Windows PKI scales well and offers a series of services and options. A Microsoft CA can be setup with a few of mouse clicks. However, often will unplanned installations by administrators with limited PKI experiences result in a system state that can hardly be corrected afterwards. Therefore, it is highly recommended to utilize the expertise of experienced PKI consultants from a point of view of IT security as well as from an economical standpoint

Challenges for ADCS

Outdated user interfaces

ADCS provides old-style Windows dialogs or even command-line tools for the management of the issued certificates. This can be handled only by experienced experts. Except for a sparse web-registration, no user self-service is provided.

Missing server automation

The Microsoft CA has no support for the standardized and well adopted ACME protocol for SSL/TLS server certificate automation. Linux based servers as Apache or Tomcat have no support and even IIS certificate enrollment is difficult with native mechanisms.

Poor support for private keys

ADCS allows the archival of private keys. The recovery process is very awkward and there is no option for a secure automated distribution of recovered private keys to a user's devices like his smart phone.

No option for auto-revocation

Large companies with a five or six digit number of certificates have a strong need for the automated revocation of orphaned certificates for security and organizational reasons. Computers are decommissioned, users leave the company or change their names but their old certificates are still valid and can be used.

The SECARDEO solution

Web-based management

You can perform certificate management tasks comfortably with your browser and divide responsibilities to specific roles in AD. A convenient self-service is provided for server administrators and ordinary users.

ACME support for SSL/TLS

Add an ACME proxy service to the Microsoft CA for the enrollment of server certificates by popular ACME clients based on HTTP or DNS challenges. Additional security features and optional support of AD templates provide a reliable service.

Push private user keys to devices

Private keys of your users can manually or automatically be recovered from the CA database and they can be pushed to the user's mobile devices via a secure e-mail based procedure or by your MDM as Intune.

Auto-revocation

Your Active Directory is regularly monitored for object removals or changes in configured object attributes and revocation requests will be submitted to your Microsoft CA for corresponding user or computer certificates.

Implementation

The Secardeo TOPKI platform provides components that are tightly integrated with Active Directory and Certificate Services. The components make use of AD certificate templates, users, groups and permissions. All certificates in the MS CA database can be synchronized automatically into the TOPKI database. This enables the web based management and self-services of certificates that are issued by ADCS. Access to certificate services is done using the DCOM certificate management interfaces. Auto-recovery of private keys from the CA database and distribution to user devices can be performed by using Key Recovery Agent certificates. Auto-revocation is done by monitoring AD objects and submitting revocation requests to ADCS. Auto-enrollment for SSL/TLS certificates to web servers can be achieved by integrating an ACME proxy via DCOM or HTTP web enrollment interface.


We have supported a series of medium and large companies all around the world during all these stages. Our in-depth knowledge of Microsoft PKI concepts and mechanisms helps you to accelerate your PKI project and to assure the quality of PKI operation.



The following TOPKI components will offer you additional PKI features that will enhance your Windows PKI and increase its benefits significantly:

Proxy for the automatic enrollment of server, client or device certificates using the standard ACME protocol. 

Service for certificate lifecycle management, discovery, central autoenrollment, self-services, notifications and REST API. 

Key Recovery and Distribution service for provisioning user keys from a central key archive to mobile or MDM-managed devices.

Service for automatic revocation of orphaned certificates from AD objects by certEP or a Microsoft CA.

Certificate Directory Server for securely publishing internal S/MIME certificates and retrieving external certificates globally.

Certificate Enrollment Proxy for native Windows certificate autoenrollment from non-Microsoft CAs on-premise or in the Cloud.

EAS Proxy for retrieving recipient certificates from a global directory server to mobile devices for end-to-end S/MIME encryption.

We support you for your Windows PKI

  • by introductory Windows PKI workshops
  • by planning and technical & organizational PKI concepts
  • by developing a Certificate Policy and Practice Statements
  • by implementation of your Microsoft CA
  • by operational support and monitoring
  • by analyzing and auditing a running Microsoft PKI
  • by powerful extensions with our TOPKI components

Resources