[00:03] Welcome back with the series: Identifying Identity and Access Management Solutions.
In my very first intro, we know how important the Secure perspective is for our AD environment.
And the core of that is PKI, that will be deployed through Certificate Servers by Microsoft Windows Server, we are going to discover about it.
Especially, some terms of PKI you may early familiar: CRL, etc.
You now should realize that https web pages that you are surfing daily are being ruled by public PKIs.
Moreover, your corp network might have dedicated web application to look up finance detail, online transaction, etc. are being secured by PKI.
[00:16] AD CS -- Active Directory Certificate Services is a Role of Windows Server which provides service for issuing, and managing public-key certificate used in the software security system that employs PKI Public-Key Infrastructure:https:/searchsecurity.techtarget.com/definition/PKI” target=”_new”>>https://searchsecurity.techtarget.com/definition/PKI_
By installing Active Directory Certificate Services (AD CS), you are either creating or extending a Public Key Infrastructure (PKI) via component customizations: CA Web enrollment, Certification authorities (CAs), Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, Network Device Enrollment Service, Online Responder.
[00:56] AD CS provides the certificate infrastructure to enable scenarios such as secure wireless networks, VPNs, IPSec, NAP, EFS, S/MIME, SSL/TLS digital signatures and smart card logon.
Three essential components of the AD CS service include:
Certification authorities (CAs): root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.
CA Web enrollment: Web enrollment allows users to connect to a CA by a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).
Online Responder: the Online Responder service accepts revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
This is the first CA in our PKI; it must be a Standalone CA to minimize attack surfaces, though MITM attacks are popular even in internal corp networks.
Furthermore, take it offline is another advice that you should find in almost AD CS best practices.
With the integration with AD, an Enterprise CA uses object's information: users/computers from AD database to construct certificates, thus objects are no need enters further certificate info, as well as each certificate, is ready to install and use after requested.
So the issuance and management of certificates can be simplified.
Meanwhile, the Standalone CA is not; it demands objects provide info, require/allow administrators to approve the certificate request manually (this can be automated but not recommended due to requests are not authenticated).
[01:35] More info about CA Types and CA Levels here:
[01:42] "Securing PKI: Planning a CA Hierarchy" -- technet.microsoft.com
The private key in the PKI model is a thing which needs to be kept secret, while the certificate will be public.
Private keys used to encrypt/decrypt data, it can be used to encapsulate new crypto information such as the symmetric key for further data transactions.
We will create the first CA, and we do not have any existing private key, which is associated with a certificate to maintain a restored PKI model in domains/forests.
[01:58] To create a new private key, you must first select a cryptographic service provider (SCP), a hash algorithm, and the key length that is appropriate for the intended use of the certificates that you issue. Selecting a higher value for key length will result in stronger security, but increase the time needed to compute singing operations.
Allow administrator interaction when the private key is accessed by the CA is an option that is typically used with hardware security modules (HSMs). This allows the cryptographic provider to prompt the user for additional authentication when the private key of the CA is accessed.
A certificate will be issued to this CA to secure communications with other CAs and with clients requesting certificates. The validity period of a CA certificate can be based on a number of factors, including the intended purpose of the CA and security measures that you have taken to secure the CA.
[02:16] The certificate database records all certificate requests issued certificates, and revoked or expired certificate. The database log can be used to monitor management activity for a CA.
In fact, do not install CA in DC due to:
After you install a Certificate Authority on a Domain Controller, the Domain Controller can no longer be renamed or demoted.
Switching to an Enterprise Root Authority (for v3 templates) from a Standard Root Authority requires a reinstallation of Windows Server.
Reinstallation of Domain Controllers is not to be taken lightly.
Upgrading the Certificate Authority requires upgrading the Active Directory Domain Controller and thus Active Directory Schema.
You cannot deploy an offline root Certificate Authority on a Domain Controller (and keep it offline for a period longer than the default tombstone lifetime).
It is inadvisable to deploy an Internet-facing Certificate Authority of Online Responder on a Domain Controller.
They are serious security risks.
[02:45] "The DOs and DON'Ts of PKI -- Microsoft ADCS" -- kazmierczak.eu
Review your new CA settings at the Confirm Installation Selections: CA Type, CSP, Hash Algorithm, Key Length, Allow CSP Interaction, Certificate Validity Period, Distinguished Name, Database Log Location, etc.
Remember that: "The name and domain settings of this computer cannot be changed after Certificate Authority has been installed."
[02:56] We just built a Standalone Root CA in our AD domain, that is being implemented the PKI.
There are a lot of works to do before that Secure model can operate completely.
Keep in mind that every PKI model must be well-crafted, though it is the most important component in our Security arsenal.
That's why the hierarchical model must be applied, in servers as well as administrator roles.
Check out part 2 about: Install an enterprise subordinate Certification Authority (CA) with the Web Enrollment role service in Additional DC.