Certificate auto-enrollment is a valuable feature of Active Directory Certificate Services that allows devices to automatically enroll for certificates. Auto-enrollment was first introduced in Windows 2000 to alleviate the problem of manual certificate issuance and renewal and it has been greatly enhanced over time. It relies on a combination of Group Policy Settings and Certificate templates, allowing a Windows client to silently obtain or update certificates for both the user as well as the machine when the user logs on to the domain or the machine connects to the domain to refresh the Group Policy.
There are many benefits of auto-enrollment of user certificates such as:
- Allows users to transparently use the certificates in applications such as smartcard logon, S/MIME, EFS (Encrypted File System), SSL/TLS mutual authentication, and others.
- Drastically reduces the cost of PKI provisioning and the total cost of ownership of a PKI implementation for Windows clients connected to a domain.
All Microsoft Windows machines come with a certificate auto-enrollment client built-in, which significantly eases the task of deploying both machine and user certificates on domain-joined windows machines.
While auto-enrollment has many advantages, there are a few disadvantages of using a Microsoft Certification Authority (CA) with auto-enrollment or using other CAs that don’t support auto-enrollment. Standing up a secure Microsoft CA with a CP/CPS to meet the demands of an enterprise can become very complex, time-consuming, and expensive, not just for the initial deployment but also for regular maintenance tasks to keep the CA keys safe and secure while still allowing the issuance, renewal, and revocation of end-entity certificates. In addition to hardware costs to protect the CA keys, you have to maintain internal PKI expertise as well as validation services to accurately report the status of every issued certificate that has not yet expired.
PKI and Certificate Management: 7 Reasons Why It Is Challenging
AppViewX PKI+ is a ready-to-use, scalable and compliant PKI-as-a-Service that simplifies the complexity of operating a private PKI. PKI+ combined with AppViewX CERT+ provides a centralized solution for modern private PKI and end-to-end certificate lifecycle automation. Leveraging the AppViewX CERT+ integration with native Windows Auto-enrollment, customers can seamlessly provision certificates from AppViewX PKI+, replacing certificates issued from a Microsoft CA, without any additional client footprint. After a brief AppViewX PKI+ and CERT+ setup process, customers simply need to re-configure the Certificate Enrollment Policy to begin requesting certificates from the new AppViewX PKI+ CAs instead of the prior in-house CAs.
Here is a high-level overview of migrating from an internal Microsoft CA to AppViewX PKI+:
1. Sign up for an AppViewX PKI+ subscription
2. Set up Custodians in PKI+
- Key Custodians are responsible for performing key management functions such as creating and revoking CA keys and certificates as well as rotating or deleting keys.
- PKI+ supports the M of N concept for all CA key operations
3. Create the desired CA hierarchy with a Root CA and any number of intermediate CAs
- Requires M of N Custodians to approve the request(s) before the CA is enabled in PKI+.
4. Create certificate templates (in AD) for each type of certificate required, such as servers, workstations, users, or devices.
- If there are existing templates being used with the Microsoft CA server, those can be duplicated for configuration in the next step.
5. Configure the Certificate Policy in PKI+ to define the certificate profile for each Certificate template.
- This allows the enforcement of policy for certificate attributes such as validity, signature algorithm, key usage, and extended key usage.
6. Deploy the AppViewX Cloud Connector and Auto-enrollment Proxy in your local environment
- The Cloud Connector is the conduit for all messages, including certificate requests, from your private corporate network to the cloud-hosted PKI-as-a-Service offered by PKI+.
- The Auto-enrollment proxy receives the requests from clients, extracts the requester entity’s values from Active Directory, and forwards the request to AppViewX where it is signed by the CA of choice.
7. Update the Group Policy
- Modify the Certificate Enrollment Policy in the GPO to use the new CA templates to replace the templates corresponding to the internal Microsoft CA.
As soon as the GPO is applied, the auto-enrollment client on the windows machine will enroll for new certificates from the new CA. Depending on the size of the organization and location of the users and devices, most of the newly configured end-entities will automatically get their certificates the next time they log in to the domain (or when the group policy gets updated if they’re already logged on).
The AppViewX Advantage
With AppViewX PKI+, enterprises can set up a robust and secure certificate authority (CA) hierarchy within minutes, along with other crypto policies, without investing in costly PKI hardware, CA software, or scarce security professionals. As a complete solution, AppViewX PKI+ combined with AppViewX CERT+ provides end-to-end certificate lifecycle automation for provisioning public and private certificates for all modern use cases, from a centralized console.
Sometimes even auto-enrolled certificates may fail to renew and can be hard to detect and isolate. AppViewX CERT+ provides visibility into your entire certificate inventory including alerts so you can remediate issues or security weaknesses before they cause business disruptions.
Secure and Efficient CA Operations
AppViewX PKI+ provides out-of-the-box Custodian Management, enforcing M of N control for CA key operations as well as an OCSP responder.
Custodians are responsible for performing high-security tasks in key management such as creating and revoking CA keys and certificates as well as rotating or deleting keys. AppViewX PKI+ supports the M of N concept, meaning that it requires a minimum number of agents (M) out of the total number of agents (N) to work together to perform high-security tasks. This ensures security and compliance for all CA key operations, ultimately preventing a rogue administrator from compromising the security of the CAs.
AppViewX PKI+ also provides an Online Certificate Status Protocol (OCSP), which is the protocol used to obtain the revocation status of a digital certificate. The OCSP responder allows relying parties and applications to obtain the real-time revocation status of a certificate instead of relying on CRLs, which may not be updated for hours or sometimes days.
AppViewX PKI+ is delivered as a cloud-based service and the powerful certificate lifecycle management (CLM) capabilities of AppViewX CERT+ can either be consumed as a service or deployed in the enterprise network. For connecting to the non-public corporate network segments without poking a hole into the corporate firewall, AppViewX provides a Cloud Connector for both products that need to be installed in the private network.
Modernize and Simplify Your Private PKI
Running an internal Microsoft CA is complex, time-consuming, expensive, and rigid. With AppViewX PKI+ and CERT+, you can streamline the process of replacing your Microsoft CA, and move to a scalable and compliant private PKIaaS with complete certificate lifecycle automation.
Talk to an expert today to learn more about AppViewX’s turnkey PKI-as-a-Service and end-to-end Certificate lifecycle management.