# The 5 Best Practices in Configuring AD CS

Many businesses rely on Windows servers as the foundation of their IT infrastructures. If these businesses want to use digital certificates on their network, they must first establish a public key infrastructure (PKI). PKIs issue and manage certificates, which can be used for network security, device authentication, and other purposes.

Active Directory Certificate Services (AD CS) is a long-standing Microsoft on-premises PKI solution. However, AD CS can be difficult to use, and many IT administrators have encountered issues when managing PKI and certificates.

Organizations that run on Microsoft platforms can use a Microsoft Certificate Authority (CA) to leverage Active Directory (AD) and AD CS to distribute certificates to all domain-connected devices via group policies. However, if you manage devices through an MDM, you do not need AD CS to provision certificates to them.

Nonetheless, if your organization uses AD CS, some best practices follow.

1. Don’t Use Default AD CS Certificate Templates

Before deploying AD CS certificate templates, plan so that only the necessary templates are deployed. The built-in templates are intended as building blocks that you duplicate. Because you cannot create templates from scratch, duplicate a built-in template, modify only the copy, and leave the originals alone.

Mark the duplicates with an identifier, such as your organization’s name, so they are easy to identify and group. By default, Enterprise Admins can manage certificate templates. To change this, create a security group and adjust role separation so that only the admins you have approved have access. These Active Directory Certificate Services best practices are critical because incorrectly configured security settings allow an end user to access any certificate, or even to create their own, opening the door to theft.

2. Issuing AD CS Certificates on Managed Devices

Because AD CS only natively integrates with GPO, most MDMs will encounter difficulties when attempting to push certificates to their devices. Fortunately, thanks to a technology known as SCEP, you don’t have to configure each of your devices for a certificate manually.

One of the most widely used protocols for auto-enrolling managed devices for certificates is the Simple Certificate Enrollment Protocol (SCEP). It enables managed devices to communicate with a PKI without human intervention.

You can also use GPO to achieve a similar result with Microsoft’s WSTEP protocol. Many customers appreciate this flexibility, because it lets them easily support all of their devices regardless of MDM.

3. Configuring AD CS with Microsoft Azure

Because Azure has limited access to AD CS, you’ll only be able to use a standalone CA for integration purposes, so you’ll need to install one if you haven’t already. After installing the standalone CA, the root CA must be imported as a trusted authority for your domain.

Install Group Policy Management before importing the root CA if you haven’t already. With all of this in order, you can configure the settings for integrating Azure on AD CS. However, building on AD CS may appear counterintuitive given that Azure is a cloud-based platform and AD CS requires on-premises AD domain hardware.

4. Using Private Keys in AD CS

A Key Recovery Agent is required to store private keys in AD CS. You can create one from a certificate template, and the template can also be used to store the private keys. All private keys are backed by a Hardware Security Module (HSM), which protects and manages your digital keys in the most secure way. HSMs significantly improve the security of a PKI and are essential when protecting your network with certificates.

AD CS provides the option to “Mark Private Key as Exportable,” which should always be disabled. If it is enabled, any user with access to the private key can export it, and if your security groups are not configured, any user on the network can access this. Unless you have a good reason, leave this option turned off.

However, configuring this in AD CS does not guarantee that every device is unable to export its private key. A device-side mechanism exists to prevent private keys from being exported from devices, which guarantees that certificates don’t end up in the wrong hands and that each certificate represents a real identity.
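The template checks from sections 1 and 4 can be audited from the Configuration partition. The following script is an added example and not part of the article: it reads every certificate template object, flags published templates that lack the organization prefix, templates whose private key is marked exportable (the CT_FLAG_EXPORTABLE_KEY bit, 0x10, in msPKI-Private-Key-Flag), and templates that grant Enroll to broad built-in principals rather than an approved security group. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and a placeholder prefix of "Contoso".

```powershell
# Added audit script (not from the article). Assumes RSAT ActiveDirectory module
# and read access to CN=Configuration; "Contoso" is a placeholder org prefix.
Import-Module ActiveDirectory

$OrgPrefix     = 'Contoso'                                      # assumed naming prefix for duplicated templates
$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'    # Certificate-Enrollment extended right
$ExportableKey = 0x10                                            # CT_FLAG_EXPORTABLE_KEY in msPKI-Private-Key-Flag
$BroadGroups   = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')
$ExtRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$cfg    = (Get-ADRootDSE).configurationNamingContext
$tmplDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$caDN   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"

# Names of templates actually published on an enterprise CA (certificateTemplates attribute of each CA object)
$published = Get-ADObject -SearchBase $caDN -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                -Properties certificateTemplates | ForEach-Object { $_.certificateTemplates }

$report = foreach ($t in Get-ADObject -SearchBase $tmplDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                           -Properties 'msPKI-Private-Key-Flag') {
    $isPublished = $published -contains $t.Name
    $findings    = [System.Collections.Generic.List[string]]::new()

    if ($isPublished -and $t.Name -notlike "$OrgPrefix*") {
        $findings.Add('published template is not an org-prefixed duplicate')
    }
    if (($t.'msPKI-Private-Key-Flag' -band $ExportableKey) -ne 0) {
        $findings.Add('private key marked as exportable')
    }

    # Enroll granted directly to a broad principal instead of an approved security group.
    # An all-zero ObjectType with ExtendedRight covers every extended right, including Enroll.
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grantsEnroll = ($ace.ObjectType -eq $EnrollRight) -or
                        ($ace.ObjectType -eq [guid]::Empty -and ($ace.ActiveDirectoryRights -band $ExtRight)) -or
                        (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll)
        $who = $ace.IdentityReference.Value -replace '^.*\\', ''
        if ($grantsEnroll -and $BroadGroups -contains $who) {
            $findings.Add("Enroll granted to $($ace.IdentityReference)")
        }
    }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{ Template = $t.Name; Published = $isPublished; Findings = ($findings -join '; ') }
    }
}
$report | Sort-Object Published -Descending | Format-Table -AutoSize
```

Published templates with findings are the ones to fix first, since only those can be requested from the CA.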

5. AD CS Certificate Lifecycle Management

You can configure an Auto-Enrollment Policy in Group Policy so that your AD domain-managed devices renew their certificates before they expire. The disadvantage is that this policy only applies to AD-managed devices. However, it helps to integrate with all MDMs, which lets you apply the policy to all devices.

When a certificate is about to expire, the software will notify the user via email. At least seven email notifications will be sent out at 60-day intervals, beginning 60 days before certificate expiration and ending one day before. You can easily renew certificates with no downtime.

Certificate auto-enrollment is provided by Microsoft and can be configured using GPO. When a device’s current certificate is about to expire, it can automatically enroll for a new one. However, you must first set up an auto-enrollment policy and certificate templates to make this work.

For this to work, you must set the templates with the appropriate permissions, such as Read and Enroll. When granting template permissions, use security groups. After configuring the templates, add them to your Enterprise CA to begin auto-enrollment.

On the other hand, the auto-enrollment process is limited to GPO and AD CS certificate templates. If you have non-AD devices or MDMs, the software can integrate with any MDM (Jamf, Airwatch, Mobile Iron, and so on) and push out renewal policies.
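The GPO side of the auto-enrollment setup above can be scripted. The following is an added example, not from the article: it creates (or reuses) a GPO, sets the AutoEnrollment policy value for both the computer and user halves, enables the built-in expiration notification, links the GPO, and reads the values back. It assumes the RSAT GroupPolicy module and uses the placeholder GPO name "ADCS-AutoEnrollment" and OU "OU=Managed Devices,DC=contoso,DC=com".

```powershell
# Added example (not from the article). Assumes RSAT GroupPolicy module; the GPO name
# and target OU are placeholders.
Import-Module GroupPolicy

$GpoName  = 'ADCS-AutoEnrollment'                                   # placeholder
$TargetOU = 'OU=Managed Devices,DC=contoso,DC=com'                  # placeholder
$AEKey    = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
# AEPolicy bit flags: 1 = enabled; 2 = renew expired, update pending, remove revoked;
# 4 = update certificates that use templates. 7 turns all three on; 0x8000 means disabled.
$AEPolicy = 7

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Computer and user auto-enrollment are separate policies, so configure both hives.
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $GpoName -Key "$hive\$AEKey" -ValueName 'AEPolicy' `
        -Type DWord -Value $AEPolicy | Out-Null
    # Notify when 10% of a certificate's lifetime remains, for certificates in the personal (MY) store
    Set-GPRegistryValue -Name $GpoName -Key "$hive\$AEKey" -ValueName 'OfflineExpirationPercent' `
        -Type DWord -Value 10 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$hive\$AEKey" -ValueName 'OfflineExpirationStoreNames' `
        -Type MultiString -Value @('MY') | Out-Null
}

# Link the GPO to the OU holding the domain-joined devices, unless it is already linked
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Read the policy back and decode it the way the client will
function Get-AutoEnrollmentState {
    param([string]$GpoName, [string]$Key)
    foreach ($hive in 'HKLM', 'HKCU') {
        $v = Get-GPRegistryValue -Name $GpoName -Key "$hive\$Key" -ValueName 'AEPolicy'
        [pscustomobject]@{
            Hive           = $hive
            AEPolicy       = $v.Value
            Enabled        = (($v.Value -band 0x8000) -eq 0) -and (($v.Value -band 1) -ne 0)
            RenewAndClean  = (($v.Value -band 2) -ne 0)
            UpdateTemplate = (($v.Value -band 4) -ne 0)
        }
    }
}
Get-AutoEnrollmentState -GpoName $GpoName -Key $AEKey | Format-Table -AutoSize
```

On a client, `gpupdate /force` followed by `certutil -pulse` triggers an auto-enrollment pass immediately; the devices still only receive certificates from templates on which their security group holds Read, Enroll and Autoenroll.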

Bottom Line

The bottom line is that, regardless of how you deploy it, Active Directory Certificate Services can be a very robust tool for deploying PKI. The best practices are guidelines for doing the same thing without making mistakes.

by Jessica Smith
