Migrating from Microsoft Certification Authority to AppViewX Public Key Infrastructure-as-a-Service (PKIaaS) with Windows Auto-enrollment

Introduction

Certificate auto-enrollment was introduced in Windows 2000 to alleviate the problem of manual enrollment and renewal, and it has been enhanced greatly since then. It relies on a combination of Group Policy settings and certificate templates, allowing a Windows client to silently obtain or update certificates for both the user and the machine when the user logs on to the domain or the machine connects to the domain to refresh the Group Policy.

There are many benefits of auto-enrollment of user certificates:

  • Allows users to transparently use the certificates in applications such as smartcard logon, S/MIME, EFS (Encrypted File System), SSL/TLS mutual auth, and others.
  • Drastically reduces the cost of PKI deployments and the total cost of ownership of a PKI implementation for Windows clients connected to a domain.

All Microsoft Windows machines come with a built-in certificate auto-enrollment client, which significantly eases the task of deploying both machine and user certificates on domain-joined Windows machines.

The Problem

While auto-enrollment has many advantages, there are a few disadvantages of using a Microsoft Certification Authority with auto-enrollment or using other CAs that don’t support auto-enrollment. Standing up a secure Microsoft CA with a CP/CPS to meet the demands of an enterprise can become very complex, time-consuming and expensive, not just for the initial deployment but also for regular maintenance tasks to keep the CA keys safe and secure while still allowing the issuance, renewal and revocation of end-entity certificates. In addition to hardware costs to protect the CA keys, you have to maintain internal PKI expertise as well as validation services to accurately report the status of every issued certificate that has not yet expired.

The Solution

AppViewX PKIaaS addresses these shortcomings by utilizing Google Cloud’s Certificate Authority Service (CAS) to provide easy PKI deployment and maintenance without any additional hardware costs, end-to-end control of the certificates and keys, rapid upward scaling and the use of modern technology.

PKIaaS natively supports the built-in Windows auto-enrollment client for both servers and workstations, allowing customers to quickly and seamlessly deploy certificates from the new Google Cloud hosted CA to replace the certificates issued from the old internal CA, without any additional footprint on the target Windows machine. After setting up the PKIaaS subscription and creating the CA hierarchy, all that needs to be done is to re-configure the Certificate Enrollment Policy to request certificates from the new CA instead of the old CA.

High-level overview of migrating from an internal Microsoft CA to Google CAS with AppViewX PKIaaS

  1. Sign up for a PKIaaS subscription with AppViewX
    • If you are not already an AppViewX customer, you can sign up for a free trial after June 15, 2022.
  2. Set up Custodians in PKIaaS
    • Key Custodians are responsible for performing key management functions such as creating and revoking CA keys and certificates as well as rotating or deleting keys.
    • PKIaaS supports the M of N concept for all CA key operations
  3. Create the desired CA hierarchy with a Root CA and any number of intermediate CAs
    • Requires M of N Custodians to approve the request(s) before the CA is enabled in Google CAS.
  4. Create certificate templates (in AD) for each type of certificate required, such as servers, workstations, users or devices.
    • In case there are existing templates being used with the Microsoft CA server, those can be duplicated for configuration in the next step.
  5. Configure the Certificate Policy in PKIaaS to define the certificate profile for each Certificate template.
    • This allows the enforcement of policy for certificate attributes such as validity, signature algorithm, key usage and extended key usage.
  6. Deploy the AppViewX Cloud Connector and Auto-enrollment Proxy in your local environment
    • The Cloud Connector is the conduit for all messages, including certificate requests, from your private corporate network to the cloud hosted PKIaaS.
    • The Auto-enrollment proxy receives the requests from clients, extracts the requester entity’s values from Active Directory, and forwards the request to AppViewX where it is signed by the CA of choice.
  7. Update the Group Policy
    • Modify the Certificate Enrollment Policy in the GPO to use the new CA templates to replace the templates corresponding to the internal Microsoft CA.

As soon as the GPO is applied, the auto-enrollment client on the Windows machine will enroll for new certificates from the new CA. Depending on the size of the organization and location of the users and devices, most of the end-entities configured to get a new certificate will automatically get their certificates the next time they log on to the domain (or when the group policy gets updated if they’re already logged on).
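One way to confirm the cutover on a single machine, as an added example that is not AppViewX tooling or part of the original article: the PowerShell below optionally refreshes Group Policy and pulses the auto-enrollment client, then lists the certificates in the local machine store with issuer and template so that any still issued by the old CA stand out. The two issuer names are placeholders to replace with your own CA subject names, and the 30-second wait is an assumed allowance for enrollment to finish.

```powershell
# Added example: report which machine certificates come from the old vs. new CA.
# Run elevated on a domain-joined machine. Issuer values below are placeholders.
param(
    [string]$OldIssuer = 'CN=EXAMPLE-OLD-ISSUING-CA',   # placeholder: internal Microsoft CA
    [string]$NewIssuer = 'CN=EXAMPLE-NEW-ISSUING-CA',   # placeholder: new PKIaaS issuing CA
    [switch]$Refresh                                    # also re-apply policy and re-enroll
)

if ($Refresh) {
    gpupdate /target:computer /force | Out-Null   # re-apply the Certificate Enrollment Policy
    certutil -pulse | Out-Null                    # trigger the auto-enrollment client
    Start-Sleep -Seconds 30                       # assumed wait; enrollment is asynchronous
}

# Extensions that carry the template: v2 "Certificate Template Information"
# and the older v1 "Certificate Template Name".
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
$cmp = [StringComparison]::OrdinalIgnoreCase

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ext = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1

    $status = 'Other'
    if ($cert.Issuer.StartsWith($NewIssuer, $cmp)) { $status = 'New CA' }
    elseif ($cert.Issuer.StartsWith($OldIssuer, $cmp)) { $status = 'Old CA' }

    [pscustomobject]@{
        Status   = $status
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Template = if ($ext) { $ext.Format($false) } else { '(none)' }
        NotAfter = $cert.NotAfter
    }
}

$report | Sort-Object Status, NotAfter | Format-Table -AutoSize -Wrap

# Unexpired certificates from the old CA mean the machine has not fully migrated.
$stale = @($report | Where-Object { $_.Status -eq 'Old CA' -and $_.NotAfter -gt (Get-Date) })
if ($stale.Count -gt 0) {
    Write-Warning ("{0} unexpired certificate(s) are still issued by the old CA." -f $stale.Count)
}
```

For user certificates, run the same query against `Cert:\CurrentUser\My` in the user's own session.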

What is AppViewX PKIaaS?

AppViewX PKIaaS is a turn-key solution for all enterprise PKI needs: key management, certificate issuance and certificate lifecycle management (CLM). It is delivered via AppViewX CERT+, which combines PKI and CLM functionality. The solution can be consumed as a service (SaaS) or deployed in the enterprise network in public clouds, private clouds or private data centers. All certificate authority (CA) creation, CA management, certificate issuance and certificate management functions are available in a single cloud console. It not only simplifies the CA infrastructure but also provides complete CLM functionality and end-to-end automation.

With PKIaaS, enterprises can easily set up a robust and secure certificate authority (CA) hierarchy as well as other crypto policies without investing in costly PKI hardware or scarce security professionals; enterprises do not even need to purchase CA software.

Sometimes even auto-enrolled certificates fail to renew, and such failures can be hard to detect and isolate. The AppViewX CERT+ platform provides visibility into, and alerts on, all such occurrences so that they, rare as they may be, don’t disrupt the business.
