Public Key Infrastructure with Active Directory Certificate Services


Active Directory Certificate Services

Active Directory Certificate Services (AD CS) has carried that name since Windows Server 2008; before that the role was simply called Certificate Services. It is used to build your own public key infrastructure (PKI). That PKI can then be used for certificate-based logon to systems, for a Network Policy Server with 802.1X, or to secure internal web servers with TLS (formerly SSL) certificates for HTTPS. There are many more applications; these examples are only meant to illustrate the scenarios for which you might run a CA in your own infrastructure.

This is not meant to be an installation guide for AD CS. It shows the basic concept of a CA hierarchy and the advantages, but also the disadvantages, of running such a service.

Root Certificate Authority

The root CA is the highest authority in the chain of trust. Every certificate in the hierarchy chains back to it, so a web server, for example, can prove its identity and authenticity to third parties with its certificate as long as those parties trust the root CA. This is exactly the behavior we see in everyday browsing when the lock icon is displayed next to the URL.

Browsers and operating systems ship with a trust store of well over 100 CAs that are trusted by default. Not everyone therefore has to run their own CA and distribute it to every client; you can also use certificates from a public CA to operate a website with HTTPS. Because of its criticality, a root CA should be very well secured and, ideally, kept offline to prevent compromise.


The Subordinate CA

A sub CA is a subordinate certification authority that does most of the day-to-day work of issuing certificates. Several sub CAs can share this load, so they can act as a kind of load balancer. They can also be dedicated to different tasks, for example to separate TLS from S/MIME, or to serve different locations. Sub CAs can have further sub CAs under them; each parent authority signs the certificate of its subordinate, which creates the chain of trust. The advantage is that after a compromise not all certificates have to be declared invalid, only those issued by the compromised sub CA, whose own certificate is then revoked by its parent. In such a hierarchy the root CA is only used to sign new sub CA certificates and to publish its certificate revocation list (CRL).


Here is a picture of the certificate chain of a website.
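As an added example that is not part of the original article, the following PowerShell does on a domain-joined machine what the picture shows for a website: it builds the chain of an issued certificate, labels each link as leaf, sub CA or root CA, and runs revocation checking over the entire chain, which is what makes "revoke the compromised sub CA" effective for every certificate it issued. The subject filter `web01` and the store locations are assumptions; adjust them to one of your own hosts.

```powershell
# Added example, not code from the original article. It walks the chain of a
# certificate issued by the internal PKI and reports each link, so you can see
# leaf -> sub CA -> root CA and whether revocation checks succeed.
# Assumption: a certificate whose subject contains 'web01' lives in the local
# machine store; change the filter to match one of your own hosts.
$leaf = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*web01*' } |
    Select-Object -First 1
if (-not $leaf) { throw 'No matching certificate found in Cert:\LocalMachine\My' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Check revocation for the whole chain (CRL or OCSP), not only the leaf: a revoked
# sub CA certificate must also make every certificate it issued untrusted.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

$trusted = $chain.Build($leaf)
$last = $chain.ChainElements.Count - 1

for ($i = 0; $i -le $last; $i++) {
    $element = $chain.ChainElements[$i]
    $cert = $element.Certificate
    if ($i -eq 0)         { $role = 'Leaf' }
    elseif ($i -eq $last) { $role = 'Root CA' }
    else                  { $role = 'Sub CA' }

    # Per-element status, e.g. Revoked, RevocationStatusUnknown, UntrustedRoot
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }

    [pscustomobject]@{
        Position   = $i
        Role       = $role
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Status     = $status
    }
}

# The root must be present in the machine's trusted root store; otherwise the
# chain still builds but is flagged UntrustedRoot.
$root = $chain.ChainElements[$last].Certificate
$inRootStore = Test-Path -Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
"Chain trusted: $trusted; root present in LocalMachine\Root: $inRootStore"
```

If the CRL distribution point is unreachable from the client, the sub CA and leaf elements show `RevocationStatusUnknown` and `Build()` returns false; that is the expected failure mode when the CRL is published only in a place the client cannot reach.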

Domains integration

AD CS integrates very well into an existing domain, but it must be secured accordingly (or kept offline) and treated as a Tier 0 asset. In a hierarchy with two or more tiers, the entire public key infrastructure is a Tier 0 asset from an administrative point of view; there are few exceptions, such as the CRL distribution point, which can be placed in Tier 1 because it only publishes already signed revocation data. Certificates for 802.1X, for example, which grant access to the network, can be distributed and renewed automatically via group policy (autoenrollment). Domain-joined end devices can then be placed in the correct VLAN fully automatically with the help of the Network Policy Server (NPS), which can considerably simplify and improve network segmentation.


Because server administration is supposed to be simplified by wizards, especially nowadays, AD CS can be installed very quickly. The problem is that it is just as easy to introduce new loopholes and attack vectors into the network if you are not careful and neglect to harden the CA and the PKI. A very telling example is the combination of the PetitPotam authentication coercion with an NTLM relay attack against the CA's HTTP enrollment endpoints, which results in the complete compromise of the entire domain.
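The relay described above works when the CA's web enrollment endpoints accept NTLM over a channel that is not bound to TLS. The following PowerShell is an added example (not code from the original article) that audits the IIS applications hosting those endpoints and, with `-Fix`, applies the Microsoft-recommended hardening: Extended Protection for Authentication set to `Require` and SSL required. The site name `Default Web Site` and the application path pattern (`/CertSrv` for Web Enrollment, `_CES_` for the Certificate Enrollment Web Service) are assumptions about a default installation; run it in an elevated session on the enrollment host.

```powershell
# Added example, not code from the original article. It audits the IIS
# applications that host the CA's HTTP enrollment endpoints (the targets of the
# PetitPotam + NTLM relay attack) and, with -Fix, applies the Microsoft-recommended
# hardening: Extended Protection for Authentication = Require and SSL required.
# Assumptions: endpoints live under the site 'Default Web Site' and their
# application paths match /CertSrv or contain _CES_ (Certificate Enrollment Web
# Service); adjust $SiteName and the pattern for your environment.
param(
    [string]$SiteName = 'Default Web Site',
    [switch]$Fix
)
Import-Module WebAdministration

$epaFilter  = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$sslFilter  = 'system.webServer/security/access'
$provFilter = 'system.webServer/security/authentication/windowsAuthentication/providers/add'

function Get-ConfigValue {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    # The cmdlet returns either a plain value or a ConfigurationAttribute with .Value
    $raw = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { return [string]$raw.Value }
    return [string]$raw
}

$apps = Get-WebApplication -Site $SiteName |
    Where-Object { $_.path -match '^/CertSrv$|_CES_' }
if (-not $apps) { Write-Warning "No enrollment applications found under '$SiteName'"; return }

foreach ($app in $apps) {
    $psPath = "IIS:\Sites\$SiteName$($app.path)"
    $epa = Get-ConfigValue -PSPath $psPath -Filter $epaFilter -Name tokenChecking
    $ssl = Get-ConfigValue -PSPath $psPath -Filter $sslFilter -Name sslFlags
    $providers = (Get-WebConfiguration -PSPath $psPath -Filter $provFilter |
        ForEach-Object { $_.value }) -join ', '

    # Relay is possible when NTLM is accepted and neither EPA nor a required TLS
    # channel binds the authentication to the connection the client opened.
    $exposed = ($epa -ne 'Require') -or ($ssl -notmatch '\bSsl\b')

    [pscustomobject]@{
        Application     = $app.path
        ExtendedProtect = $epa
        SslFlags        = $ssl
        AuthProviders   = $providers
        RelayExposed    = $exposed
    }

    if ($Fix -and $exposed) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter $epaFilter -Name tokenChecking -Value Require
        Set-WebConfigurationProperty -PSPath $psPath -Filter $sslFilter -Name sslFlags -Value 'Ssl'
        Write-Host "Hardened $($app.path): EPA=Require, SSL required"
    }
}
```

EPA only has an effect when clients actually connect over TLS, which is why the two settings are applied together; after the change, enrollment clients must use the HTTPS URL of the endpoint, and plain HTTP requests that the relay depends on are refused.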


With your own certificate authority and public key infrastructure, you can equip local services such as web applications with certificates that are trusted within your own environment. This makes it harder for an attacker to carry out a man-in-the-middle attack, since they would have to break the encryption or substitute certificates that the clients do not trust. Your own certificates also let you upgrade Network Access Control (NAC) via 802.1X and replace usernames and passwords with certificates. However, it is essential to secure the CA as the Tier 0 asset it is, because an attacker who controls it can escalate privileges and establish persistence in the network. Even though an AD CS deployment can increase security, it takes administrative effort to set it up securely and to manage it continuously.

