Outgrowing the Microsoft PKI

Active Directory Certificate Services (ADCS), sometimes also just called the Microsoft CA, has been an easy choice for many organizations as it is well integrated with the Microsoft infrastructure. It supports standard enterprise PKI needs such as securing web servers (TLS), certificate-based authentication (Wi-Fi, Windows logon), digital signatures for documents and encrypting emails (S/MIME). However, PrimeKey’s experience is that many organizations that have been using ADCS for a while get stuck: organizational changes, operational challenges and new business opportunities can no longer be supported effectively. Three of the most common reasons for outgrowing a Microsoft PKI are listed below.
Operational drawbacks – Lack of multi-tenancy support

In the Microsoft environment only one CA can be installed per server, which means that if you require multiple CAs in your domain, you have to maintain multiple servers. Reduced operational visibility, the effort of keeping configuration consistent across servers and the cost per server are obvious drawbacks. PKI and security are important aspects of many solutions today, regardless of whether the solution involves devices, servers or external/internal users. A multi-tenant solution offers you as an organization the possibility to host multiple use cases (CAs), logically separated, in one single installation. This means that you can grow your PKI solution with your business while sustaining long-term cost-effective management and operational flexibility.
Network limitations and high availability constraints

Standard PKI configurations normally deploy the CA and VA (validation authority) functions separately, on different network segments. Microsoft ADCS is designed differently: the CA and VA functions communicate with each other over multiple ports. Using a DMZ for separation is therefore not optimal, since such a configuration requires several ports to be opened in the firewall, which weakens the network segmentation the DMZ was meant to provide. The “active-passive” (failover) high availability solution provided by Microsoft is limited because only one of the servers is active at any given time. Demands for higher performance and/or availability necessitate additional high availability servers and HSM modules. Fully scalable database-level cluster solutions offer higher availability and performance than the Microsoft PKI solution.
Compliance and regulatory requirements

Regulatory requirements or technical guidelines often come from certain industries or countries, or apply when cross-border cooperation/interoperability is required. There are several common PKI scenarios that ADCS supports only in a limited way, or where it is obvious that they are not one of Microsoft’s focus areas. Example areas are IoT, smart metering (TR-03109), code signing, WebTrust and eIDAS. These solution areas very often require support for integration interfaces such as CMP, EST, SCEP, REST, ACME or web services. Common Criteria certification is required by many customers and is also considered an advantage, as it facilitates audits for eIDAS, WebTrust and others.
Step by step PKI migration

Are you using Microsoft ADCS and considering migrating? No problem, PrimeKey has done this before. Depending on your existing use cases and new requirements the PKI migration strategy might look different, but in most cases we recommend the following:

1. Start by migrating the existing CAs.
2. Discontinue the old installation.
3. Add/activate new functions, modules and use cases.

See the step by step guide below on how to typically migrate your existing Microsoft ADCS installation.
Combine the full flexibility of EJBCA Enterprise with Active Directory

EJBCA Enterprise Certificate Autoenrollment add-on