PKI migration – Active Directory Certificate Services, ADCS

Migrate your Microsoft CA to PrimeKey PKI

Outgrowing the Microsoft PKI

Active Directory Certificate Services (ADCS), often just called the Microsoft CA, has been an easy choice for many organizations because it is tightly integrated with the rest of the Microsoft infrastructure. It covers standard enterprise PKI needs such as securing web servers (TLS), certificate-based authentication (Wi-Fi, Windows logon), digital signatures for documents and email encryption (S/MIME). PrimeKey's experience, however, is that many organizations that have run ADCS for a while reach a point where organizational changes, operational challenges and new business opportunities can no longer be supported effectively. Three of the most common reasons for outgrowing a Microsoft PKI are listed below.

Operational drawbacks – Lack of multi-tenancy support

In the Microsoft environment only one CA can be installed per server, so if you require multiple CAs in your domain you have to maintain multiple servers. Reduced operational visibility, inconsistent management across servers and the cost per server are obvious drawbacks.

PKI and security are important aspects of most solutions today, whether they involve devices, servers or internal/external users. A multi-tenant solution lets an organization host multiple use cases (CAs), logically separated, in one installation, so the PKI can grow with the business while keeping management cost-effective and operationally flexible in the long term.

Network limitations and high availability constraints

Standard PKI designs deploy the CA and the VA (validation authority, i.e. the OCSP/CRL services) on separate network segments. Microsoft ADCS is designed differently: the CA and the Online Responder communicate with each other over multiple ports. Separating them with a DMZ is therefore not ideal, because the firewall has to allow several ports between the segments, which weakens the segmentation the DMZ is meant to provide.

The "active-passive" (failover cluster) high availability option provided by Microsoft is limited because only one node is active at any given time. Higher performance or availability requirements therefore mean additional servers and HSMs. A fully scalable database-level cluster offers higher availability and performance than the Microsoft PKI solution.

Compliance and regulatory requirements

Regulatory requirements and technical guidelines often come from specific industries or countries, or arise when cross-border cooperation and interoperability are required. There are several common PKI scenarios that ADCS supports only in a limited way, or that are clearly not among Microsoft's focus areas. Examples are IoT, smart metering (BSI TR-03109), code signing, WebTrust and eIDAS. These areas very often require support for integration interfaces such as CMP, EST, SCEP, REST, ACME or web services. Common Criteria certification is required by many customers and is also an advantage in that it facilitates audits, including eIDAS and WebTrust audits.

Step by step PKI migration

Are you using Microsoft ADCS and considering migrating? No problem, PrimeKey has done this before. The migration strategy depends on your existing use cases and new requirements, but in most cases we recommend the following:

  1. Start by migrating the existing CAs.
  2. Discontinue the old installation.
  3. Add/activate new functions, modules and use cases.

The figure below outlines how an existing Microsoft ADCS installation is typically migrated.

[Figure: Step by step ADCS migration]
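The first step, migrating the existing CAs, begins with a complete inventory and backup of the ADCS CA: the CA key and certificate, the CA database, the CRL and AIA publication settings, and the records of every issued and revoked certificate that the new PKI must keep answering for. The PowerShell below is an added example of that preparation; it is not PrimeKey's migration tooling and not part of the original page. It assumes it is run elevated on the CA host with the ADCSAdministration module available, and that C:\CAMigration is a hypothetical, access-controlled export directory.

```powershell
# Added example (not PrimeKey's or Microsoft's migration tooling): inventory and
# back up an ADCS CA in preparation for migrating it to a new PKI.
# Assumptions: run elevated on the CA host; the ADCSAdministration module is
# installed with the CA role; C:\CAMigration is a hypothetical, access-controlled
# export directory that only PKI administrators can read.
#Requires -RunAsAdministrator
Import-Module ADCSAdministration

$Export = 'C:\CAMigration'
New-Item -ItemType Directory -Path $Export -Force | Out-Null

# 1. Record what the CA is: name, key and certificate details, CRL/AIA settings.
certutil -cainfo                          | Out-File "$Export\cainfo.txt"
certutil -getreg CA\CRLPeriod             | Out-File "$Export\crlperiod.txt"
certutil -getreg CA\CRLPublicationURLs    | Out-File "$Export\crl-urls.txt"
certutil -getreg CA\CACertPublicationURLs | Out-File "$Export\aia-urls.txt"
# The CA certificate itself (DER); this is what the new CA installation imports.
certutil -ca.cert "$Export\ca-cert.cer"   | Out-Null

# 2. Back up the CA private key + certificate as a PFX, and the CA database.
#    The PFX password is prompted for and must be handed over out-of-band,
#    never stored next to the export.
$Pw = Read-Host -Prompt 'PFX password for CA key backup' -AsSecureString
Backup-CARoleService -Path "$Export\Key" -KeyOnly -Password $Pw -Force
Backup-CARoleService -Path "$Export\Db"  -DatabaseOnly -Force

# 3. Export the certificate records the new PKI has to keep answering for.
#    Request disposition 20 = issued, 21 = revoked. Serial number, expiry and
#    revocation data are what CRL/OCSP continuity needs after cut-over.
certutil -view -restrict 'Disposition=20' `
    -out 'SerialNumber,NotAfter,CertificateTemplate,RequesterName' csv |
    Out-File "$Export\issued.csv"
certutil -view -restrict 'Disposition=21' `
    -out 'SerialNumber,NotAfter,Request.RevokedWhen,Request.RevokedReason' csv |
    Out-File "$Export\revoked.csv"

# 4. Sanity checks before anything is decommissioned.
$issued  = @(Import-Csv "$Export\issued.csv").Count
$revoked = @(Import-Csv "$Export\revoked.csv").Count
Write-Host "Exported $issued issued and $revoked revoked certificate records"
if (-not (Test-Path "$Export\Key\*.p12")) { throw 'CA key backup (.p12) is missing' }
if (-not (Test-Path "$Export\ca-cert.cer")) { throw 'CA certificate export is missing' }
```

Do not move on to discontinuing the old installation until the exported CA certificate, the CRL/AIA URLs and the issued and revoked records have been imported into the new CA and verified: relying parties keep fetching CRLs from the URLs embedded in already issued certificates, so those URLs must stay reachable and must be served by the new PKI from day one.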

Comparison Microsoft PKI and EJBCA Enterprise

With this table we aim to give you a clear picture of the important areas where PrimeKey PKI and Microsoft PKI differ. If you have specific questions about features or functionality, don't hesitate to contact us.

Each row lists the area, then Microsoft ADCS, then EJBCA Enterprise.

High availability
  Microsoft ADCS: Limited; relies on the single JET (ESE) CA database and active-passive failover.
  EJBCA Enterprise: High availability at the database level, for example an Oracle RAC cluster or a MariaDB cluster.

Custom extensions
  Microsoft ADCS: Not configurable in certificate templates; custom extensions require INF-file requests or a custom policy module.
  EJBCA Enterprise: Custom extensions are easily supported.

Certificate profiles
  Microsoft ADCS: Certificate templates are Active Directory objects; new templates are created by duplicating a built-in one, and the available settings are fixed by the template schema.
  EJBCA Enterprise: Certificate profiles are flexible and easily implemented; new profiles can be added with ease.

Multi-tenant solution
  Microsoft ADCS: Not supported; one CA per server.
  EJBCA Enterprise: No limit on the number of CAs (tenants) in one installation.

OS support
  Microsoft ADCS: Windows Server only.
  EJBCA Enterprise: Platform-independent Java application; not tied to one operating system.

REST API
  Microsoft ADCS: Not available.
  EJBCA Enterprise: Rich REST API available.

SOAP web services
  Microsoft ADCS: Only the Certificate Enrollment Web Services (CEP/CES) for client enrollment; no general management web service.
  EJBCA Enterprise: Rich SOAP web service API available.

CMP (RFC 4210, RFC 6712)
  Microsoft ADCS: Not available.
  EJBCA Enterprise: Supported.

External, independent OCSP responder
  Microsoft ADCS: Supported; the Online Responder answers from the CA's CRLs.
  EJBCA Enterprise: Fully supported, including whitelisting of certificates and a configurable response (GOOD or UNKNOWN) for certificates not issued by the CA.

MS auto-enrollment
  Microsoft ADCS: Supported.
  EJBCA Enterprise: Supported; PrimeKey provides an MS auto-enrollment component.

Web GUI based RA
  Microsoft ADCS: Limited support.
  EJBCA Enterprise: Fully supported.

Certificate approvals
  Microsoft ADCS: Limited support.
  EJBCA Enterprise: Flexible support.

External RA
  Microsoft ADCS: Must be custom built.
  EJBCA Enterprise: Available out of the box.

Certificate Transparency
  Microsoft ADCS: Not supported.
  EJBCA Enterprise: Fully supported and in use.

ACME
  Microsoft ADCS: Not supported.
  EJBCA Enterprise: Fully supported.

EST
  Microsoft ADCS: Not supported.
  EJBCA Enterprise: Supported as a premium feature.

Vendor support
  Microsoft ADCS: Available via third parties.
  EJBCA Enterprise: Delivered directly by the vendor.

Custom development
  Microsoft ADCS: Not available.
  EJBCA Enterprise: PrimeKey can deliver custom versions of the product and customer-specific enhancements.

CVC support
  Microsoft ADCS: Not available.
  EJBCA Enterprise: Available.

ICAO standards support (travel documents)
  Microsoft ADCS: Not available.
  EJBCA Enterprise: Available; PrimeKey is committed to supporting the latest standards within a reasonable time frame.

Peer Connectors
  Microsoft ADCS: Not available.
  EJBCA Enterprise: PrimeKey products provide Peer Connectors for communication between a CA and an RA, or between a CA and a VA.

Deployment options – Software, Appliance, Cloud or Hybrid

PrimeKey understands that organizations face unique business challenges, including security requirements, budgets and the availability of internal resources. We give you the choice of software, hardware appliance and cloud deployments for your PKI solution, and the choice to combine them. This means the infrastructure can be deployed in the manner best suited to your business needs and can grow and expand flexibly over time.

Read more about the PrimeKey PKI solution in EJBCA Enterprise