Active Directory Certificate Services - Digital Certificate Overview
In the previous article, we took a deep dive into the basic concepts of cryptography and digital certificates. We discussed how secure communication can be performed using digital certificates. Finally, we introduced Enterprise PKI and compared it with external PKI.
In this article, we will take a deep dive into ADCS and how it provides a complete solution for the Enterprise PKI need. We will also discuss the concepts and terminology associated with ADCS.
When you deploy an internal CA server, you have the option of deploying a Standalone CA or an Enterprise CA.
Following are the key differences between a Standalone CA and an Enterprise CA: a Standalone CA does not require Active Directory Domain Services, does not use certificate templates, and by default holds each request as pending until an administrator approves it; an Enterprise CA must be a domain member, issues certificates from templates published in Active Directory, and supports auto-enrollment for domain users and computers.
The most common approach is to use a combination of both: a Standalone Root CA that is kept offline, with online Enterprise subordinate CAs beneath it that do the actual issuing.
The Enterprise PKI hierarchy starts with the Root CA, also referred to as the Trusted Root CA. The Root CA is the first CA that needs to be deployed when designing a new PKI environment, and it sits at the top of the certification hierarchy.
Since the Root CA is the top of the certification hierarchy, its certificate is issued to the Root CA by the Root CA itself. In other words, the Root CA's certificate is a self-signed certificate.
In a certificate hierarchy, the Root CA certificate is the only certificate that is self-signed. Every other certificate must be issued either by the Root CA or by a subordinate CA.
A typical Enterprise PKI environment follows this approach: the Root CA issues certificates only to the subordinate CAs beneath it and is then taken offline, while the subordinate CAs stay online and handle day-to-day issuance.
The Root CA is kept offline for security reasons. It is the most critical server in the CA hierarchy and one of the most critical servers in the entire organization: if the Root CA's private key is compromised, whoever holds it can issue certificates that every system trusting that root will accept, nothing issued under that root can be trusted any longer, and recovery means building a new hierarchy and redistributing the new root certificate to every trusting system.
In the Windows certificate store, the root certificate is kept in the "Trusted Root Certification Authorities" store.
In a PKI environment, all CAs which are not Root CA are called subordinate CAs.
The exact number and arrangement of subordinate CAs depends on the PKI design: there may be a single layer of subordinate CAs reporting directly to the Root CA, or, in a large and complex environment, several layers.
In general, subordinate CAs are deployed in two layers: Intermediate CAs and Issuing CAs.
Intermediate CAs are the subordinate CAs that sit directly under the Root CA.
They act as a layer between the Trusted Root CA and the Issuing CAs. Because the Root CA is so critical, it issues certificates only to the Intermediate CAs, which in turn issue certificates to the Issuing CAs. The resulting sequence of issuer-to-subject links is the "Certificate Trust Chain", which we will discuss in an upcoming section.
Intermediate CAs are also commonly used as Policy CAs: the certificate policies defined at that level constrain what kinds of certificates the Issuing CAs beneath them are allowed to issue.
In the Windows certificate store, intermediate CA certificates are kept in the "Intermediate Certification Authorities" store.
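The following PowerShell function is an added example, not code from the original article. It builds the trust chain for a certificate on the local machine and checks that the chain has the shape described above: exactly one self-signed certificate, at the top, found in the "Trusted Root Certification Authorities" store, with every other CA certificate found in the "Intermediate Certification Authorities" store. The leaf thumbprint passed in is an assumption; the self-signed test (Subject equals Issuer) is the article's own definition of a root.

```powershell
# Added example (not from the original article): inspect the trust chain of a
# certificate in Cert:\LocalMachine\My and flag deviations from a well-formed
# root -> intermediate -> issuing -> leaf hierarchy.
function Get-TrustChainReport {
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint,            # thumbprint of a leaf in Cert:\LocalMachine\My (assumed)
        [switch]$SkipRevocationCheck    # for a host that cannot reach the CRL distribution points
    )

    $leaf = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($SkipRevocationCheck) { 'NoCheck' } else { 'Online' }
    $built = $chain.Build($leaf)

    # What this machine currently trusts, by store
    $rootThumbs = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint)
    $caThumbs   = @(Get-ChildItem Cert:\LocalMachine\CA   | ForEach-Object Thumbprint)

    # ChainElements[0] is the leaf; the last element is the root the chain ends in
    $elements = @($chain.ChainElements)
    $report = for ($i = 0; $i -lt $elements.Count; $i++) {
        $cert = $elements[$i].Certificate
        $selfSigned = ($cert.Subject -eq $cert.Issuer)   # the article's definition of a root
        $store = if ($rootThumbs -contains $cert.Thumbprint) { 'Trusted Root Certification Authorities' }
                 elseif ($caThumbs -contains $cert.Thumbprint) { 'Intermediate Certification Authorities' }
                 elseif ($i -eq 0) { 'Personal (leaf)' }
                 else { 'not in a CA store' }

        if ($selfSigned -and $i -ne ($elements.Count - 1)) {
            Write-Warning "Self-signed certificate '$($cert.Subject)' is not at the top of the chain"
        }
        if (-not $selfSigned -and $store -eq 'Trusted Root Certification Authorities') {
            Write-Warning "'$($cert.Subject)' sits in the Trusted Root store but is not self-signed; it belongs in the Intermediate store"
        }

        [pscustomobject]@{
            Level      = $i
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = $selfSigned
            Store      = $store
            Status     = @($elements[$i].ChainElementStatus | ForEach-Object StatusInformation) -join '; '
        }
    }

    if (-not $built) {
        Write-Warning ('Chain did not validate: ' + (@($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
    }
    $selfSignedCount = @($report | Where-Object SelfSigned).Count
    if ($selfSignedCount -ne 1) {
        Write-Warning "Expected exactly one self-signed certificate in the chain, found $selfSignedCount"
    }
    $chain.Dispose()
    $report
}

# Usage (the thumbprint is a placeholder for one of your own leaf certificates):
# Get-TrustChainReport -Thumbprint 'A1B2C3...' | Format-Table -AutoSize
```

A warning that a non-self-signed CA certificate is sitting in the Trusted Root store is worth chasing: an intermediate or issuing CA placed there is trusted unconditionally, bypassing any constraint its own issuer imposed on it.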
Issuing CAs are the CAs deployed to issue certificates to end users, computers and applications.
In a large PKI environment there is more than one Issuing CA, each playing a specific role, for example an Infrastructure CA and a User CA: the Infrastructure CA issues certificates to computers, devices and applications, while the User CA issues certificates to users.
You can subdivide the Infrastructure CA further if you want more granular roles, such as a Computer CA and an Application CA. Note, however, that the CA setup wizard offers no "Intermediate CA" or "Issuing CA" option, nor a "User CA" or "Computer CA" option, because all of these are roles you design, and every one of them falls under the single broader category of Subordinate CA. When you run the setup wizard (or the Install-AdcsCertificationAuthority cmdlet) you choose only whether the server is a Root CA or a Subordinate CA (and whether it is Enterprise or Standalone). So how do you arrange Subordinate CAs into a hierarchy of Intermediate, User, Computer and similar CAs? When you declare a server a Subordinate CA, setup asks for the parent CA that will issue this CA's certificate; the parent you name (the Root CA for an Intermediate CA, an Intermediate CA for an Issuing CA) is what places the new CA at its level in the hierarchy.
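The following PowerShell is an added example, not code from the original article, showing the combination described earlier (an offline Standalone Root CA with an online Enterprise subordinate CA) and the parent-CA step of the setup just discussed. Host names (ROOTCA, ISSUINGCA01), CA names, the http://pki.contoso.com URL, the C:\CA paths and the request ID are assumptions; the software key storage provider stands in for the HSM a production root key would live in. Each section runs on the server named in its heading, with files carried between the two on removable media because the root is never on the network.

```powershell
# Added example (not from the original article): two-tier ADCS hierarchy.
# Names, paths, URLs and the request ID below are assumptions.

# ===== Section 1: on ROOTCA (workgroup member, never joined to the domain) =====
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# The cmdlet only lets you pick Enterprise/Standalone and Root/Subordinate:
# -CAType is one of StandaloneRootCA, EnterpriseRootCA, StandaloneSubordinateCA, EnterpriseSubordinateCA.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'Contoso Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force

# Certificates this root issues to subordinate CAs must carry CDP/AIA URLs that clients
# can reach while the root is powered off, so publish them through a web server (assumed URL).
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.contoso.com/pki/%3%8.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/pki/%1_%3%4.crt"
# Long CRL lifetime: the root is only powered on to sign a new CRL or a new sub-CA certificate
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
# Subordinate CA certificates issued by this root are valid for 10 years
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc
certutil -crl    # publish the first CRL; copy it and the root .crt from CertEnroll to removable media

# ===== Section 2: on ISSUINGCA01 (domain member), as an Enterprise Admin =====
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Publish the root certificate and CRL into AD: this is what makes every domain member
# place 'Contoso Root CA' in its Trusted Root Certification Authorities store.
certutil -dspublish -f 'C:\CA\ROOTCA_Contoso Root CA.crt' RootCA
certutil -dspublish -f 'C:\CA\Contoso Root CA.crl'

# Declared as a subordinate, setup wants a parent CA. The parent is offline, so instead
# of -ParentCA we ask for a request file to carry to the root by hand.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Contoso Issuing CA 01' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\CA\IssuingCA01.req' `
    -Force

# ===== Section 3: back on ROOTCA, with IssuingCA01.req on the media =====
certreq -submit -config 'ROOTCA\Contoso Root CA' 'C:\CA\IssuingCA01.req'
# A standalone root holds every request as pending until an administrator approves it.
$requestId = 2    # assumption: replace with the RequestId printed by certreq -submit
certutil -resubmit $requestId
certreq -retrieve -config 'ROOTCA\Contoso Root CA' $requestId 'C:\CA\IssuingCA01.cer'

# ===== Section 4: on ISSUINGCA01, with IssuingCA01.cer on the media =====
certutil -installcert 'C:\CA\IssuingCA01.cer'
Start-Service certsvc
```

Adding a third tier is the same Section 2 to 4 sequence repeated: an Intermediate (or Policy) CA is installed with `-CAType StandaloneSubordinateCA` or `EnterpriseSubordinateCA` and gets its certificate from the root, and each Issuing CA below it names that Intermediate CA, which is online, directly with `-ParentCA 'INTCA01\Contoso Policy CA'` instead of going through a request file.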