Migrate From Microsoft AD CS

Linda Ikechukwu

Follow Smallstep

"Active Directory Certificate Services has a lot of attack potential! .... Nearly every environment with AD CS that we’ve examined for domain escalation misconfigurations has been vulnerable. It’s hard for us to overstate what a big deal these issues are. "

~ Will Schroeder and Lee Christensen, Researchers @SpecterOps in their research titled, Certified Pre-Owned: Abusing Active Directory Certificate Services, detailing possible attacks against AD CS.

Imagine relying on a piece of technology that hasn't been updated in years. It's like navigating a complex maze with an outdated map or using antique locks to secure a modern smart home — a recipe for inefficiency, and heightened risk.

Such is the predicament of organisations still holding onto their legacy Public Key Infrastructure (PKI) — whether it be systems like Microsoft’s Active Directory Certificate Services (ADCS) or a self-coupled solution from years back.

Certificates are undoubtedly the most effective way to protect your organization's infrastructure. They provide a reliable means to control access, ensuring that only trusted entities—whether they be devices, workloads, or individuals—can gain entry. Additionally, certificates facilitate secure communication between these entities, enhancing overall data protection.

Nevertheless, comprehending and correctly implementing certificates can be a challenging endeavor. Legacy PKI solutions exacerbate this complexity by necessitating additional components such as servers, Hardware Security Modules (HSMs), load balancers, and continuous maintenance. Moreover, many large-scale legacy PKI deployments suffer from issues like CA and template sprawl, further complicating an already intricate landscape.

You need a robust workhorse with opinionated constructs complete with all the software you need to reap the security benefits of PKI without being PKI experts. If you were already thinking about migrating your Legacy PKI, but unsure of where or how to start, then you are in the right place. And if you’re not yet considering migrating your legacy PKI, maybe the reasons below will convince you.

Why you should be thinking of migrating from your Legacy Microsoft ADCS PKI

Make certificate related outages and downtime a thing of the past

Microsoft AD CS does not have built-in support for modern infrastructure automation tools. It doesn’t support ACME. Neither does it support Ansible or Terraform for client bootstrapping and enrolment.

This lack of automation capabilities and manual coupling affiliated with legacy PKI means more opportunities for certificate misconfigurations or unnoticed certificate expirations. Expired certificates or certificate errors lead to outages which can severely disrupt customer-facing services and wreak havoc on the business operations. Even highly technical teams like Starlink and Microsoft Sharepoint have recently experienced certificate expiration or misconfiguration related outages.

Migrating your PKI to a modern consolidated and robust platform like Smallstep means automated end-to-end encryption management for you. Certificates within your infrastructure will be issued, renewed, and revoked automatically, reducing human error and freeing up IT resources.

Safeguard your infrastructure against vulnerabilities and elevate your security posture

"It is surprisingly easy to misconfigure various AD CS elements .... if an environment has AD CS installed, along with a vulnerable web enrollment endpoint and at least one certificate template published that allows for domain computer enrollment and client authentication (like the default Machine/Computer template), then an attacker can compromise ANY computer with the spooler service running!" ~ Certified Pre-Owned: Abusing Active Directory Certificate Services

Legacy PKIs like Microsoft’s AD CS make organizations susceptible to a host of security challenges. There’s always a steady stream of updates, patches, and hot fixes to keep up with. Any oversight on those can leave your infrastructure exposed to a couple of vulnerabilities.

Another major challenge is that setting up AD CS to function as a fully robust PKI demands substantial technical know-how, yet the documentation relies on outdated recommendations from over a decade ago. Consequently, ADCS configurations are frequently susceptible to misconfigurations and permission errors, mainly due to the scarcity of IT teams with specialized PKI knowledge. In some instances, teams have discovered TLS certificates and private keys left unprotected on servers or encountered numerous certificate templates within their PKI without a clear understanding of their purpose.

Migrating to Smallstep eliminates the necessity for PKI expertise within your team. PKI is our sole focus, and we remain at the forefront of cryptographic and PKI advancements. By default, we enforce best practices, ensuring that your security is never compromised.

Security is paramount in our service delivery, and we embrace the principle of defense-in-depth. We secure your CA signing keys within a hardware security module (HSM), rendering unauthorized access, even by us, impossible. Every interaction with the HSM is meticulously logged, facilitating the prompt detection of any suspicious activities. This utilization of HSMs not only enhances security and compliance but also guarantees the absolute inviolability of your keys, protecting them from simple theft via DPAPI or tools like Mimikatz.

Furthermore, the Smallstep agent, which can be installed on any Linux device, to manage TLS encryption for a wide range of workloads, including NGINX, Apache HTTPD, Redis, PostgreSQL, MySQL, Apache Tomcat, and more, has TPM support. This means that we use TPM device attestation to authenticate your devices, giving strong assurances that only the specific device identifiers you have registered with us are allowed to get TLS certificates.

In a nutshell, we employ various tiers of security measures to protect against common attack vectors. No passwords are needed, and no device certificates or keys are stored on disk.

Introduce flexibility and versatility into your PKI

According to the 2021 Global PKI and IoT Trends Study, 56% of organizations say that their existing PKI is incapable of supporting new applications. Today, everything from cloud VMs, DevOps processes, IoT devices, service meshes, containers, microservices, distributed databases & queues, to configuration management & orchestration systems, all require TLS encryption.

Unfortunately, Microsoft’s Active Directory Certificate Services, designed for on-premise Windows environments, doesn’t integrate with modern platforms, nor does it play well with emerging technologies. As a result, you experience limitations in how and what you can issue certificates to.

Migrating your PKI to a modern platform like Smallstep means introducing flexibility into your PKI. Smallstep supports, integrates with, and is interoperable with a a variety of certificate issuance protocols, policies, and authentication mechanisms for automating provisioning certificates for different environments and entities within your infrastructure. This includes everything from devices (from virtual machines on AWS, Azure, GCP to physical devices like laptops and phone), to workloads (from MySQL, PostgreSQL, NGNIX, Redis, and GitHub Actions, to mention a few) to People.

Whatever the context or usecase, with Smallstep, every connection can be authenticated, encrypted, and authorized using unique trusted identities.

Simplify the burden of certificate management

Microsoft's Active Directory Certificate Services functions simply as a certificate authority, but a complete PKI requires more than just that. It's akin to having an engine, a steering wheel, and four tires — essential components for a car, but not sufficient on their own.

To bridge this tooling gap, many teams resort to custom scripts, spreadsheets, and fragmented in-house solutions to supplement and achieve basic PKI functionalities. Unfortunately, these makeshift solutions only compound administrative complexities and efficiency issues.

When you migrate your PKI to the Smallstep platform, you not only get a certificate authority but also every other essential component required for efficient certificate lifecycle management, configured with current best practices for design, deployment, and security in mind. Your IT teams will be liberated from the burden of managing and maintaining the infrastructure, allowing them to focus on strategic projects. Instead of grappling with CA server setups, request configurations, function validations, database upgrades, or connection monitoring and repairs, your teams can dedicate their time to enabling TLS for all communications within your organization.

Taking it a step further, with our newly released managed workloads and devices capabilities, you can establish authenticated and encrypted TLS communications across all elements of your infrastructure, without needing to concern yourself with intricate certificate management tasks like setting up a certificate authority or specifying specific configurations. A simple indication of the desired entity or TLS usage suffices, and we take care of the rest. See a demo here.

Consolidate all your PKI under one umbrella

AD CS confines organizations to a single CA per deployment, creating a scenario where departments independently set up CAs for their specific needs without overarching supervision. Consequently, security teams are left grappling with expired or non-compliant certificates to avert disruptive outages. This reactive approach becomes a recurring issue.

On the contrary, Smallstep bestows the capacity to host numerous CA and PKI infrastructures within a single installation. This consolidated approach enables you to manage all aspects of your organization's PKI from a central hub, offering cohesive oversight and control.

Making the switch: Migrating to modern PKI with Smallstep

Migrating your PKI to Smallstep is very straightforward. We provide you with a dedicated support engineer who ensures a seamless migration, preventing any major disruptions. Our support engineers begin by gaining an understanding of your environments, needs, and requirements. This understanding guides them in suggesting the most suitable deployment methods— be it SaaS or on-premise — for your unique situation.

Moreover, we support the SCEP certificate enrollment protocol, ensuring that you don't need to make immediate changes to your clients when transitioning from your legacy PKI. You have the flexibility to gradually introduce automation, convenience, and modern features into your PKI ecosystem by deploying Smallstep as an issuer for new clients while retaining your root, thanks to our Bring Your Own Root feature.

In essence, our unwavering mission is to simplify the use of certificates for secure and encrypted communications across every aspect of your infrastructure. Let us help you migrate your Legacy PKI. Request a demo today!