Digital cloud graphic

How to Use PKIaaS to Simplify Certificate Automation in Microsoft Active Directory

Zero Trust initiatives, combined with a growth in the number of devices managed by enterprises, have resulted in tens of thousands of digital certificates being used for passwordless authentication and data encryption. Digital certificates have a limited lifetime, eventually expire and need to be renewed. The key question remains, how do we automate certificate lifecycle management so that it’s scalable and simple to manage without manual resources?

What Is Microsoft Autoenrollment?

For many organizations, Microsoft Active Directory remains a central piece of the puzzle that allows device management, authentication and authorization. It is one of the most important products in enterprise deployment for identity and access management. According to Slintel, Microsoft Active Directory still dominates the market with 44 percent market share.

Microsoft provides the open specification Windows Client Certificate Enrollment Protocol (MS-WCCE), which consists of a set of Distributed Component Object Model (DCOM) interfaces that enable clients to request various services from a certification authority (CA). These services enable X.509 digital certificate enrollment, issuance, revocation and property retrieval.

Microsoft Active Directory has built-in capability for certificate autoenrollment which takes away the burden of manually managing certificates. With autoenrollment, enterprise can automate certificate enrollment, issuance, revocation, and suspension. It is the simplest way for organizations to issue certificates for users, applications or devices.

How Is Certificate Autoenrollment Used With PKIaaS?

HID Global has simplified how to integrate Microsoft Active Directory managed network devices with its cloud-based PKI-as-a-Service (PKIaaS) to automate their certificate lifecycle. HID PKIaaS’s Autoenrollment Proxy (AEP) acts as a proxy and connects with Microsoft Active Directory for any certificate request that makes outbound connection to HID’s PKIaaS platform for certificate issuance or updates. AEP can be installed on any Microsoft Windows Server that is domain joined while the certificate template needs to be mapped in Active Directory. AEP connects with HID PKIaaS using HTTPS for certificate issuance so only outbound connection to 443 needs to be allowed.

Get Started With the Connector Model of PKIaaS

HID PKIaaS leverages the connector model to automatically request and install certificates independent of one another. There is no agent or other configuration change required at the individual device level, enabling customers to leverage existing technology deployments and infrastructure. You can learn the basics on how the connector model works, and dive into the details of rolling out simple, automated certificate management in our white paper, Certificate Automation Rollout for Enterprises.

Is your hybrid infrastructure making it difficult to implement PKI and certificate automation in house? HID PKIaaS can help. To learn more about our scalable, cloud-based PKIaaS solution and how it helps enterprises support Zero Trust security policies,  talk to one of our experts.

Image
eBook download graphic

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).