
How to Use PKIaaS to Simplify Certificate Automation in Microsoft Active Directory

Zero Trust initiatives, combined with growth in the number of devices managed by enterprises, have resulted in tens of thousands of digital certificates being used for passwordless authentication and data encryption. Digital certificates have a limited lifetime; they eventually expire and need to be renewed. The key question remains: how do we automate certificate lifecycle management so that it is scalable and simple to manage without dedicated manual effort?

What Is Microsoft Autoenrollment?

For many organizations, Microsoft Active Directory remains a central piece of the puzzle that allows device management, authentication and authorization. It is one of the most important products in enterprise deployment for identity and access management. According to Slintel, Microsoft Active Directory still dominates the market with 44 percent market share.

Microsoft provides the open specification Windows Client Certificate Enrollment Protocol (MS-WCCE), which consists of a set of Distributed Component Object Model (DCOM) interfaces that enable clients to request various services from a certification authority (CA). These services enable X.509 digital certificate enrollment, issuance, revocation and property retrieval.

Microsoft Active Directory has a built-in capability for certificate autoenrollment, which takes away the burden of manually managing certificates. With autoenrollment, enterprises can automate certificate enrollment, issuance, revocation and suspension. It is the simplest way for organizations to issue certificates to users, applications or devices.

How Is Certificate Autoenrollment Used With PKIaaS?

HID Global has simplified the integration of network devices managed by Microsoft Active Directory with its cloud-based PKI-as-a-Service (PKIaaS) to automate their certificate lifecycle. The HID PKIaaS Autoenrollment Proxy (AEP) connects to Microsoft Active Directory, receives certificate requests, and forwards them over an outbound connection to the HID PKIaaS platform for certificate issuance or updates. AEP can be installed on any domain-joined Microsoft Windows Server, and the certificate template must be mapped in Active Directory. AEP connects to HID PKIaaS over HTTPS for certificate issuance, so only an outbound connection to port 443 needs to be allowed.
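The prerequisites above (a domain-joined Windows Server host, outbound HTTPS to the PKIaaS platform, and machine autoenrollment turned on) can be verified before installing AEP. The following pre-flight check is an added PowerShell example, not part of the post or of HID's software; the PKIaaS hostname is a placeholder to be replaced with the endpoint for your tenant.

```powershell
# Added example (not HID's code): pre-flight check for an Autoenrollment Proxy host.
# Run from an elevated PowerShell session on the server that will host AEP.
param(
    # Placeholder: substitute the PKIaaS endpoint provided with your HID tenant.
    [string]$PkiaasHost = 'pkiaas.example.invalid'
)

$results = [ordered]@{}

# 1. The AEP host must be joined to the Active Directory domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = $cs.PartOfDomain
$results['Domain']       = $cs.Domain

# 2. Only an outbound TCP 443 (HTTPS) connection to PKIaaS is required;
#    no inbound firewall rule is needed for the proxy.
$tnc = Test-NetConnection -ComputerName $PkiaasHost -Port 443 -WarningAction SilentlyContinue
$results['Outbound443ToPkiaas'] = $tnc.TcpTestSucceeded

# 3. Machine-context certificate autoenrollment must be enabled by policy
#    for Active Directory clients to request certificates automatically.
$ae = Get-CertificateAutoEnrollmentPolicy -Scope Local -Context Machine
$results['MachineAutoEnrollmentPolicy'] = $ae.PolicyState

# 4. Summarise; every line should read True / Enabled before AEP is installed.
[pscustomobject]$results | Format-List
```

The template mapping itself lives in Active Directory and is not checked here; confirm it separately in the Certificate Templates console after the policy check passes.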

Get Started With the Connector Model of PKIaaS

HID PKIaaS leverages the connector model to automatically request and install certificates independent of one another. There is no agent or other configuration change required at the individual device level, enabling customers to leverage existing technology deployments and infrastructure. You can learn the basics on how the connector model works, and dive into the details of rolling out simple, automated certificate management in our white paper, Certificate Automation Rollout for Enterprises.

Is your hybrid infrastructure making it difficult to implement PKI and certificate automation in house? HID PKIaaS can help. To learn more about our scalable, cloud-based PKIaaS solution and how it helps enterprises support Zero Trust security policies, talk to one of our experts.


Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).
