Autoenrollment: advantages and limitations of a Microsoft CA in the Windows-PKI

A Public Key Infrastructure (PKI) provides the basic mechanisms that enable the use of cryptography-based tools in large organizations. In a Microsoft environment, it is possible to set up a Windows PKI with fully automated certificate management. The issuing of certificates is triggered within the framework of a Certification Authority (CA), for example, at user login. The certificates can be published automatically in the Active Directory (AD), via certificate templates key usages and other extensions can be defined. The functions are limited to issuance by an internal Microsoft CA.

Limitations in a pure Windows-PKI

The use cases of the services already provided with this are therefore naturally limited to the purely internal area (such as Wi-Fi encryption, VPN services, …): The use of trusted signatures for e-mails and documents, like encryption, is already the de facto standard in various industries, and in many cases even required by law. The use of services for external communications reaches its limits here, in that participants outside the Windows PKI do not automatically trust the issuer certificate. Encryption is thus not readily possible, and recipients of signed messages receive error messages.

Windows-PKI with publicly trusted certification authority

This results in unnecessary support effort that could easily be avoided. As soon as signed or encrypted information is to be exchanged with external partners, certificates from a publicly trusted CA – such as GLOBALTRUST – are required. The root certificate of this CA is already pre-installed in the recipient’s application. The basis for this are special audit and approval procedures, which public CAs undergo with enormous expenditure of resources and time.

Limitations of a publicly trusted certification authority Windows-PKI

However, requesting certificates from public CAs also requires certificate management and thus an organizational effort that should not be underestimated – both in terms of personnel and finances. Errors in the management of keys and certificates can pose massive risks and cause serious damage. For example, an expired certificate could paralyse the ATMs of an entire banking chain. Apply, install, replace, revoke: not a challenge when used in the double-digit range, but quickly becomes an overload when used by thousands of employees and devices and results in expired certificates, incorrectly deposited keys or still valid certificates from employees who have long since left the company. Monitoring tools on the market are often not up to the task.

Fully automated certificate management: Windows-PKI with a non Microsoft-CA

This is exactly where the product from Secardeo and GLOBALTRUST comes in. The solution is aimed at medium and large organizations. Holders of a GLOBALTRUST COMPANY certificate can be connected to our certificate issuance via an interface with the help of Secardeo certEP. The certEP fully automatically takes over the certificate management during the entire life cycle. The private keys are generated at the user and never disclosed to GLOBALTRUST. The certEP only makes a certificate request. Thus, it requests certificates for persons, services and devices, transports key material to the target and ensures timely renewal. All functions of a pure Windows PKI are available without restrictions (certificate templates, enrollment agents, role separation, key recovery, …).

Certificate characteristics

The certificates are considered S/MIME certificates. They can be used for e-mail signature, encryption, client authentication, VPN, encryption and digital signature of file systems and documents.

The certificates are suitable for producing advanced signatures under the conditions of the eIDAS Regulation.

The solution can be described as technically mature. It enables seamless use of all PKI-relevant security mechanisms, combined with the trust status of a public CA. Compared to building your own solution, the product is a proven, highly secure and cost-effective alternative.