Setting UP PKI and Certificate servers on a Windows Server 2008 R2 domain

Posted on 2010-09-03
Last Modified: 2013-12-04
My company has asked our team to implement a PKI solution so we can encrypt and digitally sign emails, files, authenticate users for web-based applications that are on DMZ servers (bounce authentication againts internal AD servers from the DMZ).

Ourt current environment is: Active Directory with DOmain controllers as Windows Server 2008 R2.
Multiple member servers in 2008 and some in 2003. Applications in our internal domain and some are located at the DMZ.

What is required to start this implementation? PKI server, Certificate signing (Microsoft-local vs Third-Party).

Question by:itsecalert
  • 2
  • 2
LVL 40

Expert Comment

by:Adam Brown
ID: 33602095
In windows 2k8, you'll want a Certificate Services server to handle most of the work. Certificate signing and encryption for email will only work internally for the most part. If you want an encryption system for email going outside your network, you'll want to look at third party solutions like PGP. Realistically, you'll need to determine how far reaching you want your encryption and authentication to be. AD CS is great internally, but it gets really troublesome when you go outside the LAN/WAN, because certificate distribution is limited to the domain. Same thing for web site authentication. It's a piece of cake and almost just works right out of the box if you're entirely internal. The second you break across that public/private line it gets troublesome. RSA makes a good key management system for distributing keys outside a private network, and I think there are a few other companies that do as well.

Just to sum up my recommendation on how to move forward, take a look at what you want to do. If you need to manage certificates outside your network, you should look into third party solutions. If it's going to be mostly internal, or if any part of the requirement is internal only, you'll want to allow AD CS to handle that portion because of the auto-enrollment features built in to Windows.

Author Comment

ID: 33603405
I see, so I will probably need to obtain a CA for Each of my domain controllers from a third-party to begin issuing certificates at least for inside applications and services.

If we want to do email encryption or digital signatures then the RSA route is your recommendation or that of PGP, correct?

One of the key factors that triggered this reearch was the adding a few services to be reached from the DMZ and be able to authenticate domain users from home or where ever they they can be. We already have servicea with their own certificates (webmail, citrix access, etc) which are at the DMZ but get the users authentication bounced off AD.

Thanks for your input.

LVL 40

Accepted Solution

Adam Brown earned 250 total points
ID: 33609968
You won't need to get a third party certificate for your DCs if you are only doing internal certificate generation. You will, however, need to set up the AD Certificate Services Role on a server in your network and configure it as an Enterprise Root CA. Once that's done, the certificate for that server will be distributed to all computers on the domain via GPO and they will then trust any certificate generated by that Root CA. Third party certificates are meant to be used for generating SSL certificates and a number of other types of certificates when a CA hierarchy doesn't exist already. Once you have a Root CA in your network, you can configure it to autoenroll devices and computers with certificates. Here's a step-by-step article from Mickeysoft for managing AD CS:

The limitation of AD CS is that only computers that are members of the domain will automatically trust the certificates generated by the Root CA. Computers that are not part of the domain won't trust the CA until you import the Root CA's Root Certificate and set the computer to trust it.

The main limitation of any PKI system is in key distribution. There's some fascinating historical stories about key distribution issues (for instance, the German Enigma system during WWII). It is entirely possible to handle email signing and encryption outside of your network with Active Directory. The problem is that your users will have to send a key to people that the email in order for the email to be decrypted. The problem is that this very quickly becomes a logistical nightmare (not to mention the potential security issues of having your Root CA key plastered all over the internet). This is where the third party apps come in to play.

PGP's email system system provides email encryption by capturing email traffic that goes outside the network and storing it, encrypted, in a secure reception area that is accessible to the outside world. After the email is sent and stored by PGP a notification email is sent to the recipient, giving them instructions on how to log in to the secure repository and read the email. Recipients set up an account on the PGP mail repository server and read any encrypted mail without the mail actually leaving your network.

RSA's key distribution system does something different. I haven't actually used their solution before, so I don't know exact details. From their marketing materials, it looks like it provides secure key distribution through a web enrollment system similar to AD CS, but usable outside a domain. You'll probably need to contact RSA to get more specific information. Here's the website for more info:

Author Closing Comment

ID: 33617092
Thanks for your detailed comment on this. I was looking at any other experts comments but I guess, even after the question was moved to another group, nobody else has an input for this.

Thanks much, I will focus my research on this and seek a direct target solution.

Definitely will do an in-house CA server for all our internal needs, per all my current readings online. R$A is out of the question, budget-wise.

Thanks a bunch.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question