To establish a public key infrastructure and offer public key cryptography, digital certificates, and digital signature capabilities to your organisation, the Active Directory Certificate Services (AD CS) server role is required. AD CS provides customizable services for issuing and managing the digital certificates used by software security systems that rely on public key technology.
The digital certificates that AD CS issues can be used to encrypt and digitally sign electronic documents and messages, and to authenticate computers, users, or device accounts on the network. Digital certificates provide the following:
Confidentiality through encryption
Integrity through digital signatures
Authentication by associating certificate keys with a computer, user, or device account on a computer network
The Public Key Services container is not scoped to any particular domain; it is available to every client in the forest. Because the container is stored in the configuration naming context (CN=Public Key Services,CN=Services,CN=Configuration,DC=<forest root domain>), its contents are replicated to every domain controller in the forest, so anything published there is trusted forest-wide.
The sub-containers under the Public Key Services container are the following:
AIA
CDP
Certificate Templates
Certification Authorities
Enrollment Services
KRA
OID
Each container is described below.
AIA container
Clients use the Authority Information Access (AIA) certificate extension to retrieve CA certificates from the AIA container in order to build a trusted certificate chain, and to retrieve any cross-certificates issued by the CA. When a new enterprise CA is installed, its certificate is automatically published to the AIA container. To publish a CA certificate to this container manually, run the following command:
certutil -dspublish -f <PathToCertFile.cer> SubCA
<PathToCertFile.cer> is the path to the exported CA certificate file.
CDP container
The CDP (CRL Distribution Point) container stores certificate revocation lists. It holds every base CRL and delta CRL published in the forest.
A CRL is published to the CDP container with the certutil -dspublish command.
A CDP object in AD DS records, among other things:
The LDAP path of the object within the forest's configuration naming context
The CRL's renewal extension
Whether the CA supports delta CRLs
The object class that identifies it as a CDP object in AD DS
Certificate Templates container
Certificate templates automate certificate deployment by defining the common features shared by all certificates issued from a given template and by determining which users or computers have permission to enroll for, or automatically enroll for, a certificate based on it. An example is a template that automatically enrolls every domain user who has a valid e-mail address for a secure e-mail (S/MIME) certificate.
All certificate templates defined in AD, whether or not they are published on an enterprise CA, are stored in the Certificate Templates container. When an enterprise CA publishes a template, the template name is written to the certificateTemplates attribute of that CA's object in the Enrollment Services container. By default, more than 30 predefined Microsoft templates are installed when an enterprise CA is built.
Certification Authorities container
The Certification Authorities container holds the trusted root CA certificate(s). When an enterprise root CA is installed, its certificate is published to this container automatically. For an offline standalone root CA, the PKI administrator must publish the root CA certificate manually with certutil:
Example: certutil -dspublish -f <Root.cer> RootCA
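The AIA, CDP and Certification Authorities steps above form one procedure when an offline root CA and an enterprise subordinate CA are brought into the forest. The following PowerShell is an added example written for this article, not code from the original page or from Microsoft; the file paths, the root CA host name and the CA name are assumptions, and only the certutil keywords shown (RootCA, SubCA, and the CRL form with container and object CN) are real. It requires an elevated session as a member of Enterprise Admins, who hold write permission on the configuration naming context by default, and the ActiveDirectory module from RSAT for the verification step.

```powershell
# Added example (not from the original article): publish an offline root CA
# certificate, a subordinate CA certificate and the root CA's CRL into the
# Public Key Services container, then list what landed in AD DS.
# Run elevated as a member of Enterprise Admins. Requires the ActiveDirectory
# module (RSAT). Every value below is an assumption; substitute your own.
$RootCert   = 'C:\PKI\Contoso-RootCA.cer'   # assumed: exported root CA certificate
$SubCert    = 'C:\PKI\Contoso-SubCA.cer'    # assumed: exported subordinate CA certificate
$RootCrl    = 'C:\PKI\Contoso-RootCA.crl'   # assumed: root CA's current base CRL
$RootServer = 'ROOTCA01'                    # assumed: short name of the offline root CA host
$RootCaName = 'Contoso-RootCA'              # assumed: root CA common name

foreach ($f in $RootCert, $SubCert, $RootCrl) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing input file: $f" }
}

function Invoke-DsPublish {
    # Wraps 'certutil -dspublish -f' and turns a non-zero exit code into a
    # terminating error. -f creates the target object if it does not exist yet.
    param([string[]]$Arguments)
    & certutil -dspublish -f $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -dspublish -f $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# RootCA: writes the certificate to the Certification Authorities container
# and to the AIA container, so clients can both trust it and chain to it.
Invoke-DsPublish $RootCert, 'RootCA'

# SubCA: writes the subordinate CA certificate to the AIA container only.
Invoke-DsPublish $SubCert, 'SubCA'

# CRL: the two trailing arguments are the CDP container CN (normally the CA
# host's short name) and the CDP object CN (normally the CA name; a renewed
# CA key appends an index such as "(1)"). The object is created as
# CN=<CA name>,CN=<host>,CN=CDP,CN=Public Key Services,CN=Services,<config NC>.
Invoke-DsPublish $RootCrl, $RootServer, $RootCaName

# Verify. The container sits in the configuration naming context, so the new
# objects reach every domain controller in the forest once replication completes.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$configNC"

foreach ($container in 'Certification Authorities', 'AIA', 'CDP') {
    Write-Host "== CN=$container,$pks =="
    Get-ADObject -SearchBase "CN=$container,$pks" -SearchScope Subtree -Filter * |
        Where-Object { $_.ObjectClass -ne 'container' } |   # skip the per-host CDP folders
        Select-Object Name, ObjectClass, DistinguishedName |
        Format-Table -AutoSize
}
```

The order matters in practice: publish the root certificate before the subordinate CA's certificate, because clients building a chain from an AIA object need the root present in Certification Authorities to complete it, and the CRL before the subordinate CA is installed, since the installation checks the root CA's revocation status.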
Enrollment Services container
This container holds the certificates of the enterprise CAs that can issue certificates to users, computers, or services in the forest. Only a member of Enterprise Admins installing an enterprise CA can add an enterprise CA's certificate to this container; certificates cannot be added manually through the Manage AD Containers dialog box.
KRA container
This container holds the key recovery agent certificates for the forest. Key recovery agents must be configured to support key archival and recovery. Key recovery agent certificates are added to this container automatically when a user enrolls for one from an enterprise CA; they cannot be added manually through the Manage AD Containers dialog box.
OID container
This container stores the object identifiers (OIDs) registered in the enterprise: definitions for custom application policies, issuance (certificate) policies, and certificate templates. A client that is a member of the forest resolves object identifiers using both its local OID database and the OID container.
New OIDs should be registered through the Certificate Templates (certtmpl.msc) MMC snap-in by adding a new application or issuance (certificate) policy on the Extensions tab of a certificate template.
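The Certificate Templates and Enrollment Services descriptions above describe a relationship that is easy to check: a template is an object in one container, and the fact that a CA publishes it is an entry in that CA's certificateTemplates attribute in the other. The following PowerShell is an added example written for this article, not code from the original page or from Microsoft; it reads all seven containers described here, then reconciles defined templates against published ones and flags templates configured for autoenrollment (msPKI-Enrollment-Flag bit 0x20). Read access to the configuration naming context and the ActiveDirectory module from RSAT are assumed; no object is modified.

```powershell
# Added example (not from the original article): inventory the Public Key
# Services container and reconcile the templates defined in the forest with
# the templates each enterprise CA actually publishes. Read-only.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$configNC"

# 1. Object counts per sub-container (the seven containers this article describes).
foreach ($c in 'AIA', 'CDP', 'Certificate Templates', 'Certification Authorities',
               'Enrollment Services', 'KRA', 'OID') {
    $n = @(Get-ADObject -SearchBase "CN=$c,$pks" -SearchScope Subtree -Filter * |
           Where-Object { $_.ObjectClass -ne 'container' }).Count
    '{0,-26} {1,5} object(s)' -f $c, $n
}

# 2. Every template defined in the forest. msPKI-Enrollment-Flag bit 0x20 is
#    CT_FLAG_AUTO_ENROLLMENT: the template is eligible for autoenrollment.
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties displayName, 'msPKI-Enrollment-Flag'

# 3. One pKIEnrollmentService object per enterprise CA; its multi-valued
#    certificateTemplates attribute names the templates that CA publishes.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties dNSHostName, certificateTemplates

# Map template CN -> list of CAs publishing it.
$published = @{}
foreach ($ca in $cas) {
    foreach ($t in $ca.certificateTemplates) {
        if (-not $published.ContainsKey($t)) { $published[$t] = @() }
        $published[$t] += "$($ca.Name) ($($ca.dNSHostName))"
    }
}

# 4. Report: where each template is published, and which are defined but idle.
#    An unpublished template cannot be enrolled, whatever its permissions say;
#    a published autoenrollment template is issued without a human in the loop.
$report = foreach ($t in $templates) {
    $autoEnroll = ([int]$t.'msPKI-Enrollment-Flag' -band 0x20) -ne 0
    if ($published.ContainsKey($t.Name)) {
        $where = $published[$t.Name] -join '; '
    } else {
        $where = '(not published on any CA)'
    }
    [pscustomobject]@{
        Template    = $t.Name
        DisplayName = $t.displayName
        AutoEnroll  = $autoEnroll
        PublishedOn = $where
    }
}
$report | Sort-Object PublishedOn, Template | Format-Table -AutoSize
```

Because the certificateTemplates attribute stores the template's common name (for example WebServer) rather than its display name (Web Server), the reconciliation matches on Name; the display name is carried along only for readability.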
Understanding each Active Directory Certificate Services container is vital for an enterprise PKI administrator. An administrator must know the purpose of each container, what is written to it and by whom, while managing the enterprise PKI infrastructure.
Parnashree Saha is a data protection senior consultant at Encryption Consulting LLC working with PKI, AWS cryptographic services, GCP cryptographic services, and other data protection solutions such as Vormetric, Voltage etc.