Migrating from Microsoft Certification Authority to Google Cloud Certificate Authority Service with AppViewX Certificate Lifecycle Management-as-a-Service (CLMaaS) & Windows Auto-enrollment

Introduction

Certificate auto-enrollment was introduced in Windows 2000 to alleviate the problem of manual enrollment and renewal. It has been enhanced greatly since its introduction. It relies on a combination of Group Policy Settings and Certificate templates, allowing a Windows client to silently obtain or update certificates for both the user as well as the machine when the user logs on to the domain or the machine connects to the domain to refresh the Group Policy.

There are many benefits of auto-enrollment of user certificates

  • Allows users to transparently use the certificates in applications such as smartcard logon, S/MIME, EFS (Encrypted File System), SSL/TLS mutual auth, and others.
  • Drastically reduces the cost of PKI deployments and the total cost of ownership of a PKI implementation for Windows clients connected to a domain.

All Microsoft Windows machines come with a certificate auto-enrollment client built-in, which significantly eases the task of deploying both machine and user certificates on domain-joined windows machines.

The Problem

While auto-enrollment has many advantages, there are a few disadvantages of using a Microsoft Certification Authority (CA) with auto-enrollment or using other CAs that don’t support auto-enrollment. Standing up a secure Microsoft CA with a CP/CPS to meet the demands of an enterprise can become very complex, time-consuming and expensive, not just for the initial deployment but also for regular maintenance tasks to keep the CA keys safe and secure while still allowing the issuance, renewal and revocation of end-entity certificates. In addition to hardware costs to protect the CA keys, you have to maintain internal PKI expertise as well as validation services to accurately report the status of every issued certificate that has not yet expired.

The Solution

AppViewX CLMaaS has added support for Google Cloud’s Certificate Authority Service (CAS). Customers who have their CAs hosted in Google Cloud CAS can leverage AppViewX CLMaaS, which natively includes support for the in-built Windows auto-enrollment client in Windows servers and workstations, allowing customers to quickly and seamlessly deploy certificates from their Google Cloud hosted CA to replace the certificates issued from their internal MS CA, without any additional footprint on the target windows machine. All that needs done after setting up the CLMaaS subscription is to simply re-configure the Certificate Enrollment Policy to request certificates from the new CA instead of the old CA.

High-level overview of migrating from an internal Microsoft CA to Google Cloud CAS with AppViewX CLMaaS

  1. Sign up for a CLMaaS subscription with AppViewX
  2. Select Google CAS as the Certificate Authority in the list of Certificate Authorities
  3. Add the Project ID and credentials to access Google Cloud CAS
  4. Create certificate templates (in AD) for each type of certificate required, such as servers, workstations, users or devices.
    • In case there are existing templates being used with the Microsoft CA server, those can be duplicated for configuration in the next step.
  5. Configure the Certificate Policy in PKIaaS to define the certificate profile for each Certificate template.
    • This allows the enforcement of policy for certificate attributes such validity, signature algorithm, key usage and extended key usage.
  6. Deploy the AppViewX Cloud Connector and Auto-enrollment Proxy in your local environment
    • The Cloud Connector is the conduit for all messages, including certificate requests, from your private corporate network to the cloud hosted PKIaaS.
    • The Auto-enrollment proxy receives the requests from clients, extracts the requester entity’s values from Active Directory, and forwards the request to AppViewX where it is signed by the CA of choice.
  7. Update the Group Policy
    • Modify the Certificate Enrollment Policy in the GPO to use the new CA templates to replace the templates corresponding to the internal Microsoft CA.

As soon as the GPO is applied, the auto-enrollment client on the windows machine will enroll for new certificates from the new CA. Depending on the size of the organization and location of the users and devices, most of the end-entities configured to get a new certificate will automatically get their certificates the next time they logon to the domain (or when the group policy gets updated if they’re already logged on).

Note:

Customers should consider using the PKIaaS add-on from AppViewX that provides additional benefits out-of-the-box such as Custodian Management, enforcing M of N control for CA key operations and an OCSP responder.

Custodians are responsible for performing high-security tasks in key management such as creating and revoking CA keys and certificates as well as rotating or deleting keys. PKIaaS supports the M of N concept for all CA key operations so that a rogue administrator does not compromise the security of the CAs.

The OCSP responder available in PKIaaS allows relying parties and applications to obtain real-time revocation status of a certificate instead of relying on CRLs which may not be updated for hours or sometimes upto a few days.

What is AppViewX PKIaaS?

AppViewX PKIaaS

AppViewX PKIaaS is a turn-key solution for all enterprise PKI needs – Key management, Certificate issuance and certificate lifecycle management (CLM). It is delivered via AppViewX CERT+ that combines PKI as well as CLM functionalities. The solution can be consumed as a service (SaaS) or can be deployed in enterprise network in public clouds, private clouds or private data centers. All the certificate authority (CA) creation, CA management, certificate issuance and certificate management functions are available in a single cloud console. It not just simplifies the CA infrastructure part but also facilitates complete certificate lifecycle management (CLM) functionality and end-to-end automation.

With PKIaaS, enterprises can easily setup a robust and secure certificate authority (CA) hierarchy as well as other crypto policies without investing in costly PKI hardware or scarce security professionals – enterprises do not even need to purchase CA software.

Sometimes even auto-enrolled certificates may fail to renew and can be hard to detect and isolate. The AppViewX platform gives you visibility and alerts into all such occurrences through the AppViewX CERT+ platform so that such occurrences, rare as they may be, do not disrupt the business.

Tags

  • Certificate Enrollment
  • certificate lifecycle management
  • Certificate Lifecycle Management-as-a-Service
  • Google Cloud Certificate Authority Service
  • Microsoft Certification Authority
  • pkiaas
  • Windows Auto-enrollment

About the Author

Related Articles

AppViewX 2025 Predictions: Machine Identity Security, Certificate Lifecycle Management and PKI

| 3 Min Read

Machine Identity Was the Focus at Gartner’s IAM Summit

| 3 Min Read

Agent vs Agentless: Which Deployment to Choose for Certificate Lifecycle Management

| 6 Min Read