Introduction to ADCS
ADCS is made up of these main components:
- CA: Certification Authority, the entity that issues and manages certificates. There can be multiple CAs, organized in a hierarchy that places intermediate tiers between the end user and the root CA
- Certificate Templates: these define the settings of a certificate and dictate who can enroll for it and with which permissions, together with the other information needed to issue a valid certificate
- CES: Certificate Enrollment Server, whose main role is to expose web endpoints for certificate enrollment so that end users can renew certificates via HTTPS requests
- Certificate Enrollment Policy Web Server: allows users to view information about the enrollment policy of a specific certificate
- CA Web Enrollment: lets hosts that are not domain-joined, or that run other operating systems, renew certificates
- NDES: Network Device Enrollment Service, allows offline network devices to obtain certificates
ADCS uses X.509 certificates in the following formats:
- PEM: the base64-encoded form of a DER certificate; it can store multiple keys, with no password protection
- DER: the raw (binary) form of a PEM certificate
- PFX / P12 (PKCS#12): can store a number of private keys with password protection
- P7B (PKCS#7): used to store multiple chain certificates but not private keys
Each certificate (and certificate template) has some main attributes:
- Subject: the entity to which the certificate is issued
- Issuer: usually the CA
- SAN: Subject Alternative Name
- Validity Period
- EKU: Extended Key Usage, defines what the certificate can be used for
- OID: Object Identifier, indicates the purpose / usage scenarios of a certificate
OID | Certificate use |
---|---|
1.3.6.1.5.5.7.3.1 | Server Authentication |
1.3.6.1.5.5.7.3.2 | Client Authentication |
1.3.6.1.5.5.7.3.3 | Code Signing |
1.3.6.1.5.5.7.3.4 | Secure Email |
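The PEM/DER relationship and the EKU OID table above, worked through as an added example that is not part of the original page: a small DER reader that turns a PEM-wrapped extKeyUsage value back into raw bytes, decodes each OBJECT IDENTIFIER (including multi-byte arcs), and maps it to the use from the table. The sample value, its PEM label and the Microsoft Smart Card Logon OID (1.3.6.1.4.1.311.20.2.2, a well-known value that is not on the page) are this example's own assumptions.

```python
import base64
# EKU OIDs from the table above, plus Microsoft's Smart Card Logon OID (not on the page).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
}

def pem_to_der(pem_text: str) -> bytes:
    """PEM is base64 between BEGIN/END lines; DER is the decoded raw bytes."""
    lines = (ln.strip() for ln in pem_text.splitlines())
    return base64.b64decode("".join(ln for ln in lines if not ln.startswith("-----")))

def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, content, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 arcs)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0  # first byte = 40*a+b
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: this byte ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def eku_uses(der: bytes) -> dict:
    """extKeyUsage is SEQUENCE OF OBJECT IDENTIFIER; map each OID to its use."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    uses, pos = {}, 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("extKeyUsage entries must be OBJECT IDENTIFIERs")
        oid = decode_oid(content)
        uses[oid] = EKU_NAMES.get(oid, "unknown")
    return uses

# Constructed sample: extKeyUsage (Server Auth, Client Auth, Smart Card Logon) in a PEM-style wrapper; label made up.
SAMPLE_EKU_PEM = """-----BEGIN EXTKEYUSAGE-----
MCAGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNxQCAg==
-----END EXTKEYUSAGE-----"""
```

Calling `eku_uses(pem_to_der(SAMPLE_EKU_PEM))` returns the three OIDs mapped to their uses; an OID missing from the table comes back as "unknown", which is the case worth flagging when reviewing what a template actually issues.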
Once a client submits a CSR (Certificate Signing Request), the CA checks whether the client has the right permissions to enroll for the requested certificate. If the permissions match, a certificate is generated, signed with the CA's private key, and returned to the user.