Windows Auto-Enrolment: Enabling centralised certificate management

Posted by Mike Hathaway on Aug 2, 2023 11:24:17 AM

Microsoft essentially holds one of the world’s de facto standards when it comes to Enterprise Server and Workstation Deployments.

Microsoft’s Windows operating system is very mature and enables many third-party solutions to integrate from a productivity and security standpoint. Microsoft provides Active Directory Certificate Services (ADCS) to enable Microsoft-enabled clients to request certificates to securely access domain-based resources.

ADCS is designed to work within the confines of an Active Directory domain with Microsoft clients that support SCEP, PKCS#10 and Windows Native Certificate Enrolment – it does not support ACME, EST or CMP and, as a result, cannot scale to meet all use cases.

Ascertia’s ADSS Web RA Server, together with ADSS PKI Server, can easily be integrated into a Microsoft domain to deliver a centrally managed certificate management policy in a consistent manner to Microsoft domain and non-domain users and computers.

Ascertia ADSS Web RA Server’s Windows Enrolment support means that administrators, users and device owners do not need to change their behaviour – they can simply leverage the Microsoft tools as they do today. All certificate requests are sent to ADSS PKI Server where the centrally managed policy is seamlessly applied and user and computer certificates are issued.

Simplified certificate management

ADSS Web RA Server has been specifically designed to simplify system administration and enable end-users to self-service, providing a secure and intuitive web-based portal where users can self-manage their individual certificates.

[Figure: Web RA issued certificates]

Grouping certificates for device administrators

Alternatively, if you are a device or IT administrator, then ADSS Web RA Server makes it easy for certificates to be grouped by role to enable you to easily access certificates for the devices you manage.

For example, you can group by certificate template or certificate contents. Device owners may want to group all certificates with OU=Laptops to be assigned to laptop administrators and then assign all certificates with OU=Switches to a network administrator.


Automatic certificate issuance

Microsoft Auto-Enrolment is a key part of the Microsoft certificate provisioning use case. Certificate enrolment is managed via Microsoft Group Policy, which is applied to users, groups, workstations and servers via Active Directory.

When a client refreshes Group Policy, it is given the network location of the Web RA Server Certificate Enrolment Policy Server. The policy server sends a request to Active Directory to query the certificate templates and enrolment servers the client is entitled to access.

This information is then returned to the client, which uses it to connect to the Certificate Enrolment Web Service. The web service retrieves the user’s details from Active Directory before submitting a certificate request to an ADSS Server-based Certificate Authority (CA). ADSS Server then returns a signed certificate to the client, where it is installed.
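
The flow above can be checked from a domain-joined client with built-in Windows tools. The following PowerShell is an added example, not Ascertia's code: it shows which enrolment policy server Group Policy handed to the user, triggers auto-enrolment, and lists the resulting certificates with their template and issuer. The issuer name is a placeholder to replace with your own issuing CA.

```powershell
# Added example: client-side check of the auto-enrolment flow. Run as the enrolled user.
# $ExpectedIssuer is a placeholder (assumption); set it to your issuing CA's subject name.
$ExpectedIssuer = 'CN=Example Issuing CA'

# 1. Refresh Group Policy so the client receives the enrolment policy server location.
gpupdate /target:user

# 2. Show the enrolment policy servers that Group Policy applied to this user.
$servers = Get-CertificateEnrollmentPolicyServer -Scope Applied -Context User
if (-not $servers) {
    Write-Warning 'No enrolment policy server has been applied by Group Policy.'
}
$servers | Format-List *
foreach ($s in $servers) {
    # The policy endpoint should only ever be reached over TLS.
    if ("$($s.Url)" -notmatch '^https://') {
        Write-Warning "Policy server URL is not HTTPS: $($s.Url)"
    }
}

# 3. Trigger auto-enrolment now instead of waiting for the next scheduled run.
#    Enrolment is asynchronous, so allow it some time before reading the store.
certutil -user -pulse | Out-Null
Start-Sleep -Seconds 30

# 4. List certificates in the user's personal store with template and issuer.
#    Template OIDs: v2 "Certificate Template Information" and v1 "Certificate Template Name".
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $ext = $_.Extensions |
        Where-Object { $_.Oid.Value -in $templateOids } |
        Select-Object -First 1
    [pscustomobject]@{
        Subject        = $_.Subject
        Issuer         = $_.Issuer
        Template       = if ($ext) { $ext.Format($false) } else { '(none)' }
        NotAfter       = $_.NotAfter
        FromExpectedCA = $_.Issuer -like "*$ExpectedIssuer*"
    }
} | Sort-Object NotAfter -Descending | Format-Table -AutoSize -Wrap
```

A certificate whose `FromExpectedCA` column is `False` was not issued by the CA named in the placeholder and is worth tracing back to the template and policy server that produced it.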

[Figure: Windows auto-enrolment diagram]

Auto provision web-based self-service

ADSS Web RA will automatically create an account for users to access any certificates that they have been enrolled for. Users simply need to log into their device and, when certificate auto-enrolment provisions them with a digital certificate, they will also receive an email inviting them to join the Web RA digital identity management portal.

Centralised deployment

ADSS Web RA Server is designed to be installed and integrated with an organisation’s Microsoft Domain. Each instance of Web RA Server can connect to multiple installations of ADSS Server, easily enabling organisations to connect Web RA Server to a centrally hosted PKI based on Ascertia ADSS PKI Server.

This can be hosted within the Enterprise or, optionally, by a member of the Ascertia global ecosystem.

For more information on locating a local provider, please visit our website or contact a member of our team.

Digital trust foundation

ADSS Server and ADSS Web RA Server are core products of the Ascertia Digital Trust family.

Together they offer enterprises, Trust Service Providers (TSPs) and governments a rich set of digital trust services that enable the issuance and management of digital identities for people, devices and applications. The package can easily enable additional use cases that are the very foundation of digital business, such as digital signatures, signature verification, certificate verification, time-stamping and remote signatures.

ADSS Server and ADSS Web RA Server integrate seamlessly with Ascertia's SigningHub, a digital workflow and signature platform that enables digital transformation. SigningHub is used the world over by enterprises, TSPs and governments to provide digital signatures to internal and external users and can be integrated into leading business applications.

For more information on digital trust and Ascertia’s technology, read our other blogs.