
Simplify Certificate Enrollment with AD CS

Many organizations recognize the inherent weakness of password-based authentication (passwords can be phished, reused, and replayed) and have switched to certificate-based authentication as a result. Moving away from passwords is an excellent first step.

Of course, this decision shouldn’t be taken lightly, as transitioning to certificate-based authentication is an involved process. Most often, organizations opt for third-party software to simplify it.

Active Directory Certificate Services (AD CS) is a popular choice for Microsoft-reliant organizations. But running AD CS on its own requires specialized PKI knowledge and, in a larger organization, a team of IT professionals to operate it. The certificate enrollment process alone can leave some feeling that there must be a more straightforward approach to certificates.

Certificate Management with AD CS

Implementing AD CS is a great starting point for many organizations when they first adopt certificates, but most quickly find that it lacks key features for certificate management. It gives you a certificate authority and the tools to authenticate with certificates, but little else to simplify enrollment and lifecycle management over time.

Lack of Onboarding Software

Within most organizations, there are two main groups of devices: managed devices (enrolled in an MDM) and BYOD. AD CS can issue certificates to MDM-managed devices through its Network Device Enrollment Service (NDES), which exposes a SCEP endpoint: the MDM pushes a certificate payload that enrolls the device and configures it for certificate-based authentication.

BYOD users, on the other hand, are left without an enrollment solution and must configure their devices for certificates manually. The manual process is complex and involves many steps beyond the technical knowledge of the average user: requesting the certificate, installing it with its private key, trusting the right CA, and configuring the network profile to validate the RADIUS server. Even with a configuration guide, many users make mistakes that lead to misconfigurations, security lapses (most commonly, disabling server certificate validation), and IT support tickets.

Lack of Management Software

When an organization deploys AD CS, it gets the software to stand up a certificate authority in its infrastructure, but not dedicated certificate management software. Manually managing an entire organization’s certificates requires a dedicated PKI team to keep everything organized and ensure nothing falls through the cracks.

To maintain network integrity, it’s vital to know who holds a certificate and what resources it grants access to. Without management software, organizations are in the dark and cannot enforce security strategies such as Zero Trust. AD CS provides the building blocks of a PKI (a CA, certificate templates, and enrollment services), not the lifecycle management around them, and it cannot manage certificates issued by a third-party PKI.
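The "who holds which certificate" half of that visibility is answerable from the AD CS database itself; what AD CS lacks is a workflow around it. The following added example (not code from the original post or from SecureW2) pulls every issued, still-valid certificate out of the CA database with `certutil -view` and reports them per requester, plus the ones expiring within 30 days. The CA config string `CA01.corp.example\Corp-Issuing-CA` is a placeholder, and the date parsing assumes the CA's locale date format is parseable by `[datetime]::Parse`. What each certificate grants access to is decided by your RADIUS or NAC policy, not the CA, so that part is out of scope here.

```powershell
# Added example, not from the original post. The CA config string is a placeholder.
$CaConfig = 'CA01.corp.example\Corp-Issuing-CA'   # assumed: "<CA host>\<CA common name>"

# AD CS database column names to export. Disposition 20 = issued (21 = revoked, 30 = failed,
# 31 = denied, 9 = pending), so the restriction below already excludes revoked certificates.
$Columns = 'RequestID,RequesterName,CertificateTemplate,SerialNumber,NotAfter'
$rows = certutil -config $CaConfig -view -restrict 'Disposition=20' -out $Columns csv |
        Select-Object -Skip 1 |                                 # drop certutil's own header row
        ConvertFrom-Csv -Header 'RequestID','Requester','Template','Serial','NotAfter'

$now = Get-Date
$live = foreach ($r in $rows) {
    $expires = [datetime]::Parse($r.NotAfter)                   # assumed: locale format Parse() accepts
    if ($expires -gt $now) {                                    # keep only certificates still valid today
        [pscustomobject]@{
            Requester = $r.Requester
            Template  = $r.Template
            Serial    = $r.Serial
            NotAfter  = $expires
        }
    }
}

# Per-principal view: how many live certificates each requester holds, from which templates,
# and when the first of them expires. A principal with several live certs from the same
# template is usually a sign of repeated re-enrollment without revocation of the old ones.
$live | Group-Object Requester | ForEach-Object {
    [pscustomobject]@{
        Requester  = $_.Name
        LiveCerts  = $_.Count
        Templates  = ($_.Group.Template | Sort-Object -Unique) -join ', '
        NextExpiry = ($_.Group | Sort-Object NotAfter | Select-Object -First 1).NotAfter
    }
} | Sort-Object NextExpiry | Format-Table -AutoSize

# Renewal queue: certificates that will stop authenticating within 30 days.
$live | Where-Object { $_.NotAfter -lt $now.AddDays(30) } |
    Sort-Object NotAfter |
    Format-Table Requester, Template, Serial, NotAfter -AutoSize
```

Run it from an account with read access to the CA (members of the CA's Manage CA or local Administrators role, or a delegated reader). It is a snapshot, not management: nothing here tells you which certificates were copied to a second device, nor revokes anything, which is exactly the gap the rest of this section describes.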

Device Diversity Problems

There are a huge number of device vendors and many operating systems to support. As most users of Microsoft environments know, Microsoft tooling often does not work well with non-Windows devices.


Specifically, Group Policy Objects (GPOs), the mechanism Active Directory uses to push configuration and security settings to domain-joined Windows users and computers based on their place in the organization, do not apply to Apple devices. This is extremely restrictive for iOS and macOS BYOD users, since integrating AD CS with these devices requires third-party software.

AD CS Enrollment with SecureW2

Streamlining AD CS certificate enrollment requires integrating third-party software. SecureW2’s JoinNow onboarding solution simplifies certificate distribution to BYOD devices.

It integrates with AD CS and lets users obtain certificates on any device. For the end user, the entire process takes a few clicks and a couple of minutes, after which the device is provisioned with a certificate and can authenticate immediately. SecureW2 also supports enrollment gateways such as SCEP to deliver certificates to a wider range of MDMs than AD CS alone.

In addition to certificate enrollment, SecureW2 provides management software with our turnkey cloud PKI. Our PKI integrates with any network infrastructure and with AD CS. The management portal lets admins oversee every certificate from issuance to revocation or expiration, troubleshoot authentication issues remotely, and assign granular group policies that segment users and implement Zero Trust.

Make AD CS Work For You

Leaving passwords behind for modern measures like certificate-based authentication is a meaningful step toward a more secure future. But, like any new technology, if it isn’t backed by robust management tools and support, it may not live up to the expectations you set.

Combining SecureW2 with AD CS pairs strong certificate security with efficient enrollment and management tools. Check out SecureW2’s pricing page to see if our certificate solutions are right for your organization.

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.