Public Key Infrastructure is a set of resources (technical, material and human), distributed services and components, which are used together to maintain cryptographic tasks basing on private and public keys. The main task of PKI is to distribute keys and to manage their life cycle.
Why is it required to manage keys? Encryption has been used for thousands years and initially symmetric key was used for this purpose. It means that the same key was used both to encrypt and to decrypt information. Immediately a problem of key delivery to the user appeared. In fact while being delivered the key can be intercepted and then encrypted information can be easily read.
The problem of keys exchange is solved with asymmetric cryptographic algorithms. Each user has two keys – public and private, which are linked with each other with mathematical dependence. The dependence does not have an inverse function, i.e. if you have user’s public key you cannot restore private key. Information is encrypted with user’s public key and is decrypted with private key. Public key can be distributed without any limit while private key is always stored directly by the user. Public keys technology is developed on the basis of this principle.
PKI is based on several main principals:
- Private key is known only by its owner.
- Certification Authority creates the public key certificate validating the key in this way.
- Nobody trusts to each other but everybody trusts to Certification Authority.
- Certification Authority validates or invalidates belonging of public key to specified user, which owns corresponding private key.
In fact, PKI is a system, the main components of which are Certification Authority and users interacting with each other by the means of Certification Authority.
Does the organization need its own Public Key Infrastructure? Following solutions can be an alternative to it:
- Purchasing certificates from commercial Certification Authority.
- Using self-signed certificates.
With rising number of certificates being used these solutions become unsuitable, in the first case – because of high cost, in the second case – because of absence of single trust center. Common disadvantage is unavailability of centralized management. That is why while growing every organization comes to necessity of its own Public Key Infrastructure development.
The basis of PKI in Windows Server is Active Directory Certificate Services. Certification Authority based on ADCS issues certificates meeting the requirements of industrial standard X.509 v 3 (RFC 5280).
The main advantage of ADCS-based PKI is its integration with Active Directory, which allows efficient managing PKI components and automating various operations.
PKI implementation allows solving a lot of tasks of company information security enhancement, such as following tasks:
- Two-factor authentication
- Remote access protection
- E-mail massages protection
- Web-servers traffic protection
- Software signing
- Servers and clients authentication
Our knowledge and skills allow implementing Public Key Infrastructure of any level of complexity meeting customer’s requirements most closely. All works can be carried out within a short time and with minimal costs. Also we provide a set of required documentation.
Active Directory Certificate Services (AD CS) is a server role, a part of Windows Server operating system. It is the basis of Public Key Infrastructure. ADCS includes following components:
Certification authority is the Certification Authority itself (CA). It issues certificates, publishes information about status of issued certificates, allows certificate deactivation before the end of its validity period.
Web enrollment allows users to connect to Certification Authority using web-browser to request certificate or download Certificate Revocation List (CRL).
Online Responder is a component providing OCSP (Online Certificate Status Protocol) support. Online Responder allows real-time checking status of specified certificate. It receives client’s request for certificate check, checks its status and sends signed respond containing information about the certificate.
Network Device Enrollment Serviceis a component allowing network devices to request certificates via SCEP (Simple Certificate Enrollment Protocol). Also SCEP is used in many MDM (Mobile Device Management) solutions to install certificates to mobile devices – phones and tablets.
Certificate Enrollment Web Service is a component providing users and computers with capability to request certificates using HTTPS. Furthermore, this service together with Certificate Enrollment Policy Web Service allows requesting certificates on the basis of policies in case client computer is not a domain member.
Certificate Enrollment Policy Web Service is a service that allows users and computers to get information about certificate request policy. This service together with the one mentioned above allows requesting certificates according to policies if client computer is not a domain member. Using LDAP this service receives certification policy from AD domain services and cashes policy data for processing client requests. Using HTTPS it transfers certification policy data to network computers.
Proper combination and adjustment of components mentioned above allows developing efficient Public Key Infrastructure, meeting all customer’s requirements.
Here you can find additional information about described technology and its implementation peculiarities.