Investing in a Public Key Infrastructure (PKI) for your 802.1x network is the single best decision you can make to improve your network. The hardened security and improved user experience provided by X.509 digital certificates is the obvious next step in user authentication.
Does AD CS Replace a PKI?
There’s a little bit of confusion surrounding the purpose and abilities of AD CS. By itself, it is not a PKI. It’s a server role that allows you to configure the necessary components for a PKI such as certificates, certificate authorities, and an enrollment service.
That’s important to note because AD CS is not a plug-and-play PKI solution. It’s more of a DIY PKI, similar to how Microsoft’s NPS is not an enterprise-grade RADIUS server but enables you to build a DIY RADIUS.
The difference is not just semantic. AD CS lacks features that are crucial for efficient PKI management, which harms the overall security of your network.
AD CS Is Not Cloud-Compatible
Most features can be compensated for or compromised on, but the lack of interconnectivity with the cloud should be a deal breaker for every organization.
AD CS was built for use with Active Directory (AD), which is an on-premise only directory. AD CS isn’t compatible with Azure AD, Microsoft’s modern cloud directory, except indirectly through extensions. Even then it requires an on-premise server to be maintained.
There’s no way to use AD CS without an outdated, on-premise AD server sucking time and money. There is no way to effectively connect an AD CS PKI to the cloud, which hugely limits the potential of digital certificates for use in federated authentication – more or less defeating the purpose of a PKI.
AD CS vs Managed PKI
Putting aside the matter of cloud connectivity, it’s important to weigh the pros and cons of an on-premise AD CS PKI compared to a managed PKI.
On-premise options are attractive to organizations because it means that network security responsibility is in-house. For very sensitive data, or situations in which compliance regulations demand it, an on-premise PKI is a necessity.
For just about every other situation, though, a managed PKI is better.
Managed PKI is Significantly More Cost-Effective
Believe it or not, having a third party run your PKI is almost always cheaper than doing it yourself. Here’s a white paper from Digicert that says as much. The inherent scalability of cloud services is part of it, but the bigger savings is in start up costs and staffing.
An on-premise PKI requires experienced IT staff to maintain (especially if you’re using LDAP, which practically all AD environments use). Hiring and training staff to competently handle a PKI is a long, expensive process. Furthermore, the physical hardware required for a PKI will need to be set up in a properly secured server room. The hardware costs are also pretty hefty.
Managed PKI vendors already have infrastructure (and redundancies) in place and the capacity to scale to meet demand. They typically charge per device or user, so you only need to pay for as much as you need.
Managed PKI is More Secure
One of the overlooked benefits of a managed PKI is that it tends to be more secure than the DIY, on-premise implementations.
The biggest reason is that managed PKIs are run by full-time PKI engineers and support staff that actually know what they’re doing. PKI is their whole job, not just another task piled onto a never-ending list of work for the IT guy in the office. They know the ins and outs better than anyone and they’re always up to date on industry news and best practices.
The cloud in general is safer, too. The decentralized nature of the cloud means it is more resilient to natural disasters that could destroy or interrupt on-premise servers. It also makes physical access by hackers virtually impossible – when was the last time someone broke into an AWS server room?
Lastly, the cloud is newer and more robust. In order to use AD CS, you need to use Windows Server 2012. Does that sound dated to you? That’s basically the Iron Age for cybersecurity.
It’s time to return to the present. We’ve had decades to find vulnerabilities in on-premise networks – like the fact that the PEAP-MSCHAPv2 authentication protocol has been cracked, yet people still use it everyday. It’s simply unconscionable to equip your network with faulty protection.
Using a Managed PKI Service Alongside your AD CS Certificate Authority
One thing that is often forgotten is that many PKI solutions can be used in tandem with the popular Microsoft certificate authority. AD CS requires a lot of man hours to configure and setup and even more to maintain. But with a managed PKI service like SecureW2, all the labor-intensive tasks of a homebrew PKI are automated.
For example, SecureW2 makes it incredibly easy to manage your certificates. You can easily search for certificates by username, SAN, operating system, and much more. You can also select individual users and see all their certificates and devices, alongside their certificate enrollment logs, making remote troubleshooting a breeze.
It also significantly improves the certificate enrollment process. SecureW2’s #1 rated onboarding software allows BYOD devices of any operating system to easily self-enroll for certificates. Plus our advanced API gateways empower admins to send payloads that allow managed devices to enroll themselves for certificates in ultra-secure fashion.
In fact, many of our customers use their existing Azure and AD CS infrastructure with our managed PKI services. All of our products are designed to be totally vendor-neutral so we can integrate into your existing infrastructure, and upgrade or replace as needed, to build the PKI that works for you.
Best Managed PKI Replacement for AD CS
Some organizations are still holding on to AD and AD CS because it took so much effort to get it working properly that they’re reluctant to go through the whole process again.
It’s true that implementing a PKI used to be an enormous hassle. Thanks to advancements in cloud computing, that’s no longer the case. If you want to replace your AD CS PKI, SecureW2’s PKI services can be set up in minutes with our AI-driven Getting Started Wizard.
In a few clicks, a custom root and intermediate certificate authority will be generated, alongside base and delta certificate revocation lists, certificate templates, and everything else you could need for ultra-secure certificate security. Plus, it even comes with our world-class CloudRADIUS service, that’s built for certificate authentication!
The great thing is, all our products are incredibly cost-effective. Most organizations save money even when they use it in tandem with AD CS, because of all the helpful time-saving features. Want to know how much you can save? Click here to see our prices.
