Alternative to Microsoft Certification Authority

Users cannot be trusted. Most of them are lazy and choose comfort over safety. According to statistics, 21% write down the passwords for their work accounts on paper, and 50% use the same passwords for work and personal services.

The environment is also hostile. 74% of organizations allow employees to bring personal devices to work and connect them to the corporate network. 94% of users cannot distinguish a genuine email from a phishing one, and 11% clicked on attachments.

All these problems are addressed by a corporate public key infrastructure (PKI), which provides email encryption and authentication and replaces passwords with digital certificates. This infrastructure can be deployed on Windows Server. As described by Microsoft, Active Directory Certificate Services (AD CS) is a server role that lets you build a PKI in your organization and use public key cryptography, digital certificates, and digital signatures.

But the solution from Microsoft is quite expensive.

Figure: total cost of ownership of a private Microsoft certification authority, compared with GlobalSign AEG.

In many situations it is more convenient and cheaper to build the same private certification authority but have it managed externally. This is exactly what GlobalSign Auto Enrollment Gateway (AEG) does. Several lines of expense disappear from the total cost of ownership (equipment purchase, support costs, staff training, and so on). Savings can exceed 50% of the total cost of ownership.

What is AEG

Auto Enrollment Gateway (AEG) is a software service that acts as a gateway between GlobalSign's SaaS Certificate Services and the enterprise Windows environment.

AEG integrates with Active Directory, enabling organizations to automate the registration, provisioning, and management of GlobalSign digital certificates in a Windows environment. By replacing internal certification authorities with GlobalSign services, enterprises increase security and lower the cost of managing a complex and expensive Microsoft internal certification authority.

GlobalSign SaaS Certificate Services is a more reliable option than weak, unmanaged certificates on your own infrastructure. Eliminating the need to run a resource-intensive internal CA reduces the total cost of ownership of the PKI, as well as the risk of outages.

Support for the SCEP and ACME protocols extends coverage beyond Windows, including automated certificate issuance for Linux servers, mobile, network and other devices, as well as Apple OS X computers joined to Active Directory.

Increased security

In addition to cost savings, external PKI management improves system security. As noted in an Aberdeen Group study, certificates are increasingly targeted by attackers: they successfully exploit well-known weaknesses such as untrusted self-signed certificates, weak cryptography and cumbersome revocation mechanisms. Attackers have also mastered more complex attacks, such as fraudulent issuance of certificates from trusted CAs and forged code-signing certificates.
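The weaknesses listed above can be checked for on any Windows endpoint before (or after) moving to managed PKI. The following PowerShell audit is an added example and not code from the original article or from GlobalSign; it assumes the standard Cert: provider paths for the machine and user personal stores and a policy minimum of 2048-bit RSA keys, and it flags self-signed certificates, short RSA keys, MD5/SHA-1 signatures, certificates with no revocation information (neither a CRL Distribution Points nor an Authority Information Access extension), and certificates outside their validity period.

```powershell
# Added example (not from the original article or GlobalSign): audits the local
# personal certificate stores for the weaknesses the Aberdeen study names.
# Assumptions: Windows PowerShell 5.1 or later; personal stores only; 2048-bit
# RSA as the policy minimum.

$stores     = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')   # assumption: personal stores
$minRsaBits = 2048                                                 # assumption: policy minimum

function Test-CertificateWeakness {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    $findings = New-Object System.Collections.Generic.List[string]

    # Self-signed: subject and issuer carry the same name. Trusted roots are
    # expected to be self-signed, which is why only the personal stores are audited.
    if ($Cert.Subject -eq $Cert.Issuer) { $findings.Add('self-signed') }

    # Weak key: RSA keys shorter than the policy minimum (non-RSA keys return $null here).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa -and $rsa.KeySize -lt $minRsaBits) { $findings.Add("rsa-$($rsa.KeySize)") }

    # Weak signature algorithm: MD5- or SHA-1-signed certificates (e.g. "sha1RSA").
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
        $findings.Add("sig-$($Cert.SignatureAlgorithm.FriendlyName)")
    }

    # Revocation: without CRL Distribution Points (2.5.29.31) or Authority
    # Information Access (1.3.6.1.5.5.7.1.1), relying parties cannot check revocation.
    $oids = $Cert.Extensions | ForEach-Object { $_.Oid.Value }
    if ($oids -notcontains '2.5.29.31' -and $oids -notcontains '1.3.6.1.5.5.7.1.1') {
        $findings.Add('no-revocation-info')
    }

    # Expired or not-yet-valid certificates.
    $now = Get-Date
    if ($Cert.NotAfter -lt $now -or $Cert.NotBefore -gt $now) { $findings.Add('outside-validity') }

    return $findings
}

$results = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $findings = Test-CertificateWeakness -Cert $cert
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Expires    = $cert.NotAfter
                Findings   = ($findings -join ', ')
            }
        }
    }
}
$results | Format-Table -AutoSize
```

Run it in an elevated session to read the LocalMachine store. A clean result does not by itself mean the certificates are trustworthy; it means the obvious structural weaknesses are absent, which is the baseline a managed CA is expected to enforce automatically through templates.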

“Most businesses are not actively managing the risks associated with these attacks and are not ready to quickly respond to compromises,” wrote Derek E. Brink, vice president and research security officer at Aberdeen Group. “By providing enterprises with the opportunity to transfer the operational aspects of certificate management into the hands of experts, while maintaining corporate control over group policies in Active Directory, GlobalSign aims to provide future growth in the use of certificates, solving practical security and trust issues in an efficient, cost-effective deployment model.”

How AEG Works

A typical AEG deployment has four key components, which together ensure that the right certificates reach the right endpoints:

  1. AEG software on a Windows server.
  2. Active Directory servers or domain controllers that allow administrators to manage and store resource information.
  3. Endpoints: users, devices, servers and workstations, almost any object that is a "consumer" of digital certificates.
  4. A GlobalSign or GCC certification authority, built on a robust certificate issuance and management platform. This is where the certificates are generated.

Three of the four components are located in the client's on-premises environment; the fourth is in the cloud.

First, endpoints are preconfigured through group policy (for example, to request a certificate for user authentication or for S/MIME) so that they subsequently connect to the AEG server. The connection is secured with HTTPS.

The AEG server queries Active Directory over LDAP for the list of certificate templates that apply to these endpoints, and sends that list to the clients along with the location of the certification authority. Having received these rules, the endpoints reconnect to the AEG server, this time to request the actual certificates. AEG in turn builds an API call with the specified parameters and sends it to the GlobalSign certification authority or GCC for processing.

Finally, the GCC back end processes the requests, usually within a few seconds, and returns an API response containing the certificate, which is installed on the requesting endpoint.

The whole process takes a few seconds and can be fully automated by configuring endpoints, through group policy, to obtain certificates automatically.
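From the endpoint's side, the procedure above leaves three things an administrator can verify: that the autoenrollment policy is actually applied, that the AEG server is reachable over HTTPS, and that the certificates in the personal stores were issued from a template and chain to a trusted CA rather than being self-signed. The following PowerShell check is an added example, not code from the original article or from GlobalSign; the AEG server name is a placeholder, and the decoding of the AEPolicy registry value (7 = enabled with renewal and template updates, 0x8000 = disabled) is my reading of the Auto-Enrollment policy and should be confirmed against your own GPO.

```powershell
# Added example (not from the original article or GlobalSign): verifies from an
# endpoint that certificate autoenrollment is in place and that the certificates
# it produced came from a template via a trusted CA chain.
# Assumptions: $aegServer is a placeholder; AEPolicy decoding as stated in the lead-in.

$aegServer = 'aeg.example.internal'   # placeholder: your AEG server's DNS name

# 1. Is the "Certificate Services Client - Auto-Enrollment" policy applied for the
#    machine (HKLM) and the current user (HKCU)?
foreach ($hive in 'HKLM', 'HKCU') {
    $key   = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value)        { $state = 'not configured' }
    elseif ($value -eq 7)        { $state = 'enabled (renew expired, update pending, update templates)' }
    elseif ($value -eq 0x8000)   { $state = 'disabled' }
    else                         { $state = 'configured, AEPolicy=0x{0:X}' -f $value }   # assumption: other bit combinations
    '{0} autoenrollment: {1}' -f $hive, $state
}

# 2. Can the endpoint reach the AEG server on the HTTPS port the article describes?
$reach = Test-NetConnection -ComputerName $aegServer -Port 443 -WarningAction SilentlyContinue
'AEG {0}:443 reachable: {1}' -f $aegServer, $reach.TcpTestSucceeded

# 3. Which personal-store certificates carry a certificate-template extension
#    (v1 template name 1.3.6.1.4.1.311.20.2 or v2 template info 1.3.6.1.4.1.311.21.7),
#    and does each one build a valid chain with online revocation checking?
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$results = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    foreach ($cert in Get-ChildItem -Path $store) {
        $tmpl = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
        if (-not $tmpl) { continue }   # not issued from a template: outside autoenrollment's scope

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Store       = $store
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Template    = $tmpl.Format($false)
            ChainValid  = $chainOk
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            Expires     = $cert.NotAfter
        }
    }
}
$results | Format-Table -AutoSize
```

A certificate that appears in the list with ChainValid false, or with a Subject equal to its Issuer, was not produced by the flow described above and should be investigated rather than trusted. If the policy shows as enabled but no template certificates appear, `certutil -pulse` triggers an autoenrollment cycle immediately instead of waiting for the next policy refresh.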

Unique features of AEG

Architecture Examples

Thus, external PKI management through the GlobalSign AEG gateway means increased security, cost savings and lower risk. Another advantage is easy scalability and higher performance. Proper PKI management ensures long uptime, prevents interruptions of critical operations caused by invalid certificates, and gives employees secure remote access to company networks.

AEG supports a wide range of use cases that require two-factor authentication: from remote workgroup clients accessing the network over VPN and Wi-Fi, to smart-card-based privileged access to highly sensitive resources.

GlobalSign is a global leader in cloud and network PKI identity and access management solutions. More detailed product information is available from our managers.
