Microsoft Active Directory Certificate Services
Microsoft Active Directory Certificate Services (AD CS), through a server that acts as a certificate authority (CA), provides management of the certificates that are essential to a Public Key Infrastructure (PKI). By using a network-connected Futurex HSM, organizations can securely store the CA keys and accelerate the encryption and signing operations behind certificate issuance.
Greater Security for Certificate Authorities
While Microsoft AD CS provides many benefits for your PKI environment as a stand-alone service, hardware security modules (HSMs) protect your CA keys in a way that software alone cannot. Organizations with existing PKIs that use an HSM to generate new keys tremendously strengthen the integrity and confidentiality of their data.
Of the services provided by Microsoft AD CS, the most frequently used is operating the server as a CA. A CA can:
- Issue and distribute certificates, which confirm the identity of the owner of a given private key
- Define the acceptable-use policies of the certificates it issues
- Revoke certificates through the publishing of certificate revocation lists (CRLs)
- Log certificate requests, issuance, and revocations
Why Incorporate Futurex HSMs?
A poorly managed PKI can expose an organization to numerous vulnerabilities. The cryptographic signing keys of a CA, which sign the CRLs it publishes, are essential to maintaining a PKI, and as such they are often the target of sophisticated attacks. Without the protection of an HSM, many skilled attackers and fraudsters have the capability to manipulate a CA, and once a CA is compromised, the validity of every certificate it has issued becomes questionable. The Data Protection API (DPAPI) offered by Microsoft provides password protection, but anyone with access to that password can manipulate and alter the CA.
Organizations that protect their CAs with Futurex technology are backed by cryptographic processors that comply with highly rigorous security standards, including FIPS 140-2 Level 3. Futurex HSMs are equipped with physical and logical security measures designed to prevent security breaches.
Futurex's solutions are designed for seamless integration and scalable growth. Our simplified integration guide covers how to incorporate an HSM with Microsoft AD CS. Additionally, all Futurex technology shares the same Base Architecture Model (BAM), allowing easy expansion or customization of existing cryptographic infrastructure.
To summarize, Futurex's support for Microsoft AD CS:
- Seamlessly integrates into existing Public Key Infrastructure
- Increases strength and security of Microsoft solutions
- Eases the burden of regulatory requirements
- Provides FIPS 140-2 Level 3 validated encryption
- Supports a range of key lengths (2048, 3072, or 4096 bits) and hash algorithms (SHA-1, SHA-256, or SHA-512)