Welcome back! In this final part of my AD CS series, Iβll focus on something often overlookedβbut critical: securing and maintaining your Enterprise Certificate Authority.
An improperly secured CA can lead to a full Active Directory compromise. So hereβs what I always do to harden, monitor, and back up my CA environment.
𧱠1. Harden the CA Server (Baseline Security)
π§° Core Steps I Always Follow:
- β Remove unnecessary roles β CA should be a dedicated box
- β Disable Internet access (except for CRL/OCSP publishing if needed)
- β Apply latest Windows updates
- β Use static IP and DNS
- β Remove user logins (only admins allowed)
- β Turn off SMBv1, legacy protocols
- β Enable Windows Firewall and restrict inbound rules
π 2. Lock Down CA Permissions
π§ Certification Authority Console > Properties > Security
- Only allow:
- Domain Admins or PKI Admin Group
- Authenticated users β only Read & Enroll (no Manage)
- Disable “Everyone” or “Domain Users” if present with high privileges
- Enable Auditing for
Issue and Manage Certificates
π 3. Enable Auditing for CA Activity
π Audit who requests, issues, revokes, or changes cert settings
- Enable audit policy:
- Run
secpol.mscβ Local Policies β Audit Policy - Enable:
- Audit object access
- Audit privilege use
- Audit policy change
- Run
- Then on the CA:
- Open CA console β Properties β Auditing tab
- Check:
- Issue/revoke certificates
- Start/stop services
- Change CA config
π Review logs under Security Event Log and CA logs for anomalies.
π§― 4. Backup CA Configuration
This is mission-critical. I always schedule regular backups using the built-in tools.
π Backup Steps:
# Export CA database and private key
certutil -backupdb "D:\CA_Backup"
certutil -backupkey "D:\CA_Backup"Also, export the CA certificate and private key using MMC > Certificates (Local Computer) > Personal > Export.
π I keep:
CA databasePrivate keyRegistry settings(HKLM\SYSTEM\CurrentControlSet\Services\CertSvc)CRL/AIA/OCSP configuration
π‘ I store backups offline or in a secure vault (not on the CA itself).
π 5. Test CA Recovery (Once per year minimum)
I simulate a CA disaster recovery scenario using:
- A VM snapshot or cloned lab CA
- Importing backup DB + key
- Ensuring issued certificates still validate
π§ͺ This ensures business continuity if the CA ever fails or gets compromised.
π 6. Publish CRLs & AIA to Secure, Redundant Locations
- Use internal IIS or DFS shares
- Configure CRL Distribution Points (CDPs) in:
http://pki.domain.local/CRL/ca.crl
- Use multiple CDP URLs for HA
- Protect CRL files with strict NTFS permissions
π 7. Offline Root CA? Even Better!
For high-security environments, I deploy:
- π₯οΈ Offline Root CA (only used once every few years)
- π Online Subordinate Enterprise CA (day-to-day operations)
This isolates the trust anchor and reduces attack surface.
π‘οΈ 8. Optional but Recommended Security Features
| Feature | Description |
|---|---|
| HSM (Hardware Security Module) | Store CA private key in tamper-proof hardware |
| EFS/BitLocker | Encrypt private key and backups |
| TPM-backed keys | On modern servers |
| Certificate Manager restrictions | Limit who can approve/revoke requests |
| Split admin model | Separate issuing CA admins from domain admins |
π Final Checklist
β
Harden OS and network
β
Limit and audit CA access
β
Backup CA regularly
β
Configure CRL and OCSP securely
β
Test recovery procedures
β
Consider Root CA isolation
β
Monitor logs and events weekly
π§ Wrapping It Up: The Full AD CS Journey
Youβve now walked through a full Enterprise PKI deployment with me:
π AD CS Blog Series Recap:
- β Introduction to AD CS
- β Installing the Enterprise Root CA
- β Creating and Publishing Certificate Templates
- β Enabling Auto-Enrollment via Group Policy
- β Issuing SSL Certificates to Web Servers
- β OCSP and Revocation Checking
- β Hardening and Auditing the CA