Pro Active Directory Certificate Services
Creating and Managing Digital Certificates for Use in Microsoft Networks
This Apress imprint is published by the registered company APress Media, LLC part of Springer Nature.
The registered company address is: 1 New York Plaza, New York, NY 10004, U.S.A.
This book is dedicated to my daughter, Bronwen Ferry Hughes. I taught her C# and networking from an early age. We believe she may have been the youngest person to ever pass the IPv6 Forum’s Certified Network Engineer for IPv6 test. Even though I was the instructor, she legitimately passed the exam at the age of 16. She created most of the diagrams used in the book, and they are beautifully done. She graduated from the Singapore Campus of Oxford Brookes University as Valedictorian and is now working in Texas in IT. My wife and I are both very proud of her.
This book contains two very different parts.
The first part covers the concepts, algorithms, and protocols used in modern cryptography and Public Key Infrastructure (PKI). It covers essentially the same information I taught in the VeriSign training classes (except for the VeriSign-specific content). We charged roughly $1000 a day for a four-day course, so you are getting quite a deal considering the very reasonable cost of this book.
Cryptography is an arcane area of technology that has grown vastly more powerful with the advent of digital computers. One area of it involves scrambling information using algorithms and cryptographic keys to provide privacy, authentication, and detection of tampering. This is used in many kinds of digital communications today. We could not have the modern Internet today without it. TLS (formerly called SSL) is widely used to secure not only web traffic but also email and other protocols. S/MIME can provide true end-to-end encryption and sender-to-recipient authentication in email, although I have also pioneered using it in file transfer.
PKI is a technology developed to do secure cryptography key management, in technologies such as TLS. Public keys must be wrapped in a digital certificate, where the identifying information has been validated. The certificate is digitally signed by a trusted third party (Certification Authority), such as VeriSign. VeriSign is no longer around, but there are other companies doing the same thing today, such as Entrust, DigiCert, and Sectigo. Digital certificates provide trust in cryptographic systems.
The second part of the book explains in detail how to deploy Microsoft’s Active Directory Certificate Services, which is a PKI you can deploy and run in-house, on Microsoft servers. It requires considerable knowledge of cryptography and PKI to run it correctly, hence the first part of this book.
It not only covers deployment of MS AD Certificate Services but also shows how to issue various kinds of digital certificates (TLS Server Certs, TLS Client Certs, S/MIME Certs, and Windows Logon Certs). It also covers examples of using these certs in Microsoft networks.
I would like to acknowledge the many people from whom I have learned cryptography and PKI over the years, especially the technical wizards at VeriSign.
Some 30 years ago, a friend of mine, Winn Schwartau, who has run many Information Warfare conferences over the years, approached me with an opportunity to make the communication software I had created for CP/M and MSDOS encrypt files and chat for the US IRS. We actually delivered a working product (which used a hardware DES board), and they accepted it. Unfortunately, congress never authorized funding for this, so it was never deployed, and the IRS continued sending sensitive financial information in plaintext over phone lines via modems for some time. Hopefully, they fixed this somewhere along the way! However, this got me started in the fascinating field of cryptography (using DES at the time).
I also learned a lot about cryptography from a great book on the subject, Applied Cryptography, by Bruce Schneier (one of my favorite authors on computer security). Thanks for the insight and knowledge, Bruce!
In 1998, I was working for a computer security company called SecureIT, founded by Jay Chaudhry (now CEO of Zscaler). We did white hat hacking plus firewall consulting and training. One of our customers was VeriSign. We made it further into their layers of security than anyone else, and they apparently decided we were safer on the inside than on the outside, so they bought us. They thought since we made great training for CheckPoint Firewall-1, we would be able to make equally great training for cryptography and PKI. Unfortunately, the two areas are quite different and the attempts by our firewall trainers did not go well. I was not a trainer, but I offered to try, since my degree was in math and I had learned at least some cryptography in the IRS project some years before. VeriSign loved what I came up with, and I spent the next two years traveling all over the world, teaching PKI to large customers and affiliates.
Since I was creating the training, I was allowed to ask anyone at HQ any question, and they were required to answer. I was “drinking from a firehose,” learning from literally the top people in the field. I also did very well there with Incentive Stock Options. Those helped me to co-found CipherTrust in 2000 (again with Jay Chaudhry), where I applied much of the technology I had learned at VeriSign.
I would also like to acknowledge the contributions of my two technical reviewers who have made this book better, more technically correct, and easier to understand.
The first half was reviewed by Merike Kaeo. I have known her for some 20 years and consider her one of the top people in the computer security field. She is also a senior advisor at my venture in Singapore, Sixscape Communications Pte Ltd. I am very honored that she was willing to spend some of her valuable time reviewing the first half.
The second half was reviewed by one of my students from my VeriSign days, Hans van de Looy. He is based in the Netherlands and was working for a networking company called Pink Roccade when I met him in my VeriSign training classes there. He is also an elite (white hat) hacker and is well known at DefCon and Black Hat Briefings.
is an internationally renowned expert in cryptography and PKI. He learned PKI from the top people in the field while working at VeriSign. He created and taught the courseware at VeriSign and presented it internationally to affiliates and large customers. He is a security author and was heavily involved in the deployment of several national certification authorities in the UK, Netherlands, and Australia. He later co-founded and was the first CTO at CipherTrust (who created a secure email proxy appliance). In 2014, he co-founded Sixscape Communications Pte Ltd in Singapore where he was responsible for creating much of their technology.
Merike is a senior member of the IEEE, a pioneer member of ISOC and has been an active contributor in the IETF since 1992. She was named an IPv6 Forum Fellow in 2007 for her continued efforts to raise awareness of IPv6 related security paradigms. Merike was appointed to the ARIN Board of Trustees in 2016 to serve a one year term from Jan 1, 2017 to Dec 31, 2017. Since 2010 she has been an active member on ICANN’s Security and Stability Advisory Council (SSAC) and from 2018 thru 2021 served as the SSAC Liaison to the ICANN Board.
Merike earned a MSEE from George Washington University and a BSEE from Rutgers University.