Hardening PKI

One method of hardening authentication is to use digital certificates. Certificates can increase the security of IPsec, SSL connections, and web server authentication. Implementing such an approach requires a method of creating, distributing, and maintaining certificates. A common approach is to implement a public key infrastructure (PKI). PKI is a term that refers to the hardware, software, policies, and procedures used to manage all aspects of digital certificates. PKI has the reputation of making environments more secure, but this is only true if your PKI components are themselves secure.

The most important component of securing PKI is to ensure all computers that participate are hardened. This is especially true for the Certificate Authority (CA) servers. In addition to hardening CAs like other servers, ensure your CAs are physically secure and only accessible by authorized administrators. Ensure that you back up the CA keys and store them in a safe location. You’ll need these to recover certificate access after restoring from some types of disasters.

Use GPOs to distribute root CA certificates. Using GPOs gives you the ability to control and automate certificate distribution. To ensure you can track down unauthorized certificate actions, enable auditing for all CA and certificate events. On heavily utilized servers, you will probably need to increase the maximum audit log file size so that it holds more than a few days of log entries.
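
The following PowerShell sketch is an added example, not part of the original text. It applies the auditing, log-size, and key-backup advice above on a Windows CA server. The backup path, the log size, and the English audit subcategory name are assumptions to adjust for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the CA server itself. Values below are assumptions.
$BackupPath   = 'E:\CABackup'   # assumed path on encrypted, removable media
$LogSizeBytes = 1GB             # assumed Security log size; size to your event volume

# 1. Enable the OS audit subcategory that lets AD CS write to the Security log.
#    (The subcategory name is localized; this is the English name.)
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. Tell the CA service to audit every event class (127 = all seven filter bits),
#    then restart the service so the new filter takes effect.
certutil -setreg CA\AuditFilter 127
Restart-Service -Name CertSvc

# 3. Raise the maximum Security log size so CA events survive more than a few days.
#    A GPO that sets the log size will override this local setting.
wevtutil sl Security "/ms:$LogSizeBytes"

# 4. Back up the CA certificate and private key to a password-protected PKCS#12 file.
#    Move the result to offline storage; anyone holding it can impersonate the CA.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'Password for CA key backup' -AsSecureString
Backup-CARoleService -Path $BackupPath -KeyOnly -Password $pfxPassword

# 5. Verify the settings actually applied.
certutil -getreg CA\AuditFilter
auditpol /get /subcategory:"Certification Services"
wevtutil gl Security | Select-String 'maxSize'

# 6. Review the last day of CA activity that deserves a second look:
#    4886 request received, 4887 certificate issued, 4870 certificate revoked,
#    4882 CA permissions changed, 4885 audit filter changed.
$filter = @{
    LogName   = 'Security'
    Id        = 4886, 4887, 4870, 4882, 4885
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Event 4885 is worth alerting on by itself, since a change to the audit filter is one way CA auditing gets quietly turned down.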
