What is the Best Open Alternative to Active Directory Certificate Services?

PKI vs. CA

First we need to get a few terms straight.  I have heard the terms public key infrastructure(PKI) and certificate authority(CA) sometimes used in conversation interchangeably.  The difference is that a CA by itself doesn’t perform all of the functions of a PKI.  PKIs contain CAs, but they also have other components like certificate revocation lists(CRLs), online certificate status protocol(OCSP) responders that allow clients a higher degree of certainty when assessing whether or not a certificate is valid, even things like policy, which allows you to specify what kinds of certificates or what attributes can be signed by CAs within the PKI.

What is AD CS?

Active Directory Certificate Services(AD CS) is made by Microsoft and it is what a lot of companies use for their PKI needs.  It works well, gives you nice ways to interact with it and runs on Windows Server.  You can request certificates through a (somewhat ugly) web interface, you can also request/issue certificates through a Microsoft Management Console(MMC),  you can request/issue certificates at the command-line with certutil/certreq.  AD CS even handles things like CRL publishing over FTP or SMB and running an OCSP responder, in concert with IIS.  Even though certificate revocation is utterly broken in the consumer world, many PKI uses in the enterprise, e.g. EAP-TLS, generally require revocation to be ‘working’.

Just as an aside, one of the most bizarre(annoying?) things about AD CS is how it handles private key storage.  By default private keys are non-exportable, meaning that if you request a certificate and it is issued and don’t specify that the private key be exportable, as part of the request, you must issue a new certificate.  Obviously anyone who believes that keys marked as non-exportable can’t be exported is disillusional.  If someone wants your keys badly enough they will get them.

OpenSSL as an Alternative?

OpenSSL is installed on pretty much every machine that I plan to do certificate related things on.  It is a swiss army library that does everything you could ever ask for.  Well… except that, at its heart it really is still a library.  Sure it may have application elements at the edges(if you have never used s_client it will change your life), it can act as a CA, and create CRLs.  To say that this is a somewhat manual process to do all of this, is an understatement.  Is it an alternative AD CS?  Kind of, if you really have to.  OpenSSL is best at other things.

What About Using OpenSSL as a Component in a Larger PKI Software Package?

I looked at many OpenSSL front-ends.  It reminded me of that time I got really drunk interested in OpenLDAP, I found a dozen projects that were started with the best of intentions, most of them looked pretty rudimentary and not feature complete, and the majority hadn’t seen an update in years.  The most promising OpenSSL front end was OpenCA.  It was also the only one I could find that had seen an update in the last 5 years.  I downloaded their latest snapshot(think it was a year old) and attempted to install it on Ubuntu and CentOS, but found myself in a dependency hell.  I did a bit more digging and found out that the project was undergoing a major rewrite…  Maybe I’ll come back and look at that one later.

It had to be Java…

I then tried the creatively named EJBCA.  Not only was this my favorite alternative to AD CS, it was seemingly pretty feature complete and could work as a fairly complete drop in replacement for AD CS.  It can even respond to auto-enroll requests from windows clients.  It can operate at the command-line, has a pretty decent web interface and can help with revocation as well.  It even seemed to have the ability to manage multiple CAs at different levels.  The web interface that a user might see when doing enrollment over the web was much better than AD CS’s.  If anything the number of options and the power EJBCA gives you is almost overwhelming.

Another thing it gave me an opportunity to learn about was JBOSS.  I have used Apache Tomcat a fair bit, but in googling around it seemed that they share a fair amount in common, other than the license, the only major difference was that Tomcat is just a servlet container, JBOSS does that as well as a whole bunch of other enterprise sounding things.

If you want low commitment and just want to kick the tires, they have a fully configured virtual machine that should get you up in running quickly.  Try it out today!

Photo Credit

Leave a Reply