Doing some planning for an AD-integrated PKI lately. Does anyone have experience with services such as GlobalSign’s Auto Enrollment Gateway? (https://www.globalsign.com/en/auto-enrollment-gateway/) Trying to understand alternatives to the traditional AD CS setup and doing everything completely in house. Some key applications would be authentication, IPsec and SCCM. Separately, any recommendations for HSM’s – including network and hosted? Cheers. Darin
- 199 Views
- Last Post 11 November 2015
We use the Thales nCipher HSMs with our Windows-based PKI. No issues with the hardware, and the Thales technical support has been excellent.
I find the lack of cloud services from MS in this space pretty surprising. I would have expected to see PaaS/IDaaS components in Azure for certificate services by now but they don't yet exist. Additionally, I've also been surprised that the Azure Key Vault which features HSM protection has not yet been designed with the required components to allow it to function as a "cloud" HSM for a traditional CA (which might be hosted on prem or in a cloud deployment using the IaaS model).
I'm uncertain if any of these services are coming or not. It makes it a somewhat difficult time to do a PKI planning project but the options you would expect to exist don't really seem to.
I'll also +1 the Thales HSMs. However, for orgs that are looking to go very heavy on the cloud, purchasing proprietary hardware devices doesn't seem to align well to that model.
I agree with Joe. We're rolling out an AD-CS PKI implementation currently, and more than once I've wished I knew Microsoft's intentions about a cloud-based offering in this space. I've tried to hedge our bets in the design, but I have a funny feeling I'll
be ripping out what we deploy and replacing it in not too long a period.
The existence of the Azure Key Vault plus Azure RMS plus the cert that Skype for Business issues plus the Windows 10 device registration cert issued plus likely a few other certs that Microsoft issues for cloud services all point to the need for a single
cloud-based service design ...
That said, I can imagine that if Microsoft wanted to offer such a thing, that it might take quite a bit to get it off the ground and make it compelling when compared with the already awesome feature set that AD-CS provides. But they could take it in bite
size pieces like those that Joe suggests.