Enterprise PKI Platform for Identity, Encryption & Trust (Microsoft ADCS)

Two-Tier Certificate Authority Architecture Using Microsoft ADCS

Description

This case study is an independent architecture design exercise developed to demonstrate enterprise PKI architecture methodology using Microsoft Active Directory Certificate Services. The scenario is based on the identity, encryption, and trust requirements typical of medium-to-large enterprise environments operating Active Directory-integrated infrastructure in regulated or compliance-sensitive environments.

Key Focus Areas:

  • Enterprise PKI Architecture

  • Certificate Lifecycle Automation

  • TLS Encryption & Identity Trust

  • Zero Trust Security Foundations

  • OCSP & Revocation Management

  • GPO-Based Autoenrollment

Executive Summary

Architected an enterprise Public Key Infrastructure (PKI) platform using Microsoft Active Directory Certificate Services (ADCS), establishing a secure identity and encryption foundation for internal enterprise services through a hardened two-tier certificate authority hierarchy.

The architecture introduces an offline Root Certificate Authority as the protected trust anchor, a domain-integrated Enterprise Issuing CA for scalable certificate operations, automated certificate lifecycle management through GPO-based autoenrollment, centralised trust distribution via Active Directory, and real-time certificate revocation validation through a dual CRL and OCSP model.

The design demonstrates how internal PKI infrastructure functions as a critical foundational layer for enterprise security — enabling TLS encryption, certificate-based authentication, and the identity trust mechanisms required by Zero Trust security architectures — while eliminating dependency on external certificate authorities for internal workloads.

Business Drivers

Modern enterprise infrastructures depend on trusted identities, encrypted communications, and certificate-based authentication to secure internal systems and services. Organisations without a centralised internal PKI platform face compounding operational and security challenges as environments scale and compliance requirements intensify.

Key drivers include:

  • Fragmented certificate management with limited visibility into the full certificate estate and trust relationships

  • Manual certificate lifecycle processes creating operational overhead and uncontrolled expiry risk at scale

  • Dependency on external certificate authorities for internal workloads — increasing cost and reducing operational control over internal trust chains

  • Inconsistent TLS encryption enforcement across internal services creating compliance exposure

  • Weak internal identity trust models unable to support certificate-based authentication for VPN, 802.1X, or Zero Trust access controls

  • Compliance and audit challenges due to absent certificate lifecycle governance and auditability

  • Difficulty scaling certificate-based authentication as Zero Trust adoption requires certificates across broader workload and identity categories

Operational Constraints

The architecture was designed to operate within the following constraints typical of enterprise Active Directory environments:

  • The Root CA trust anchor requires maximum isolation — any compromise of the root invalidates the entire PKI hierarchy and all certificates issued under it

  • Certificate issuance processes must scale to serve enterprise workloads without manual intervention per certificate request

  • Revocation validation must provide low-latency verification — CRL-only models introduce unacceptable download and parsing latency at scale

  • Internal services require standardised TLS encryption with consistent certificate template governance across workload categories

  • Certificate enrollment and renewal must be automated through existing Active Directory and Group Policy infrastructure without additional client-side tooling

  • Cryptographic standards must meet current enterprise security requirements and remain viable across the planned PKI operational lifetime

  • Security controls must align with enterprise governance and compliance requirements including audit traceability of certificate operations

Objectives

  • Design and deploy a hardened two-tier PKI hierarchy with clear separation of trust responsibilities between Root CA and Issuing CA

  • Establish a protected offline Root CA as the foundational and isolated trust anchor of the enterprise

  • Enable TLS encryption across internal enterprise services through standardised, template-governed certificate issuance

  • Automate certificate enrollment and renewal through GPO-based autoenrollment at enterprise scale

  • Implement real-time certificate revocation validation through OCSP beyond CRL-only validation models

  • Strengthen identity trust models supporting certificate-based authentication across VPN, 802.1X, and internal services

  • Reduce operational dependency on external certificate providers for internal enterprise workloads

  • Establish PKI as the cryptographic foundation layer supporting Zero Trust authentication and encryption architectures

  • Standardise certificate governance, key usage constraints, and lifecycle management across the enterprise estate

Architecture Principles

  • Protection of the root trust anchor through physical and logical isolation as a non-negotiable design requirement

  • Separation of trust hierarchy responsibilities — Root CA exclusively signs subordinate CA certificates, never end-entity certificates

  • Automated certificate lifecycle management eliminating manual enrollment and renewal operational overhead

  • Identity-driven trust enforcement through Active Directory-integrated certificate services and GPO propagation

  • Real-time certificate validation through OCSP reducing revocation checking latency beyond CRL-only models

  • Least-privilege administrative access across all certificate authority management and administration functions

  • Template-driven certificate governance standardising key usage, validity periods, and issuance policies per workload category

  • Secure-by-default encryption enforcing current cryptographic standards across all issued certificates

  • Scalable trust distribution leveraging existing Active Directory and Group Policy infrastructure without additional client tooling

Architecture Overview

The solution is structured as a five-layer enterprise PKI platform integrating the root trust anchor, certificate issuance, trust distribution, revocation validation, and application-layer certificate consumption.

1. Root Trust Layer

The root trust layer is implemented as an air-gapped, offline Root Certificate Authority — the foundational trust anchor of the entire PKI hierarchy.

Key characteristics:

  • Air-gapped deployment with no network connectivity in operational state

  • Non-domain-joined configuration eliminating exposure to Active Directory-level compromise scenarios

  • Offline operational model — the Root CA is activated exclusively for subordinate CA certificate signing operations and returned to offline state immediately after

  • Exclusive use for signing the Enterprise Issuing CA certificate — never used for direct end-entity certificate issuance

  • Minimal administrative exposure through strict role-based access controls and documented operational procedures

The offline Root CA design reflects a fundamental PKI security principle: a compromised Root CA invalidates every certificate issued under the entire hierarchy — and every system trusting that hierarchy. Maximum isolation is the only appropriate security posture for this component. There is no operational justification for keeping the Root CA online in a standard enterprise deployment.

2. Issuing Layer

The issuing layer leverages a domain-integrated Enterprise Issuing CA responsible for all end-entity certificate operations within the enterprise.

Capabilities:

  • Domain-joined configuration enabling Active Directory integration for autoenrollment, trust distribution, and subject name resolution

  • Certificate issuance and lifecycle management for all enterprise certificate consumers across workload categories

  • Certificate template enforcement defining permitted key usage, validity periods, subject name formats, and enrollment permissions per certificate type

  • Integration with Active Directory for subject name resolution and security group-based enrollment authorisation

  • CRL and OCSP infrastructure hosting for real-time revocation validation services

  • AIA and CDP extension configuration ensuring all issued certificates contain correct validation URLs

The Issuing CA is the operational centre of the PKI platform — handling all day-to-day certificate operations while the Root CA remains isolated offline.
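The root trust and issuing layers above, built end to end as an added example (this is not the case study's own deployment script): an offline standalone root whose CAPolicy.inf disables delta CRLs and keeps a long CRL period, a domain-joined subordinate whose request is walked to the root on removable media, and the root doing its only job, signing that one request. CA names, the ROOTCA/ISSUING01 hostnames, the pki.contoso.example URL, the C:\PKI and D:\Transfer paths, and the RequestId 2 are placeholders.

```powershell
# ---- 1. Offline Root CA (workgroup machine, network disconnected) ----
# CAPolicy.inf must exist in %SystemRoot% before the role is installed:
# 20-year renewal, 26-week CRL, delta CRLs disabled (the root revokes rarely).
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
AlternateSignatureAlgorithm=0
'@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Encoding ASCII

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Contoso Root CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# CDP/AIA written into everything the root signs: publish to the local
# CertEnroll folder (flag 1) and embed an HTTP URL (flag 2) that IIS on the
# Issuing CA will serve. No LDAP URLs, so the root never needs Active Directory.
$enroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"
certutil -setreg CA\CRLPublicationURLs "1:$enroll\%3%8.crl\n2:http://pki.contoso.example/pki/%3%8.crl"
certutil -setreg CA\CACertPublicationURLs "1:$enroll\%1_%3%4.crt\n2:http://pki.contoso.example/pki/%1_%3%4.crt"
certutil -setreg CA\AuditFilter 127          # audit every CA operation
Restart-Service certsvc
certutil -crl                                # publish the first root CRL

# ---- 2. Enterprise Issuing CA (domain-joined) ----
# The root certificate and CRL are carried over on removable media and trusted
# locally so the signed subordinate certificate can chain when it is installed.
certutil -addstore -f Root "C:\PKI\ROOTCA_Contoso Root CA.crt"
certutil -addstore -f Root "C:\PKI\Contoso Root CA.crl"
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Contoso Issuing CA 01" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "C:\PKI\IssuingCA01.req" -Force

# ---- 3. Back on the root: its only signing job, then power it off again ----
# A standalone CA holds requests as pending; issue by the RequestId that
# certreq -submit prints (2 is a placeholder) and retrieve the certificate.
certreq -submit -config "ROOTCA\Contoso Root CA" D:\Transfer\IssuingCA01.req
certutil -resubmit 2
certreq -retrieve -config "ROOTCA\Contoso Root CA" 2 D:\Transfer\IssuingCA01.cer

# ---- 4. Issuing CA: install the signed CA certificate and start issuing ----
certutil -installcert C:\PKI\IssuingCA01.cer
Start-Service certsvc
```

The root's CRL must be re-signed and re-copied to the HTTP distribution point before the 26-week period lapses, which is the one recurring reason to power the root on between Issuing CA renewals.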

3. Trust Distribution Layer

Certificate trust distribution and propagation are implemented through Active Directory and Group Policy, ensuring consistent trust anchor deployment across all domain-joined systems without manual client configuration.

Active Directory Integration:

  • Automatic publication of Root CA and Issuing CA certificates to the Active Directory certificate store containers and NTAuthCertificates store

  • Automatic trust propagation to all domain-joined Windows systems through AD DS certificate distribution

  • Certificate publication ensuring CRL and OCSP URLs remain consistently accessible to all certificate consumers across the enterprise

Group Policy Autoenrollment:

  • Certificate autoenrollment configured through Computer Configuration and User Configuration GPO settings

  • Automatic certificate issuance to eligible computers and users based on template permissions and security group membership

  • Automatic certificate renewal triggered before expiry without user or administrator intervention

  • Standardised trust deployment ensuring consistent Root CA and Issuing CA trust propagation across the full domain estate

GPO-based autoenrollment eliminates the operational overhead of manual certificate management at enterprise scale — a critical capability for environments with hundreds or thousands of certificate consumers across multiple workload categories.
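The trust distribution and autoenrollment steps above as an added example (not the case study's own scripts): the root and Issuing CA certificates are published into Active Directory with certutil, the templates the estate autoenrolls are published on the CA, and a single GPO switches autoenrollment on for both Computer and User Configuration. CA names, file paths, the GPO name and the DC=contoso,DC=example link target are placeholders.

```powershell
# -- Publish the trust anchors into Active Directory (run as Enterprise Admin) --
# Root cert to the AD Certification Authorities / trusted root containers,
# the root CRL alongside it, and the Issuing CA cert to NTAuthCertificates so
# certificates it issues are accepted for domain logon (smart card, 802.1X, VPN).
certutil -dspublish -f "C:\PKI\ROOTCA_Contoso Root CA.crt" RootCA
certutil -dspublish -f "C:\PKI\Contoso Root CA.crl"
certutil -dspublish -f "C:\PKI\ISSUING01.contoso.example_Contoso Issuing CA 01.crt" NTAuthCA

# -- Templates the estate autoenrolls, published on the Issuing CA --
# Enroll/Autoenroll permissions for the right security groups are granted on
# each template's AD object; the CA then only issues what the template allows.
Import-Module ADCSAdministration
Add-CATemplate -Name Workstation -Force      # 802.1X computer certificates
Add-CATemplate -Name WebServer   -Force      # internal IIS / API TLS

# -- One GPO turning on autoenrollment for computers and users --
Import-Module GroupPolicy
$gpo   = New-GPO -Name "PKI - Certificate Autoenrollment"
$aeKey = "SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
# AEPolicy = 7 enables autoenrollment together with both options: renew
# expired / update pending / remove revoked, and update template-based certs.
foreach ($hive in "HKLM", "HKCU") {          # Computer and User Configuration
    Set-GPRegistryValue -Name $gpo.DisplayName -Key "$hive\$aeKey" `
        -ValueName AEPolicy -Type DWord -Value 7 | Out-Null
}
New-GPLink -Name $gpo.DisplayName -Target "DC=contoso,DC=example" -LinkEnabled Yes | Out-Null

# -- On a domain-joined client: pull policy, trigger enrollment, verify --
gpupdate /target:computer /force
certutil -pulse                              # fire the autoenrollment task now
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "CN=Contoso Root CA*"
Get-ChildItem Cert:\LocalMachine\My   | Where-Object Issuer  -like "CN=Contoso Issuing CA 01*"
```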

4. Validation Layer

Certificate validation services are implemented using both CRL Distribution Points and an OCSP Responder, providing a tiered revocation validation model balancing compatibility and performance.

CRL Distribution Points:

  • Base CRL published on a scheduled interval providing complete revocation status for all issued certificates

  • Delta CRL published on a shorter interval providing incremental revocation updates between base CRL publications

  • CRL hosted on IIS-based HTTP distribution points accessible to all internal certificate consumers

  • CRL URLs embedded in all issued certificates through the CDP extension at issuance time

OCSP Responder:

  • Real-time certificate revocation status responses significantly reducing validation latency compared to CRL download and parsing

  • OCSP responses signed by a dedicated OCSP signing certificate issued by the Issuing CA

  • OCSP URLs embedded in all issued certificates through the AIA extension at issuance time

  • Better suited than CRL-only models for high-frequency validation scenarios including web services, VPN authentication, and 802.1X network access

The dual CRL and OCSP model provides both broad client compatibility through CRL and performance-optimised real-time validation through OCSP — addressing the full range of certificate consumer validation requirements across the enterprise.
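The dual CRL and OCSP model above on the Issuing CA, as an added example (not configuration taken from the case study): weekly base and daily delta CRL publication with overlap, CDP and AIA extensions carrying the HTTP and OCSP URLs, the IIS distribution point that has to accept the "+" in delta CRL file names, the Online Responder role, and a certutil check that walks an issued certificate's AIA, CDP and OCSP URLs. Hostnames, paths and the web01 certificate file are placeholders.

```powershell
# -- Issuing CA revocation schedule: weekly base CRL, daily delta CRL, with a
#    2-day overlap so the previous CRL stays valid through a missed publication --
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLOverlapPeriod "Days"
certutil -setreg CA\CRLOverlapPeriodUnits 2

# -- CDP: 65 = publish base (1) + delta (64) to CertEnroll; 6 = embed the HTTP
#    URL in certificates (2) and in the Freshest CRL extension (4).
#    AIA: 2 = embed the CA certificate URL; 32 = embed the OCSP URL. --
$enroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"
certutil -setreg CA\CRLPublicationURLs "65:$enroll\%3%8%9.crl\n6:http://pki.contoso.example/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$enroll\%1_%3%4.crt\n2:http://pki.contoso.example/pki/%1_%3%4.crt\n32:http://ocsp.contoso.example/ocsp"
Restart-Service certsvc
certutil -crl                                # publish base + delta now

# -- IIS distribution point on the Issuing CA: serve CertEnroll as /pki and allow
#    the '+' in delta CRL file names, which request filtering blocks by default --
Import-Module WebAdministration
New-WebVirtualDirectory -Site "Default Web Site" -Name pki -PhysicalPath $enroll
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\pki" `
    -Filter system.webServer/security/requestFiltering -Name allowDoubleEscaping -Value $true

# -- OCSP responder role plus the signing-certificate template it enrolls for;
#    the revocation configuration itself is created in the Online Responder console --
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force
Add-CATemplate -Name OCSPResponseSigning -Force

# -- Check an issued certificate end to end: fetches the AIA, CDP and OCSP URLs
#    and reports the revocation status each source returns --
certutil -verify -urlfetch C:\PKI\web01.contoso.example.cer
```

A CRL-only client reads revocations only when it next downloads the delta, so the daily delta period above bounds how long a revoked certificate stays trusted on such clients; OCSP clients see the change on the responder's next refresh.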

5. Application Layer

The PKI platform serves multiple enterprise certificate consumption scenarios across internal workloads, authentication systems, and security services.

Internal TLS Encryption:

  • Web Server certificates for IIS-hosted internal HTTPS applications and services

  • Internal API services requiring encrypted communication between service components

  • Remote Desktop Services TLS certificates replacing self-signed default certificates

Network Access & Authentication:

  • Computer certificates for 802.1X network access authentication for domain-joined workstations

  • Certificate-based VPN client authentication replacing password-based credential models

  • Smart card and certificate-based user authentication for privileged access scenarios

Infrastructure Services:

  • LDAPS (TLS-secured LDAP) communication between domain controllers and LDAP consumers

  • S/MIME email signing and encryption for sensitive internal communications

  • Code signing certificates for internal application and script integrity validation

Architecture Diagram

Technologies Used

  • PKI & Identity Infrastructure: Microsoft Active Directory Certificate Services (ADCS)

  • Certificate Authorities: Offline Root CA, Enterprise Issuing CA

  • Directory Services: Active Directory, Group Policy (GPO)

  • Web Services: Microsoft IIS

  • Validation Services: CRL Distribution Points, OCSP Responder

  • Automation & Administration: PowerShell, certutil, certreq

  • Compliance Frameworks: NIST SP 800-57, CIS Controls v8, Zero Trust Architecture principles

Key Challenges Addressed

Protecting the root trust anchor from compromise — addressed through air-gapped, non-domain-joined offline Root CA deployment that is activated only for subordinate CA signing operations, eliminating network-based attack vectors against the foundational trust anchor.

Managing certificate lifecycle operations at enterprise scale — addressed through GPO-based autoenrollment automating certificate issuance and renewal across all eligible computers and users without per-certificate manual intervention.

Ensuring real-time certificate revocation validation — addressed through OCSP Responder deployment providing lightweight, low-latency revocation status responses beyond the download-and-parse overhead of CRL-only validation.

Standardising certificate usage across internal services — addressed through template-driven certificate governance defining permitted key usage, validity periods, and enrollment authorisation per workload category, preventing uncontrolled certificate issuance outside defined policies.

Integrating certificate trust with Active Directory environments — addressed through Active Directory-integrated Issuing CA configuration and GPO-based trust propagation, leveraging existing domain infrastructure for consistent trust distribution without additional client-side tooling.

Enforcing consistent internal encryption standards — addressed through certificate template configuration enforcing minimum cryptographic standards across all issued certificates, preventing issuance of certificates below defined security thresholds.

Design Decisions & Rationale

Offline Root CA Architecture: The Root CA was isolated offline to protect the foundational trust anchor of the PKI hierarchy. An online Root CA — even with network access controls — remains exposed to network-based attack vectors. An offline Root CA eliminates this exposure entirely. The operational cost is minimal: the Root CA is required only when signing Issuing CA certificates, which occurs infrequently across the PKI lifetime.

Enterprise Issuing CA with Active Directory Integration: Domain integration enables automated certificate operations, centralised trust management, and scalable lifecycle governance through existing Active Directory infrastructure. A standalone Issuing CA would require manual trust distribution and separate enrollment mechanisms — increasing operational overhead without improving security.

OCSP-Based Real-Time Validation: CRL-only revocation validation requires clients to download and parse complete revocation lists — introducing latency and bandwidth overhead that scales poorly in high-frequency validation scenarios. OCSP provides lightweight, per-certificate status queries with real-time responses, significantly improving validation performance for web services, VPN, and 802.1X authentication workloads.

GPO-Based Autoenrollment: Manual certificate enrollment at enterprise scale is operationally unsustainable and creates inconsistency in certificate coverage. GPO-based autoenrollment automates issuance and renewal for all eligible endpoints — ensuring consistent certificate coverage, eliminating manual intervention overhead, and preventing service disruption from unmanaged certificate expiry.

Template-Driven Certificate Governance: Uncontrolled certificate issuance without template governance creates inconsistent cryptographic standards, inappropriate key usage assignments, and audit challenges. Certificate templates standardise issuance policies, enforce key usage constraints, and define validity periods per workload category — establishing consistent and auditable cryptographic governance across the enterprise.

Internal PKI over External Certificate Authorities: External certificate authorities for internal workloads introduce unnecessary cost, dependency on third-party trust chains, and reduced operational control over internal trust relationships. An internal PKI platform provides complete control over certificate issuance, revocation, and lifecycle governance while reducing long-term certificate management costs and eliminating external CA dependency for internal services.

Trade-offs & Design Constraints

Offline Root CA Operational Complexity: The offline Root CA model provides maximum trust anchor protection but introduces operational complexity for Issuing CA certificate renewal — a process that occurs infrequently but requires documented procedures, physical access controls, and careful execution. Organisations must maintain documented offline Root CA operational procedures and ensure they remain accessible and executable when required, typically every 5–10 years for Issuing CA renewal.

Single Issuing CA — Availability Risk: A single Enterprise Issuing CA represents a single point of failure for certificate issuance operations. If the Issuing CA becomes unavailable, new certificate requests and renewals cannot be processed. Production enterprise deployments should evaluate a redundant Issuing CA configuration for environments where certificate issuance availability is operationally critical.

HSM Integration Absent: This architecture does not include Hardware Security Module (HSM) integration for Root CA or Issuing CA private key protection. Software-stored CA private keys — while protected by the offline Root CA model — provide lower cryptographic assurance than HSM-backed key storage. For organisations with high-assurance requirements (financial services, government, critical infrastructure), HSM integration should be considered a production deployment requirement rather than a future enhancement.

GPO Autoenrollment Limited to Domain-Joined Systems: GPO-based autoenrollment applies exclusively to Active Directory domain-joined Windows systems. Non-domain-joined systems, Linux endpoints, network devices, and cloud-native workloads require alternative enrollment mechanisms — SCEP, EST, or manual request workflows — creating operational inconsistency in certificate coverage across heterogeneous environments.

Certificate Revocation Propagation Latency: Despite OCSP providing real-time revocation status, CRL-based revocation status propagates on the configured publication interval. In environments where CRL-only clients exist, revoked certificates may remain trusted until the next CRL publication and client download cycle. Organisations with strict revocation requirements should ensure OCSP is supported across all critical certificate consumers and monitor CRL publication intervals accordingly.

Projected Outcomes

The architecture is designed to deliver the following operational and security outcomes in a production enterprise environment:

  • Trusted enterprise certificate authority hierarchy established as the internal cryptographic foundation

  • Enterprise-wide TLS encryption enabled for internal services through internally-governed certificate issuance

  • Automated certificate enrollment and renewal eliminating manual lifecycle management overhead

  • Improved trust visibility and lifecycle governance through template-driven and Active Directory-integrated certificate operations

  • Reduced dependency on external certificate providers for all internal workload certificate requirements

  • Enhanced compliance readiness through auditable certificate issuance, revocation, and lifecycle governance

  • Real-time certificate revocation validation capabilities through dual CRL and OCSP infrastructure

  • Scalable PKI foundation supporting Zero Trust authentication architectures including 802.1X, VPN, and certificate-based identity

Future Evolution

  • Hardware Security Module (HSM) integration for Root CA and Issuing CA private key protection in the highest-assurance environments

  • Cloud-native certificate lifecycle automation through integration with Azure Key Vault and certificate management APIs

  • Certificate monitoring and expiration analytics dashboards providing visibility into estate-wide certificate health

  • Short-lived certificate deployment models reducing reliance on revocation infrastructure through reduced certificate validity windows

  • Infrastructure as Code deployment automation through PowerShell DSC or Terraform for consistent, repeatable PKI deployment

  • Kubernetes certificate management integration through cert-manager for cloud-native workload certificate automation

  • Advanced identity federation integration supporting cross-forest and cross-domain certificate trust scenarios

  • Automated compliance reporting for certificate governance, cryptographic standard adherence, and lifecycle SLA tracking

Key Takeaways

  • PKI infrastructure is foundational to enterprise identity and encryption strategy — it is the trust backbone that certificate-based Zero Trust architectures depend upon

  • Protecting the Root CA trust anchor through offline isolation is the single most important PKI security decision — there is no operational justification for keeping a Root CA online in a standard enterprise deployment

  • Automated certificate lifecycle management through GPO autoenrollment is essential at enterprise scale — manual enrollment creates coverage gaps and expiry risk that grows with environment complexity

  • OCSP-based real-time validation significantly improves revocation performance over CRL-only models — particularly for high-frequency validation scenarios in web services and network access control

  • Template-driven certificate governance is not optional — uncontrolled certificate issuance creates cryptographic inconsistency, audit challenges, and compliance exposure

  • HSM integration for CA key protection should be treated as a production requirement for high-assurance environments, not a post-deployment enhancement

  • Internal PKI platforms improve governance, operational control, and long-term cost efficiency compared to external certificate authority dependency for internal workloads

Open to discussing infrastructure architecture, cloud transformation, or high-availability system design.

Whether the objective is infrastructure modernization, operational resilience, hybrid cloud transformation, or enterprise security architecture, I am always interested in discussing complex infrastructure environments and strategic technical initiatives.

ENTERPRISE INFRASTRUCTURE ARCHITECTURE

My work focuses on ensuring service continuity, optimizing performance, and supporting large-scale infrastructure transformations across multi-site and hybrid environments.
