Silversands Ltd, Albany Business Park, Cabot Lane
Poole, Dorset, BH17 7BX


Improving the reliability and manageability of certificate services

This case study is based on similar deployments for a number of our customers including two utility providers, a housing association, a major river management organisation, a leading stairlift manufacturer and others. 

Technology used:

Microsoft Certificate Services (PKI)

What were the challenges?
  • PKI services were typically implemented years ago and have since become ‘unmanaged’
  • Offline root management can be overlooked
  • The deployed Windows Server version is no longer supported
  • Critical services like wifi, VPN and mobile device management depend on certificates
What was the solution?
  • Review requirements and design a new certificate services deployment
  • Utilise Azure to provide security, flexibility and additional capabilities
  • Implement automation to provide scheduled and interaction-free maintenance
  • Implement Azure Monitor to provide proactive alerting
  • Enable integrated Azure Backup to provide simple recovery
What were the results?
  • Azure deployment provides security, manageability, and flexibility
  • Automating offline root management removes CRL expiry issues.
  • Integrated Azure backup provides easy recoverability
  • Azure Portal enables excellent management visibility
  • Azure Monitor provides early warning of certificate issues
  • Certificate requirements for modern solutions like MDM are supported.
  • A much more manageable, available, secure and reliable solution is created, compared to legacy deployments

The Background

For these organisations, a public key infrastructure (PKI) has generally been in place for a number of years, silently working in the background but not really being managed proactively. This had the potential to cause critical service downtime if certificates stopped being issued or expired.

In addition to the general threat of service unavailability, several other factors compelled these organisations to review this important service, including the end of life of the deployed Windows Server version, reducing issues with certificate revocation list (CRL) expiry, and a requirement to support new and critical services like mobile device management (MDM), Windows Hello, passwordless authentication, wifi and VPN connectivity, all of which depend on certificates to function. 

Since we have been the primary partner of these organisations for many years, we were asked to help by reviewing and revising each organisation’s PKI configuration. 

Challenges
  • Existing PKI working but unmanaged
  • Potential threat of service unavailability
  • Requirement to support new services like mobile device management and passwordless authentication

With modern services such as mobile device management and passwordless authentication being crucial to an organisation’s operations, supporting services like PKI are a critical component in ensuring 24×7 availability and many legacy certificate services deployments are no longer fit for purpose.

Pete Holland, Lead Consultant, Silversands

The Solution

The first step in the process was to understand what the requirements were for certificates across the organisations, in terms of which solutions use them, their criticality and any other relevant factors.

Following this analysis and a subsequent workshop, a design was produced for a new PKI solution using Microsoft Certificate Services running on a current Windows Server version.

Whereas options were more limited when PKI services were originally built, these organisations now have access to the Azure platform and take a cloud-first approach to IT solution deployment. Consequently, we were able to make use of key Azure features to build a PKI solution fit for today’s requirements.

The design followed a common two-tier PKI architecture: two Azure Windows servers in a cluster for the issuing tier and one server for the offline root.

These servers were integrated with the Azure Backup service to provide recovery options in the event of a failure or corruption. Critically, an automation solution was created to manage the offline root: on a six-monthly schedule it powers the root up, refreshes the CRL, backs the server up to an Azure Key Vault and then powers it down again. Additionally, the offline root is isolated within the network using Azure’s network security capabilities. Integration with Azure Monitor enabled the service to be proactively monitored.
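An added illustration of the scheduled offline-root maintenance described above, written as an Azure Automation-style PowerShell runbook; it is not Silversands’ own runbook and the resource names, CRL file name and CDP drop path are placeholders. It assumes the runbook identity has Contributor rights on the PKI resource group, and it uses an on-demand Azure Backup job (Recovery Services vault) for the backup step.

```powershell
# Six-monthly offline root CA maintenance: power up, refresh CRL, back up, power down.
# All names below are placeholders for this example.
param(
    [string]$ResourceGroup = 'rg-pki',
    [string]$RootVmName    = 'vm-pki-root',
    [string]$VaultName     = 'rsv-pki',
    [string]$CrlFileName   = 'Example-Root-CA.crl',
    [string]$CdpDropPath   = '\\issuingca\CertEnroll'   # where clients fetch the CRL
)

# Runbook runs under a managed identity; no stored credentials.
Connect-AzAccount -Identity | Out-Null

# 1. Power up the isolated root. Its NSG allows no inbound traffic, so every step
#    below uses the Run Command channel rather than RDP or SMB.
Start-AzVM -ResourceGroupName $ResourceGroup -Name $RootVmName | Out-Null

# 2. Inside the root: publish a fresh CRL and return its bytes as base64 on stdout,
#    so the file can leave the VM without opening a network path into it.
$inner = @"
certutil -crl | Out-Null
`$crl = Join-Path `$env:SystemRoot "System32\CertSrv\CertEnroll\$CrlFileName"
[Convert]::ToBase64String([IO.File]::ReadAllBytes(`$crl))
"@
$tmp = New-TemporaryFile
Set-Content -Path $tmp -Value $inner
$result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $RootVmName `
    -CommandId 'RunPowerShellScript' -ScriptPath $tmp
Remove-Item $tmp

# 3. Decode the CRL outside the root and sanity-check it (non-empty DER SEQUENCE)
#    before overwriting the copy that VPN and wifi clients actually download.
$stdout = ($result.Value | Where-Object Code -like 'ComponentStatus/StdOut/succeeded').Message
$bytes  = [Convert]::FromBase64String($stdout.Trim())
if ($bytes.Length -lt 100 -or $bytes[0] -ne 0x30) {
    throw "CRL refresh on $RootVmName returned unexpected data; CDP copy left untouched."
}
[IO.File]::WriteAllBytes((Join-Path $CdpDropPath $CrlFileName), $bytes)

# 4. Take an on-demand Azure Backup of the root while it is running.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroup -Name $VaultName
$item  = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM `
    -Name $RootVmName -VaultId $vault.ID
Backup-AzRecoveryServicesBackupItem -Item $item -VaultId $vault.ID | Out-Null

# 5. Deallocate so the root is offline again (and not billed) until the next cycle.
Stop-AzVM -ResourceGroupName $ResourceGroup -Name $RootVmName -Force | Out-Null
```

The CDP copy is only replaced after the decoded CRL passes the check, so a failed refresh leaves the previous, still-valid CRL in place for clients.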

Finally, the certificate delivery for the organisations was transparently transitioned from the legacy certificate services to the new platform.

Solution
  • Analyse existing deployment
  • Design new PKI platform
  • Build services in Azure
  • Transition from legacy to new platform

The Results

Although it seems like a relatively simple upgrade, the replacement of the legacy PKI platform has a number of benefits for these organisations: 

  • Deploying in Azure provides several advantages in terms of security, manageability, and maintenance, as well as the option to use additional services like automation and integrated backup.
  • Automating the powering up and refresh of the offline root server means that the CRL refresh cycle is appropriately managed and there is no risk of CRL expiry causing loss of service across the organisations’ critical services like VPN or wifi connectivity.
  • Azure provides the flexibility to isolate the root server, without reducing the ability to manage it, as can be the case with legacy PKI solutions.
  • The integrated Azure Backup service enables the servers to be fully and easily protected against failure or corruption.
  • Integration with Azure Monitor provides timely notification of any problems with the service.
  • The Azure portal provides an easy way to view the services and spot any issues.

Ultimately, this modern PKI deployment, based on Certificate Services running in Azure, provides a much more manageable, available, secure and reliable solution to meet the critical needs of the organisations and will consign certificate-related outages and downtime to history.

PKI services are typically deployed and then left relatively unmanaged, which can result in unexpected and critical service interruptions if there is a problem. By deploying a modern certificate services solution in Azure, using capabilities such as security isolation and automation, a much more manageable and reliable service can be delivered.

Pete Holland, Lead Consultant, Silversands

Results
  • Resilient solution deployed in Microsoft Azure
  • Automation reduces manageability issues
  • Azure Monitor provides proactive issue notification
  • Modern services like passwordless authentication are fully supported