Disclaimer: This review contains my personal opinion about the book and does not necessarily reflect the company’s or other people’s opinion.
Hello everyone, today I have a slightly unusual blog post, which is a book review. As you may know, my primary interest area is Microsoft Active Directory Certificate Services (ADCS), and there are not so many books about this complex security product suite. Among others, there is one precious gem called Windows Server 2008 PKI and Certificate Security by Brian Komar. As of 2022, it is still the most comprehensive, authoritative and up-to-date book about ADCS (despite being almost 15 years old, with certain things outdated) and is the Windows PKI Bible. The book is relatively old, and the ADCS product is slowly but still evolving, introducing enrollment web services, key attestation and other features which are not covered in Brian’s book. Several attempts have been made to fill these gaps or otherwise improve on his book. I’m often looking for new books about ADCS to see how good they are compared to Brian’s book. Recently, I received a book about the topic: Pro Active Directory Certificate Services: Creating and Managing Digital Certificates for Use in Microsoft Networks, and would like to review it. Let’s go!
About the author
I will quote the book:
Lawrence E. Hughes is an internationally renowned expert in cryptography and PKI. He learned PKI from the top people in the field while working at VeriSign. He created and taught the courseware at VeriSign and presented it internationally to affiliates and large customers. He is a security author and was heavily involved in the deployment of several national certification authorities in the UK, Netherlands, and Australia. He later co-founded and was the first CTO at CipherTrust (who created a secure email proxy appliance). In 2014, he co-founded Sixscape Communications Pte Ltd in Singapore where he was responsible for creating much of their technology.
This gives me the impression that the author is a knowledgeable person in the PKI field, with strong real-world experience from VeriSign. I have no doubts here.
The book mainly consists of two parts:
- Foundations in Cryptography, Digital Certificates, and PKI
- Deploying and using Active Directory Certificate Services
where each part is divided into relevant chapters and an appendix.
Part 1: Foundations in Cryptography, Digital Certificates, and PKI
The first part includes vendor-independent concepts about PKI fundamentals:
- Cryptography fundamentals: symmetric and asymmetric keys and functions, hash functions, digital signatures and their properties
- Common X.509 objects: certificates, CRLs, requests, related PKCS standards
- Common certificate management protocols, such as CMC, SCEP and ACME
- PKI fundamentals: CAs, hierarchies and chains
- Commonly used applications: modern TLS, code signing and S/MIME. Each application got its own chapter
What is good in Part 1?
First of all, I found the chapter sequence well structured and the chapters well connected. The book moves from basic building blocks to bigger, composite blocks. For example, the first chapters give you information about cryptographic functions, and then you switch to bigger structures that put the underlying functions to use together, and so on.
Very good level of detail. The book doesn’t dive deeply into boring mathematical apparatus or extreme details, while not missing key properties or other important information about every covered topic. The author kept a good balance between details and practical usefulness.
What is not good in Part 1?
This part includes screenshots and usage of several 3rd-party tools, such as IDWallet, SixWallet and some unknown tool (Chapter 1), without any references to where I could obtain the tools. A Google search suggested that they (ID Wallet and SixWallet) are proprietary tools of the company the author is affiliated with. The fact that the tools are developed by the author or an affiliated company is not a problem in itself. The problem is that there are no references, and these tools don’t appear to be commonly used by PKI admins. Limited trial versions are potentially available upon individual request via email. No pricing and licensing information was found in public sources. While reading a book with examples, I tend to follow the author and try to repeat the steps or get an experience similar to the one shown in the book. I was not able to do this, because the tools are not available for immediate download and evaluation. Online references to these tools are certainly required. This is the only serious downside of the first part.
Part 2: Deploying and using Active Directory Certificate Services
The second part includes practical examples of acquiring and utilizing PKI using Microsoft ADCS, including:
- Building a 2-tier PKI with Microsoft CA
- Enrollment, installation and usage of different certificate types: TLS server and client certificates, S/MIME and Windows Logon certificates
What is good in Part 2?
Unfortunately, there are not so many good things I can say about the second part. The author followed an extremely simple “Next –> Next –> Finish” approach which allows you to quickly repeat these steps and get similar results, given the limits of a 440-page book.
What is not good in Part 2?
As I mentioned above, the author used the “Next –> Next –> Finish” approach and ignored best practices. Some instructions are not only not recommended, but rather harmful. Here are several critical points:
- The 2-tier PKI deployment consists of Enterprise (domain-joined) Root and Subordinate CAs. It can be useful when you need to build a quick lab, nothing else. You certainly will not use this setup in production environments, and many deployment steps will be very different from what is shown in the book.
- Every CA installation includes the legacy CA Enrollment Web Pages, which should be discouraged even in test labs.
- Chapter 14 includes Online Certificate Status Protocol (OCSP) service installation. However, the process is incomplete: the role is only installed, not configured, and the CA is not configured to include OCSP URLs in issued certificates. In my opinion, this section should either be omitted completely, or a minimal configuration process must be covered (which would add several dozen pages) to make OCSP useful.
- The author uses an unusual process for obtaining a Windows Logon certificate with a smart card: first, the certificate is enrolled into the software store, then exported to PFX and then imported into the smart card. This flow is not used in practice, because the key was generated outside the smart card; thus key security is not improved by using the smart card, since a copy of the private key material is still stored elsewhere.
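The OCSP point above is about a configuration gap rather than the role installation itself: the CA must advertise an OCSP location in the AIA extension, otherwise clients never learn that a responder exists. The following PowerShell is an added example written for this review, not code from the book or from Microsoft. It runs on the CA host, reads the active CA’s CACertPublicationURLs value from the CertSvc registry key, and reports whether any entry carries the flag 32 (include this URL in issued certificates as an OCSP location). The URL http://ocsp.example.com/ocsp is a placeholder, and the certutil command is only printed, not executed.

```powershell
# Added example (not from the book or the review): check whether the local CA is
# configured to put an OCSP URL into the AIA extension of issued certificates.
# Registry layout and the flag value 32 (add to certificates as OCSP URL) are
# Microsoft-documented; the OCSP URL used in the suggested fix is a placeholder.
$CSURL_ADDTOCERTOCSP = 32   # CACertPublicationURLs flag bit: publish in AIA as an OCSP location

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active          # name of the active CA instance
$urls   = (Get-ItemProperty -Path "$cfg\$caName" -Name CACertPublicationURLs).CACertPublicationURLs

function Test-OcspPublished {
    param([string[]] $PublicationUrls)   # entries of the form "<flags>:<url>"
    foreach ($entry in $PublicationUrls) {
        # split on the first colon only: the URL part contains colons itself
        $flags, $url = $entry -split ':', 2
        if (([int]$flags -band $CSURL_ADDTOCERTOCSP) -ne 0 -and $url -like 'http*') {
            return $true
        }
    }
    return $false
}

if (Test-OcspPublished $urls) {
    "CA '$caName' advertises an OCSP location in AIA"
} else {
    "CA '$caName' has no OCSP entry: issued certificates will carry no OCSP pointer."
    # Suggested fix: keep the existing entries and append an OCSP entry with flag 32.
    # certutil takes a REG_MULTI_SZ as one string with '\n' between values.
    # After changing it, restart certsvc; only certificates issued afterwards get the URL.
    $fixed = @($urls) + "${CSURL_ADDTOCERTOCSP}:http://ocsp.example.com/ocsp"   # placeholder URL
    "Example fix:`ncertutil -setreg CA\CACertPublicationURLs `"$($fixed -join '\n')`""
}
```

Note that this only closes the CA side of the gap the review describes; the responder itself still needs a revocation configuration for the CA and a signing certificate before clients get a useful answer.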
Special notes on certificate template configurations:
- The author instructs to select the “Publish certificate to Active Directory” checkbox on all custom certificate templates, which is not only unjustified but harmful. You never publish authentication or signing certificates (except S/MIME, which enables the key/data encipherment key usage), because there is no process that uses them in AD. Given that one certificate is around 1-2 KB in size, 1k certs easily add 2+ MB to the Active Directory database (ntds.dit), thus increasing replication size and reducing AD performance, and this size only keeps growing with no practical value.
- A custom template is created for TLS Server certificates and the subject source is set to “Build from AD”. This is odd, because normally not all machines act as TLS servers, and TLS servers often include custom names, so in these use cases the subject is explicitly set in the incoming request. If there is a requirement for every device to act as a TLS server, then it would be reasonable to use the built-in “Computer” template, which enables the required EKU values and proper subject type with no modifications.
- During every certificate enrollment, the author instructs to go to the request properties and select the “Make private key exportable” checkbox. Some time ago, I wrote a blog post covering the use cases where this option is useful/desired and where it is redundant: The case about exportable keys. The only certificate which can have an exportable private key is the S/MIME certificate, if it is used to receive encrypted emails. Not other certificate types.
- In the S/MIME certificate template, Subject tab, the author instructs to enable two alternative names: RFC822 (which is correct) and UPN. S/MIME doesn’t understand the UPN name syntax, nor use it in any way; thus it is redundant.
- The permission assignment strategy on newly created certificate templates is simple: grant “Authenticated Users” Read and Enroll permissions. Although the author mentions that you can grant permissions to desired principals, it would be extremely useful to add one paragraph noting that individuals SHALL NOT be granted permissions on templates; custom global groups must be used instead.
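Every template setting in the list above is stored as a flag bit or an ACE on the pKICertificateTemplate object in the Configuration partition, so the whole list can be audited in one pass. The script below is an added example written for this review, not code from the book or from Microsoft. It needs the ActiveDirectory module and read access to the Configuration partition. The flag constants (CT_FLAG_PUBLISH_TO_DS, CT_FLAG_EXPORTABLE_KEY, the two SAN flags) and the Certificate-Enrollment extended-right GUID are the documented MS-CRTD / AD values; the rules applied with them are the review’s own (publish to AD and exportable keys only for S/MIME, no UPN in S/MIME SAN, no Enroll for Authenticated Users or individual users). Built-in templates are reported as well; the function name Get-TemplateFindings is the example’s own.

```powershell
# Added example (not from the book or the review): audit ADCS certificate templates
# for the settings the review calls out. Flag bits are from MS-CRTD; the hygiene
# rules are the reviewer's recommendations. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$CT_FLAG_PUBLISH_TO_DS             = 0x00000008   # msPKI-Enrollment-Flag: "Publish certificate in Active Directory"
$CT_FLAG_EXPORTABLE_KEY            = 0x00000010   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN   = 0x02000000   # msPKI-Certificate-Name-Flag: UPN in SAN
$CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x00200000   # msPKI-Certificate-Name-Flag: RFC822 name in SAN
$OID_SECURE_EMAIL  = '1.3.6.1.5.5.7.3.4'          # Secure Email EKU marks an S/MIME template
$EnrollRightGuid   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$ADS_RIGHT_EXTENDED = 0x100                        # ActiveDirectoryRights.ExtendedRight bit

function Get-TemplateFindings {
    param([Parameter(Mandatory)] $Template)   # one pKICertificateTemplate object from Get-ADObject

    $findings = [System.Collections.Generic.List[string]]::new()
    $isSmime  = @($Template.pKIExtendedKeyUsage) -contains $OID_SECURE_EMAIL

    # 1. Publish to AD only makes sense for S/MIME (encryption certs are looked up in AD).
    if (($Template.'msPKI-Enrollment-Flag' -band $CT_FLAG_PUBLISH_TO_DS) -and -not $isSmime) {
        $findings.Add('publishes to AD but is not an S/MIME template (ntds.dit growth, no consumer)')
    }
    # 2. Exportable private key only for S/MIME (key archival / mailbox recovery).
    if (($Template.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -and -not $isSmime) {
        $findings.Add('private key exportable on a non-S/MIME template')
    }
    # 3. S/MIME SAN: RFC822 name required, UPN is dead weight.
    if ($isSmime -and ($Template.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN)) {
        $findings.Add('S/MIME template includes UPN in SAN (redundant)')
    }
    if ($isSmime -and -not ($Template.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL)) {
        $findings.Add('S/MIME template does not include RFC822 name in SAN')
    }

    # 4. Enroll permission: flag Authenticated Users and individual user accounts.
    $acl = Get-Acl -Path "AD:\$($Template.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $explicitEnroll = $ace.ObjectType -eq $EnrollRightGuid
        $allExtended    = ($ace.ObjectType -eq [guid]::Empty) -and
                          (([int]$ace.ActiveDirectoryRights -band $ADS_RIGHT_EXTENDED) -ne 0)
        if (-not ($explicitEnroll -or $allExtended)) { continue }

        $who = $ace.IdentityReference.Value
        if ($who -eq 'NT AUTHORITY\Authenticated Users') {
            $findings.Add('Enroll granted to Authenticated Users')
            continue
        }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            if (Get-ADUser -Identity $sid.Value -ErrorAction Stop) {
                $findings.Add("Enroll granted directly to user '$who' (use a custom global group instead)")
            }
        } catch {
            # not a user object (group, computer or well-known SID): nothing to report
        }
    }
    return $findings
}

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates   = Get-ADObject -SearchBase $templatesDN -Filter "objectClass -eq 'pKICertificateTemplate'" `
    -Properties msPKI-Enrollment-Flag, msPKI-Private-Key-Flag, msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage

foreach ($t in $templates) {
    $f = Get-TemplateFindings -Template $t
    if ($f.Count -gt 0) {
        [pscustomobject]@{ Template = $t.Name; Findings = ($f -join '; ') }
    }
}
```

Run it from a workstation with RSAT as an account that can read the Configuration partition; it only reads. Templates that are not published on any CA are listed too, since the object exists in AD regardless, so cross-check the results against the certificateTemplates attribute of the CA objects under CN=Enrollment Services if you only care about templates that can actually be enrolled.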
My overall impression of Part 2 is that either the author is not very strong in ADCS (which doesn’t look like the case), or the book size/audience imposed certain limitations (which is most likely) and the reviewers didn’t do their job as expected.
Overall, Part 1 was useful reading for me, and I envision it will be useful to both inexperienced and experienced PKI admins. New PKI admins will get structured knowledge about concepts/fundamentals without burning their head with new cryptic stuff. As I said, the good balance between details and useful information makes this book a good entrance into the PKI world. Experienced PKI admins will find Part 1 useful to recap certain aspects of PKI. For example, I consider myself an experienced PKI admin, and the sections about the EST and IRP certificate management protocols were new to me. So Part 1 is a win for the book. I was greatly disappointed by Part 2, because it is really poor from almost every standpoint except the quick “Next –> Next –> Finish” walkthrough to demonstrate something. In the real world it is not enough, and you will have to forget almost everything you’ve learned in Part 2.
Not a technical aspect, but it can be important: the book uses a larger font size, which will benefit your eyes while reading.
Would I recommend this book? Well, if we forget about the existence of Part 2, then the book is useful as a quick PKI fundamentals reference, but certainly not at the listed price, and it won’t match the advertised title.
You may get the impression that my aim here is to criticize the book or the author. It’s certainly not. I’ve spent more than a decade on public boards/forums assisting people with their PKI problems, and during this time I’ve faced hundreds of questions that are the result of poor advice, recommendations and books. I often see questions like “I’ve followed the XYZ guide and it doesn’t work for me. Why, and what am I doing wrong?”. And almost always this is because the referenced guide was poorly written and requires serious modifications to make it work. It is not uncommon for people new to a certain technology (not only PKI) to read a book or follow a tutorial and attempt to replicate the process in their test labs to get some practical experience. I’m not an exception. And it is vital to build guides that follow at least some best practices, or to provide information (or external links) about best-practice articles while using a faster approach for brevity. Many books fail in this aspect, unfortunately.