Most people in our business knows the purpose of certificates. They can for instance be used for identity and authentication purposes. Two common examples:
- To verify a remote website’s authenticity and encrypt the traffic. Commonly called ‘SSL certificates’
- To authenticate to corporate Wi-Fi/VPN. Commonly called ‘Client Authentication certificates’
So, we use this to identify the authenticity of our web site or connecting user.
Certificates are considered a secure means of authentication. But how are we handling these identities?
In user management, we normally have a procedure where we disable the user account on the day the user leaves the company. We may also reset their password as an extra mean of security.
If a computer gets stolen, we normally disable/delete the computer account (and probably reset the user account password).
Are we good now? As you might expect, the answer is NO.
The user credentials on the stolen client are no longer valid since you changed the password on the user. But did the user have a certificate as well? Did you process that?
Even if you change the password and log the user out of every application, the certificate is still a valid user credential in itself. It is still valid for VPN or Wi-Fi access. Some systems do not even check against AD/AAD for a matching identity object, as long as the certificate is issued by a trusted CA (Certification Authority).
To remedy this issue, you need to revoke the certificate. Make it invalid for usage. This can be done in several ways depending on your needs. For a small organization, it might be OK to do this process manually when retiring a user account or computer. But as the organization grows, this quickly becomes unmanageable.
At Onevinn, we developed a plugin for the Microsoft ADCS: ADCS-ACR
With this plugin, Revocation of certificates can be automated based on the state of AD objects they represent, among other features.
Do you want to take control of you certificate based environment? Contact us!