Podcast
Root Causes 443: Is MSCA Going Away?
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
December 2, 2024
In this episode we discuss the challenges for enterprises using Microsoft Active Directory Certificate Services (ADCS).
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanIs MSCA going away?
Jason SorokoKind of. Look, we're talking about Microsoft Active Directory Certificate Services.Tim CallanYes. You're right. The word MSCA, in principle, has gone away. Although everyone still uses it.Jason SorokoI still use it. Everybody still uses it. So it's been around an awfully long time. We're talking about on-premise PKI, implemented, usually years ago, for the Windows stack of technologies. What is it really good at? It is good at getting a cert into something that is domain attached, and it just does that all day long. Well, guess what? What of mine right now, if I ask myself, what is Windows domain attached?Tim CallanLaptops?Jason SorokoOnly partially even. So even with my Windows-based laptop for issued from work, I'm only domain attached, really, for short periods of time. Everything else is on a whole other stack, whether it's in the cloud, Linux, whether it's my iPhone or sometimes I'm running on Android. I'm not on Microsoft stack. And so, you and I have done podcasts on the limitations of Microsoft CA. All right. Will it go away? Why are we asking that question? The question is being asked because it's long in the tooth.
Microsoft, relative to all of its other technologies, especially security technologies, has not put in a lot of investment into it. You and I, during these wonderful Toronto sessions, podcasts, have called out visibility as being the crown of Certificate Lifecycle Management, and it's maybe one of the biggest weaknesses. I called it a strength of MSCA. I'm going to call its biggest weakness is visibility.
Therefore you could have an obsolete certificate profile set up. How would you know it? You wouldn't know. And is the visibility of your certificate issuance really available in a modern governance program right now with that? Unless you've homegrown something - which you probably haven't - the answer is no.
Therefore, should you get rid of Microsoft CA? Should you rip and replace? I'm going to answer to that right now – no. I don't think you have to rip and replace. I think there's big advantages if you do, but I completely understand the pain of people who choose not to. However, let me give you two options before you rip and replace.
Give you two options. Modern Certificate Lifecycle Management can augment Microsoft CA.
Tim CallanYou wrap it around Microsoft CA.Jason SorokoYou wrap it around Microsoft CA, and therefore all these problems of visibility – gone. All these problems around, hey, I want to issue certs to the things that aren't domain attached. No problem. We can handle that in a modern Certificate Lifecycle Management System. Let me offer you a second one. That's a whole storyline that you really if you are having problems with your Microsoft CA, or you want to go modern, that, to me, is like option one. Come to us, and we'll talk about it. But I'll offer you number two, Tim, and this is the more interesting one in answering your question. Will it go away completely? Here's where it doesn't have to, and you can minimize the risk of the elephant in the room for Microsoft CA, which is, does Microsoft have a post-quantum plan for Microsoft CA?
Tim CallanNot that I know of.Jason SorokoNot that I know of either. My goodness, if you're somebody from Microsoft who knows otherwise, for heaven's sakes, correct us. Because I want to tell the truth. Right now, I think the truth that I understand is that there is no plan for post-quantum in Microsoft CA. Ow!Tim CallanSo, in that kind of time frame, that sort of settles that one. Well, and this is also a bit of a forward forcing function. If you go back to saying Microsoft CA is kind of long in the tooth and it's not really heavily invested in, it's a real different decision from a roadmap management perspective to say, look, I've got this thing. It basically works. It has its limitations. People can choose to use it or not as they will, and I'm going to keep it alive, versus saying, I have this thing that has been fundamentally compromised by advances in computing, and I either need to make the heavy investment to make it current, or sunset it, or leave this basically dangerous thing out in the wild. Those are two very different questions, and they could have very different answers.Jason SorokoLook, Tim, if, if you are a Systems Administrator that involves Microsoft Certificate Services, Microsoft ADCS, and you haven't kept up on things such as the attacks and misconfiguration issues that have plagued MSCA, if you're not aware about these things, we have podcasted about this, and we'll put that in the show notes for you to be able to click on and check out, but there are ways to evaluate your configuration to see whether or not you've exposed things incorrectly with Microsoft CA, or, how aware are you of the fundamental flaws in Active Directory that are not fixed unless you go to Azure AD. There's a completely different world, and MSCA doesn't exist there. So, problems with AD, configuration problems especially with MSCA, where's the quantum plan? You can augment. You don't have to rip. Because I know a lot of people who are very invested in MSCA are invested in it because, well, I spent a lot of years getting my GPOs just right, and I don't want to rewrite them. I hear you, but just understand the risks of having that thing running still.Tim CallanNobody is really setting up a new MSCA today.Jason SorokoIf you are, get a hold of us. I'd love to talk with you.Tim CallanI mean, that's how I feel. It's legacy stuff.Jason SorokoIt's legacy. It’s just flat out legacy. Every implementation I've ever seen recently is like 15 years old. Not even like five years old. 15 years old. No quantum plan, meaning you're running that thing past 2030 and you're gonna keep a straight face? So what are you doing right now? Because 2030 is not 10 years from now.Tim CallanNo. It’s six years from now.Jason SorokoI'm going to offer you not a perfect out, but I'm going to offer you an out. Those of you who have to keep it somewhere in your - - in other words, if you're saying to me what my root of root of root of trust is that old box, then I'm going to say to you, okay, learn from the way that a public CA works in its trust model. Learn from the public guys. Learn from guys like Tim. How are public CAs set up? Well, we have an ultimate root. That thing isn't even on. All that thing did, all that CA did was sign, issue a key pair and use that to sign a certificate on an issuing CA. The CA that's actually doing issuance and perhaps this intermediate level of trust isn't even the ultimate issuing CA. But quite often you go from root to an issuing CA. It’s quite common as a trust model. Well, what happens if you used your Microsoft CA as a root root. To basically extend trust from it. In other words, what's the advantage to that Tim? You could create a cloud-based private CA. Great. It would be your issuing CA, and it is only trusted because its root was signed by the root root. And that root root could be a Microsoft CA.Tim CallanAnd what's the advantage of that?Jason SorokoThe advantage of that is that you hold the keys. Some people really don't want to set up a root root in the cloud, because it's like, well, my PKI managed service provider, is handling that for me, and we were talking earlier about if you don't hold the keys, you don't hold the cheese. That's not only true with cryptocurrencies, it's true with private CAs. Or any kind of CA. Therefore, if you want to hold the keys and the cheese, you could use a Microsoft CA for that. Now, there's risks in post-quantum, but maybe those are calculated risks, because you have some kind of thing and you have no agility around your root roots. That’s a possibility. That's for real. I sympathize with that, but by doing that, you're minimizing your risks by not using it for anything else. Now I'm sure that there could be people who come into this room and say, false Jay. There's attack vectors in post-quantum against that. There are. I'm not hiding that. What I'm trying to do is not be overly pedantic with it and say you are reducing risk in a measurable way. Yes, it could all unravel if an attacker gets far enough in but just be aware, it's not a perfect solution, but at least it minimizes your risk in a post-quantum world for MSCA?Tim CallanI get that. It still feels like unless there's something coming up for PQC that we don't know about, that MSCA should rapidly decline. Nothing ever completely disappears, so there'll probably be some around, but it seems like a sensible prediction that's going to kind of be a thing of the past.Jason SorokoSo why not at the very least, put the mitigate, put the monitoring function on it, put the augmentation scenario to work and start to - -Tim CallanFor as long as you're using it.Jason SorokoFor as long as you can and if you are using certificate issuance into domain attached things and you want to plug certs into places that it's working just fine, choose an end date for that that you're going to swap over to some other form of private CA.Tim CallanWhat's nice is, if you've enveloped this into a CLM, which you were suggesting, then you keep that CLM. You're still going to have continuity in that regard. If you end that CA and spin up something else in its place, and all the rest, you can also still have all of that running in the same platform. You have visibility of continuous management. You have governance rules. You have all those things you're expecting.Jason SorokoCorrect. Tim, we did a podcast in this Toronto series about mapping Certificate Lifecycle Management to NIST Cybersecurity Framework, 2.0. We could have said, how well does using Microsoft CA fit in Cybersecurity Framework 2.0? Not as well. It would have mapped very poorly, wouldn't it? Therefore, you folks who keep telling me, I want to keep my Microsoft CA running forever, I laugh at that as well. I know why you're keeping it and it's not for the best of intentions. I’m calling you out.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
