Microsoft Windows plays an important role in the Enterprise, serving as the access point to company assets within the firewall, over a virtual private network, or from the browser to cloud services. However, authentication is required to ensure only authorized employees and devices can access the company assets. Passwords are expensive to manage, difficult to use and can be stolen by malware. To eliminate passwords, Microsoft has introduced two new features to meet the enterprise authentication need for an easy-to-use approach, where the employee’s identity cannot be impersonated:
- Microsoft Hello for Business: The employee will begin the authentication process using a facial or fingerprint biometric. After the biometric match is performed, the digital identity issued by the Certificate Authority will complete the authentication process.
- Microsoft Virtual Smart Card: Microsoft has long supported the digital identity issued by a Certificate Authority, but there remained a concern that the private key could be stolen by malware from its location in the hard drive. This led to the use of one-time passwords on an external device or mobile application. Microsoft now protects the private key from theft by using the Trusted Platform Module hardware, and a user PIN, driving the displacement of one-time password devices and mobile apps.
The enterprise has the same authentication requirement for non-Windows platforms such as mobile devices, SSL/TLS on internal web servers, networking equipment, WiFi and Internet of Things. While several authentication technologies exist, Public Key Infrastructure (PKI) is the only approach which can deliver a single strong digital identity for the person or device for all use cases, and all platforms.
While PKI is the most secure and easy-to-use digital identity, the challenge remains to make it the easiest to deploy. Comodo CA makes deployment and management easy for both a customer premises Microsoft CA and Comodo CA, giving the customer the choice of what makes sense for their business.
The Microsoft Certificate Authority is well designed to issue and manage the certificates to Microsoft clients. Where MSCA is lacking is the management and visibility of all the certificates issued, whether they be for a Microsoft client or a non-Microsoft application inside or outside the firewall such as:
- Web Servers
- Load Balancers
- Networking Gear
- Mobile Devices with and without a mobile management system
- People or devices not defined in the enterprise Active Directory
Automated certificate issuance, installation and renewal to non-Microsoft clients is required to prevent a failure to authenticate, which would leave a customer, partner or employee unable to do their job. Comodo CA provides Certificate Management for certificates issued from a customer premise Microsoft Certificate Authority, protecting your investment while preventing the outage of authentication services. There is no need to displace your Microsoft CA to take advantage of the management capabilities from one console. While the management is centralized, the administration of groups can be delegated to match your organizational structure. Migration to Comodo CA is easy: it starts by automatically discovering all the past certificates issued by the Microsoft CA.
Why Outsource the Certificate Authority?
The setup of a Microsoft Certificate Authority itself is a relatively simple task, but making effective use of the certificates across the enterprise will require PKI expertise that an enterprise may not possess. The solution design must address:
- Where certificate authentication can be used, and how it should be architected for maximum security with zero impact to employee, partner or customer productivity
- How to protect the private key from theft with evolving threats
- How to exploit digital signature to realize savings, while speeding up manual processes
- How to identity-proof employees and devices prior to enrollment for certificates
- Migration from your current authentication, by using it to enroll for a certificate
- Migration from an out-of-support certificate authority to its replacement
- Integrating with your staffing or inventory system, to ensure digital identities are only for authorized people and devices
The cost of the setup and the maintenance of the Microsoft Certificate Authority varies greatly depending on the security and availability required by the certificate authority. More sophisticated deployments will require advanced PKI knowledge that the enterprise may not possess.
Why Choose Sectigo for Certificate Management and Certification Authority
Sectigo allows the customer to purchase a turn-key service, paying only for what they need at the time, using an annual subscription fee. There are no large upfront setup costs. As the largest commercial certification authority, the Sectigo support team has the expertise to deploy PKI to your enterprise.
Sectigo is the only CA that allows the enterprise to simultaneously issue and manage certificates issued from:
- Customer premise Microsoft Certificate Authority. Migrate from the customer premise MSCA to the Sectigo Cloud Certificate Authority at your own pace or stay on MSCA indefinitely.
- Sectigo’s cloud-based Certificate Authority is branded and dedicated for the customer.
- The Sectigo solution is designed for the cloud where we will have you issuing certificates in half the time of other providers.
- Publicly trusted SSL, Code Signing and S/MIME can all be managed from the same console, while allowing for delegated administration along enterprise organizational boundaries.
Get Industry-leading Solutions for Your Online Business
With world class solutions that identify, prevent and combat web-based threats, Sectigo helps businesses protect their customers and reach their goals.