Microsoft infrastructure for issuing and managing certificates inside an enterprise directory environment. It becomes a security concern when certificate templates, enrollment permissions, or authority boundaries create durable access that survives password resets and account changes.
Expanded Definition
Active Directory Certificate Services, or AD CS, is Microsoft’s enterprise certificate authority stack for issuing, renewing, and managing certificates inside a directory domain. In NHI security, it matters because certificates can function as durable machine identity credentials and may outlive a password reset, group change, or even a role transition if enrollment rights and template settings are too broad.
AD CS is often discussed alongside workload identity and enterprise PKI, but it is not the same as a general secrets vault or a simple authentication feature. The security model depends on certificate templates, enrollment agents, authority boundaries, revocation handling, and who can request what. Guidance varies across vendors on hardening depth, but the operational principle is consistent: treat certificate issuance as privilege assignment. NIST’s Cybersecurity Framework 2.0 reinforces the need to manage identity-related risk through governance, access control, and continuous monitoring.
The most common misapplication is assuming certificate issuance is safe by default, which occurs when template permissions allow broad enrollment without reviewing who can mint durable credentials.
Examples and Use Cases
Implementing AD CS rigorously often introduces administrative overhead, requiring organisations to weigh issuance speed and compatibility against tighter template governance, certificate review, and revocation discipline.
- A domain-joined server receives a device certificate for mutual TLS, but only approved administrators can enroll the template and only for the intended machine class.
- A build pipeline uses certificates for signing and service-to-service authentication, with short validity periods and monitored renewal rather than long-lived manual enrollment.
- A privileged workstation certificate is revoked after a role change, preventing the old credential from surviving account reassignment or password rotation.
- An investigation traces lateral movement to a certificate template that allowed unexpected enrollment; the team correlates the issue with lessons from the Cisco Active Directory credentials breach and similar NHI exposure patterns.
- An enterprise aligns its certificate lifecycle controls with the Ultimate Guide to NHIs — What are Non-Human Identities to inventory where certificates function as non-human credentials.
These use cases show why AD CS should be governed as identity infrastructure, not just as a backend utility for internal PKI.
Why It Matters in NHI Security
AD CS becomes high risk when certificate templates or enrollment agents create durable access that survives normal account hygiene. A certificate can remain trusted long after a password is changed, which means a compromised template or mis-scoped issuance path can become a persistent foothold for attackers. That is why certificate authority boundaries, inventory, and revocation procedures are central NHI controls, not niche PKI details.
NHIMG research shows the scale of the problem: 97% of organisations expose NHIs to excessive privileges, and 71% do not rotate NHIs within recommended time frames, both of which are conditions that make certificate-backed access harder to govern. The same patterns apply when AD CS is used to mint machine credentials without tight lifecycle control. If issuance, renewal, and revocation are not continuously reviewed, certificate-based access can outlast the business need that created it. The Ultimate Guide to NHIs — What are Non-Human Identities is a useful baseline for understanding why durable machine credentials demand explicit ownership and rotation.
Organisations typically encounter AD CS risk only after a certificate-backed account survives a password reset or directory cleanup, at which point the certificate authority becomes operationally unavoidable to address.
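The use cases above and the "survives a password reset" risk can be turned into a concrete review. The following is an added example, not code from the original page or from NHI Mgmt Group: it takes a constructed inventory of CA-issued certificates (the kind of fields a CA database export carries) and a constructed list of directory lifecycle events, and flags every unrevoked, still-valid certificate that was issued before a password reset, role change or disablement of the same principal, or whose validity window exceeds a policy maximum. Field names, sample accounts and the 365-day policy are assumptions for illustration.

```python
"""Flag AD CS-issued certificates that outlive an identity lifecycle event.

Added example. The inventory rows are constructed to mimic a CA database
export (RequestID, RequesterName, CertificateTemplate, NotBefore, NotAfter,
revocation status); the identity events mimic directory audit entries.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IssuedCert:
    request_id: int
    requester: str       # principal the CA recorded as the requester
    template: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False


@dataclass(frozen=True)
class IdentityEvent:
    principal: str
    kind: str            # "password_reset", "role_change" or "disabled"
    when: datetime


# Constructed sample data: accounts, hosts, templates and IDs are invented.
INVENTORY = [
    IssuedCert(1001, "CORP\\jdoe", "PrivilegedWorkstation",
               datetime(2024, 1, 10), datetime(2024, 12, 10)),
    IssuedCert(1002, "CORP\\svc-build$", "BuildSigning",
               datetime(2024, 8, 15), datetime(2024, 9, 14)),
    IssuedCert(1003, "CORP\\srv01$", "DeviceMTLS",
               datetime(2024, 3, 1), datetime(2026, 3, 1)),
    IssuedCert(1004, "CORP\\asmith", "PrivilegedWorkstation",
               datetime(2024, 2, 1), datetime(2025, 2, 1), revoked=True),
    IssuedCert(1005, "CORP\\jdoe", "PrivilegedWorkstation",
               datetime(2024, 7, 1), datetime(2025, 3, 1)),
]
EVENTS = [
    IdentityEvent("CORP\\jdoe", "role_change", datetime(2024, 6, 1)),
    IdentityEvent("CORP\\srv01$", "password_reset", datetime(2024, 7, 1)),
    IdentityEvent("CORP\\asmith", "role_change", datetime(2024, 5, 1)),
]
NOW = datetime(2024, 9, 1)  # constructed "current" time for the review


def review_certificates(certs, events, now, max_validity=timedelta(days=365)):
    """Return {request_id: [reasons]} for certificates that need review.

    A certificate is flagged when it is still valid and unrevoked and either
    (a) it was issued before a lifecycle event for the same principal, so the
        credential survived the hygiene step that should have cut access, or
    (b) its validity window exceeds the maximum the policy allows.
    Revoked or expired certificates are skipped: they no longer grant access.
    """
    findings = {}
    for cert in certs:
        if cert.revoked or cert.not_after <= now:
            continue
        reasons = []
        for ev in events:
            same_principal = ev.principal.lower() == cert.requester.lower()
            if same_principal and cert.not_before < ev.when <= now:
                reasons.append(f"survived {ev.kind} on {ev.when:%Y-%m-%d}")
        lifetime = cert.not_after - cert.not_before
        if lifetime > max_validity:
            reasons.append(f"validity {lifetime.days}d exceeds policy "
                           f"{max_validity.days}d")
        if reasons:
            findings[cert.request_id] = reasons
    return findings


def run_review():
    """Run the review over the constructed data; used by the demo below."""
    return review_certificates(INVENTORY, EVENTS, NOW)


if __name__ == "__main__":
    for request_id, reasons in sorted(run_review().items()):
        print(request_id, "->", "; ".join(reasons))
```

On the constructed data, request 1001 is flagged because it predates the requester's role change, request 1003 because it predates a password reset and carries a two-year lifetime, while 1004 (revoked after the role change, as in the use case above) and 1005 (issued after the event) are not. The output is a revocation and ownership review list, which is the operational step the text describes as unavoidable once such a certificate is found.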
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers improper secret and credential lifecycle management for non-human identities. |
| NIST CSF 2.0 | PR.AA | Identity management and access control apply to certificate issuance and revocation. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust requires continuous verification of machine identities, including certificate-based ones. |
Inventory AD CS-issued certificates and restrict enrollment paths to named business owners.
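Restricting enrollment paths starts with knowing which templates let broad groups mint credentials. The following is an added example, not code from the original page or from NHI Mgmt Group: it audits a constructed set of template records (enrollment principals, validity period, whether CA manager approval is required, recorded owner) and flags templates that are open to broad built-in groups without approval, exceed a policy maximum lifetime, or have no named business owner. The template names, principals, the 365-day maximum and the list of "broad" groups are assumptions for illustration; in a real audit these fields would come from the template objects in the directory.

```python
"""Audit AD CS certificate templates for over-broad enrollment scope.

Added example. Each record carries the subset of template settings an
auditor would collect; all values below are constructed.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import FrozenSet, Optional

# Groups that make a template effectively open to the whole directory.
# Assumed list for the example; adjust to the environment's own conventions.
BROAD_PRINCIPALS = {"authenticated users", "domain users",
                    "domain computers", "everyone"}


@dataclass(frozen=True)
class Template:
    name: str
    enroll_principals: FrozenSet[str]  # principals holding the Enroll right
    validity: timedelta
    requires_approval: bool            # CA certificate manager approval
    owner: Optional[str]               # named business owner, if recorded


# Constructed sample templates (names and groups are invented).
TEMPLATES = [
    Template("DeviceMTLS", frozenset({"CORP\\Server Admins"}),
             timedelta(days=365), False, "platform-team"),
    Template("BuildSigning", frozenset({"CORP\\Build Agents"}),
             timedelta(days=30), False, "ci-team"),
    Template("LegacyUser", frozenset({"Domain Users", "CORP\\Helpdesk"}),
             timedelta(days=730), False, None),
    Template("PrivilegedWorkstation", frozenset({"Authenticated Users"}),
             timedelta(days=365), True, "sec-ops"),
]


def audit_templates(templates, max_validity=timedelta(days=365)):
    """Return {template_name: [reasons]} for templates needing governance.

    Broad enrollment is only flagged when no manager approval gates it, since
    approval is the compensating control that keeps a wide-open template from
    becoming self-service credential minting.
    """
    findings = {}
    for t in templates:
        reasons = []
        broad = sorted(p for p in t.enroll_principals
                       if p.lower() in BROAD_PRINCIPALS)
        if broad and not t.requires_approval:
            reasons.append("enrollment open to " + ", ".join(broad)
                           + " without approval")
        if t.validity > max_validity:
            reasons.append(f"validity {t.validity.days}d exceeds policy "
                           f"{max_validity.days}d")
        if not t.owner:
            reasons.append("no named business owner")
        if reasons:
            findings[t.name] = reasons
    return findings


def run_audit():
    """Audit the constructed templates; used by the demo below."""
    return audit_templates(TEMPLATES)


if __name__ == "__main__":
    for name, reasons in sorted(run_audit().items()):
        print(name, "->", "; ".join(reasons))
```

On the constructed data only LegacyUser is flagged, on all three counts; PrivilegedWorkstation is open to Authenticated Users but passes because approval is required, which is exactly the kind of judgement a template review has to record rather than leave implicit.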
Related resources from NHI Mgmt Group
- Why do Active Directory service accounts complicate zero trust programs?
- How should security teams govern Active Directory service accounts?
- What is the difference between direct access and effective access in Active Directory?
- Why do Active Directory service accounts create more risk than their labels suggest?