0

Is there enough control over AD user properties to have custom fields (one with only SELF having read permissions) and with Certificate Services to automatically maintain/auto-renew certificates and place both the public and private keys into separate fields in Active Directory?

We're building an application where our Active Directory is the only source for identity and authority, and we need to implement document signing. We can't think of any other way to maintain a user's access if it's stored anywhere else.

joshhemphill
  • 152
  • 6

1 Answer

0

TL;DR: Technically yes, but being able to directly access/modify anything related to keys via (S)LDAP is an exercise in futility; I haven't found anything saying explicitly that you can't, but I've never found a way to do it.

From what I've found, my approach was misguided; it was much easier to maintain a separate database of ephemeral private keys that expire with any change in user data, and to record all time-stamped public key/user pairs so that signatures can continue to be validated.

joshhemphill
  • 152
  • 6
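The design the answer settles on, as an added example that is not part of the original post or of any product's code: a separate store that holds an ephemeral private key per user, retires that key whenever the user's directory record changes (or the account is disabled), and keeps an append-only log of time-stamped public keys so that a signature can still be verified against whichever key the user held at signing time. The names `UserRecord`, `KeyStore`, `PublicKeyRecord`, the attribute set chosen as "user data", and the use of Ed25519 are assumptions for the example; the in-memory maps stand in for the separate database, and in a real deployment the `UserRecord` would be read from Active Directory over LDAP rather than constructed in code. The signer name and timestamp are folded into the signed bytes, so a signature cannot be re-dated into a different key's validity window.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strings"
	"time"
)

// UserRecord: directory attributes whose change retires the user's current key (assumed set; a real system reads them from AD over LDAP).
type UserRecord struct {
	SamAccountName string
	Groups         []string // assumed to arrive in a stable order
	Enabled        bool
}

// fingerprint hashes the attributes; any change in user data yields a new value and so a new key.
func fingerprint(u UserRecord) [32]byte {
	return sha256.Sum256([]byte(u.SamAccountName + "\x00" + strings.Join(u.Groups, "\x00")))
}
// activeKey is an ephemeral private key tied to one user-record fingerprint.
type activeKey struct {
	priv ed25519.PrivateKey
	fp   [32]byte
}
// PublicKeyRecord is the append-only record that keeps old signatures verifiable after the private key is gone.
type PublicKeyRecord struct {
	User      string
	Pub       ed25519.PublicKey
	ValidFrom time.Time
	ValidTo   time.Time // zero while the key is current
}
// KeyStore stands in for the separate database; the clock is injectable for tests.
type KeyStore struct {
	now     func() time.Time
	active  map[string]activeKey
	history []PublicKeyRecord
}
func NewKeyStore(now func() time.Time) *KeyStore {
	return &KeyStore{now: now, active: map[string]activeKey{}}
}

// retire drops the private key and closes the user's open history entry.
func (ks *KeyStore) retire(user string) {
	delete(ks.active, user)
	for i := range ks.history {
		if ks.history[i].User == user && ks.history[i].ValidTo.IsZero() {
			ks.history[i].ValidTo = ks.now()
		}
	}
}

// keyFor returns the user's current key, issuing a fresh one when none exists or the record changed; disabled accounts get none.
func (ks *KeyStore) keyFor(u UserRecord) (ed25519.PrivateKey, error) {
	if !u.Enabled {
		ks.retire(u.SamAccountName)
		return nil, errors.New("account disabled: no signing key")
	}
	fp := fingerprint(u)
	if k, ok := ks.active[u.SamAccountName]; ok && k.fp == fp {
		return k.priv, nil
	}
	ks.retire(u.SamAccountName)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ks.active[u.SamAccountName] = activeKey{priv: priv, fp: fp}
	ks.history = append(ks.history, PublicKeyRecord{User: u.SamAccountName, Pub: pub, ValidFrom: ks.now()})
	return priv, nil
}

// signedBytes binds signer and timestamp into the signed message, so a signature cannot be re-dated into another key's validity window.
func signedBytes(user string, at time.Time, doc []byte) []byte {
	return append([]byte(user+"\x00"+at.UTC().Format(time.RFC3339Nano)+"\x00"), doc...)
}
// Sign signs doc under the key for the user's current directory state and returns the timestamp the signature is bound to.
func (ks *KeyStore) Sign(u UserRecord, doc []byte) ([]byte, time.Time, error) {
	priv, err := ks.keyFor(u)
	if err != nil {
		return nil, time.Time{}, err
	}
	at := ks.now()
	return ed25519.Sign(priv, signedBytes(u.SamAccountName, at, doc)), at, nil
}
// Verify accepts sig only under a public key the user held at signedAt.
func (ks *KeyStore) Verify(user string, signedAt time.Time, doc, sig []byte) bool {
	for _, r := range ks.history {
		if r.User != user || signedAt.Before(r.ValidFrom) || (!r.ValidTo.IsZero() && !signedAt.Before(r.ValidTo)) {
			continue
		}
		if ed25519.Verify(r.Pub, signedBytes(user, signedAt, doc), sig) {
			return true
		}
	}
	return false
}
```

Usage is `sig, at, err := ks.Sign(user, doc)` followed later by `ks.Verify(user.SamAccountName, at, doc, sig)`; after the user's groups change, the next `Sign` silently rotates the key, earlier signatures still verify through the history log, and a disabled account can no longer sign while its past signatures remain verifiable. Two caveats worth keeping in mind: the timestamp is trustworthy only because the signing service, not the caller, supplies it, and if documents must be verifiable by parties outside your application you would bind each public key to a CA-issued certificate (for example from AD Certificate Services) rather than rely on a private history table.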