ACME + Microsoft ADCS - Any integrations?

Not really a client dev question, not sure where to go with this.

Question is:
Is there any server side support for the ACME protocol for Microsoft AD Certificate Services CAs?
I have a use case for ACME protocol clients in an enterprise environment. Microsoft's CA supports a SOAP API and I've written a client for it. However, I'd like to use one of the available ACME clients. Therefore I'm interested to know if there are any Microsoft Windows AD Certificate Server CA server-side components for the ACME protocol.

Thanks!
~Gordon

Not sure which way around you're thinking here; I suspect that nothing exists today which fulfils your criteria either way, but perhaps you can indulge me:

Are you imagining a piece of software which enables a Microsoft environment to request a new certificate in the same way they do today, but the certificates are ultimately issued by Let's Encrypt (or another CA which offers ACME; today I think that's only Let's Encrypt, but of course the protocol was not conceived for their exclusive use)?

Or are you imagining a piece of software which enables software that can use ACME to request a certificate which ultimately has been issued by the Microsoft AD Certificate Services system?

In the latter case I think ACME will prove a bit "heavyweight" in most cases. The IETF has previously documented or standardised about half a dozen APIs of various sorts for certificate management; some are in wide use, some are used behind the scenes by "enterprise" customers of CAs, some are largely forgotten. ACME was created specifically to do something those APIs don't - provide the necessary validation of control over the name requested. This is important for the Web PKI (certificates to be issued to, for example, a small company in Pennsylvania, and then trusted automatically by the smart phone of a short order cook in Hunan), but in the environments where other solutions took root it is either in principle or in practice unimportant - no validation is performed anyway, so ACME adds nothing.

Thank you for your response!

So I was thinking the other way around. Say I have an enterprise environment (on premise datacenter) vs internet or cloud.

If I'm required to use a Microsoft Certification Authority inside the enterprise network, is there any ACME protocol client that can request certificates from ADCS?

The use case is that I'd like to use the same client on non-Windows machines (Linux, serverless?, etc.) to manage both enterprise PKI use cases as well as Let's Encrypt provisioned certs.

The MSFT CA provides a SOAP API. I was curious to learn if anyone had done a REST server-side adaptation for Microsoft Enterprise CAs that supports the ACME protocol.

Thanks!
~Gordon

What's your appetite for experimentation?

Microsoft ADCS relies on Active Directory and trust relationships to issue certificates.

ACME can add a benefit to non-Microsoft servers or devices; however, for Microsoft servers, adding an ACME client to do what ADCS can do natively seems overkill.

ADCS does provide an interface to do this: https://technet.microsoft.com/en-us/library/hh831649(v=ws.11).aspx

I have had an idea which is on the back-burner:

A) A semi-ACME cert server (like Boulder without all the extra bits)
B) The server talks ACME, but all revocation, issuing etc. is done by ADCS
C) PowerShell will do the talking etc.
D) The Pebble implementation is of interest in this as well: https://github.com/letsencrypt/pebble

Andrei
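An added example for Andrei's sketch above (items A to C) and for the earlier reply's point that ACME's one real addition is validating control over the requested name. This is editor-added code, not code from the thread, from Pebble/Boulder, or from Microsoft. It is a minimal Python shim: the ACME side proves control of each name with http-01 (RFC 8555 key authorization over an RFC 7638 JWK thumbprint) and only then hands the CSR to a pluggable CA backend. The AD CS backend wraps certreq.exe with its documented -submit/-config/-attrib options; the CA name "CAHOST\CA-Name" and template name are assumptions for your environment, and run_demo() never invokes that backend, so the block runs offline. The JWKs, hostnames and "CSR" bytes are constructed test data, and JWS signing, nonces and account registration are left out.

```python
import base64
import hashlib
import json
import os
import secrets
import subprocess
import tempfile
from dataclasses import dataclass

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # RFC 8555 base64url, no padding

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """The value the client must publish: the challenge token bound to *its* account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"

@dataclass
class Authorization:
    identifier: str          # DNS name from the order
    token: str               # random http-01 token
    status: str = "pending"  # pending -> valid | invalid (both terminal)

@dataclass
class Order:
    account_jwk: dict
    authorizations: list

class AcmeShim:
    """ACME state only. fetch(url) -> body (str) is the HTTP GET used for http-01; issue(csr) -> cert
    is the CA backend (AD CS in this thread). Both are injected so the flow can run offline."""
    def __init__(self, fetch, issue):
        self.fetch, self.issue = fetch, issue
    def new_order(self, account_jwk: dict, names: list) -> Order:
        return Order(account_jwk, [Authorization(n, b64url(secrets.token_bytes(32))) for n in names])
    def validate_http01(self, order: Order, authz: Authorization) -> bool:
        if authz.status != "pending":        # a failed challenge is never retried; use a new order
            return authz.status == "valid"
        url = f"http://{authz.identifier}/.well-known/acme-challenge/{authz.token}"
        try:
            body = self.fetch(url).strip()
        except Exception:                    # unreachable, 404, timeout: all mean "not proven"
            body = None
        authz.status = "valid" if body == key_authorization(authz.token, order.account_jwk) else "invalid"
        return authz.status == "valid"
    def finalize(self, order: Order, csr: bytes) -> bytes:
        # The gate the CA itself does not provide: no issuance until every name is proven.
        if any(a.status != "valid" for a in order.authorizations):
            raise PermissionError("orderNotReady: order still has unproven identifiers")
        return self.issue(csr)

def adcs_certreq_issuer(ca_config: str, template: str):
    """Backend for an AD CS enterprise CA via certreq.exe (Andrei's item C, driven from Python).
    Assumes a domain-joined Windows host allowed to enrol for `template` on `ca_config` ("CAHOST\\CA-Name").
    A template needing CA-manager approval leaves the request pending: no cert file, so open() raises."""
    def issue(csr: bytes) -> bytes:
        with tempfile.TemporaryDirectory() as d:
            req, cer = os.path.join(d, "req.csr"), os.path.join(d, "cert.cer")
            with open(req, "wb") as f:
                f.write(csr)
            subprocess.run(["certreq", "-submit", "-config", ca_config,
                            "-attrib", f"CertificateTemplate:{template}", req, cer], check=True)
            with open(cer, "rb") as f:
                return f.read()
    return issue

# Constructed demo data: shaped like P-256 public keys, not real keys.
DEMO_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
            "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
             "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}

def run_demo() -> dict:
    """Two orders against an in-memory 'web server' and a stand-in issuer (no AD CS needed)."""
    published, out = {}, {}
    shim = AcmeShim(fetch=lambda url: published[url],
                    issue=lambda csr: b"-----BEGIN CERTIFICATE-----\n" + csr + b"\n-----END CERTIFICATE-----\n")
    url = lambda a: f"http://{a.identifier}/.well-known/acme-challenge/{a.token}"
    # Order 1: the client deploys the correct key authorization for both names.
    order = shim.new_order(DEMO_JWK, ["app1.corp.example", "app2.corp.example"])
    for a in order.authorizations:
        published[url(a)] = key_authorization(a.token, DEMO_JWK)
    out["order1_valid"] = [shim.validate_http01(order, a) for a in order.authorizations]
    out["cert"] = shim.finalize(order, b"csr-1")
    # Order 2: the right token published under someone else's account key (a hijack attempt).
    hijack = shim.new_order(DEMO_JWK, ["app3.corp.example"])
    a3 = hijack.authorizations[0]
    published[url(a3)] = key_authorization(a3.token, OTHER_JWK)
    out["hijack_valid"] = shim.validate_http01(hijack, a3)
    try:
        shim.finalize(hijack, b"csr-2")
        out["hijack_issued"] = True
    except PermissionError:
        out["hijack_issued"] = False
    return out
```

On a domain-joined host you would pass `adcs_certreq_issuer("CAHOST\\Corp-Issuing-CA", "WebServer")` (both names assumed) in place of the stand-in issuer. Revocation, Andrei's item B, would be a similar thin wrapper around `certutil -revoke`, which this example does not include; the point the code makes is that the shim, not AD CS, is what refuses to issue when a name is unproven or when the key authorization was published under a different account key.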

Hi @gjyoung1974

Have a look at this https://www.globalsign.com/en-au/auto-enrollment-gateway/

It uses ACME, but it's an internal certificate authority, so it's possibly just a matter of doing the integration.

Andrei

Thank you Andrei!
I will def. check it out,
G~
