Microsoft active directory certificate services with letsencrypt

WonderGlobal · March 15, 2024, 2:24am

A well explained here:

There is a way to use LETSENCRYPT with ADCS (Active Directory Certificate Services), but we would like to have it IN PRODUCTION..

Who can we talk to about pay to develop/maintain a solution to be used IN PRODUCTION?

Kind regards

Wonder Global

rg305 · March 15, 2024, 2:33am

I doubt that is possible...
LE doesn't provide certificates that can be used to issue other certs from.

OR
Maybe I misunderstand the statement/request.
If you can better explain your need, maybe we can better answer the question.

webprofusion · March 15, 2024, 5:37am

The linked example is using Let's Encrypt for certificates used by the services themselves, it's not using Let's Encrypt to issue certs via ADCS.

If you want to use ACME (automated certificate management) but issue from ADCS you could look at GitHub - grindsa/acme2certifier: library implementing ACME server functionality

I suppose the question is what do you actually want, and why?

rmbolger · March 15, 2024, 7:05am

Hey, that's my face (and my writing)!

As @webprofusion mentioned, that post is using Let's Encrypt instead of ADCS for certificate services in a domain. The whole point is that you don't need to bother installing, securing, and maintaining ADCS (which hasn't seen a significant update from Microsoft in over a decade).

The method can absolutely be used "in production". But you'd likely want to customize the scripts for your environment and add more error handling and logging to make things more robust than the proof of concept I put together for that post. If you're looking to pay a PowerShell developer to do that for you, I'm sure such people exist. But I don't really have any guidance on where to find them.

WonderGlobal · March 15, 2024, 2:52pm

We have POWERSHELL developers, but can we have a talk over a webconference to understand what need to be done?

How can i reach you? my email is [redacted]

WonderGlobal · March 15, 2024, 2:55pm

Great information Christopher Cook, i found this about ADCS:

github.com

grindsa/acme2certifier/blob/master/docs/mswcce.md

<!-- markdownlint-disable  MD013 -->
<!-- wiki-title CA handler for Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) -->
# CA handler for Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE)

This CA handler uses the Microsoft [Windows Client Certificate Enrollment Protocol](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/446a0fca-7f27-4436-965d-191635518466). The handler is using code from [Certipy](https://github.com/ly4k/Certipy) which is a kind of pentesting tool for AD-CS.

When using the handler please be aware of the following limitations:

- CA certificates cannot be fetched from CA server and must be loaded via `ca_bundle` option configured in `acme_srv.cfg`
- Revocation operations are not (yet) supported

## Preparation

1. Active Directory Certificate Services (AD-CS) must be enabled and configured - of course :-)
2. The CA handler is using RPC/DCOM to communicate with the CA server. That means that your CA-server must be reachable via TCP port 445.
3. (optional): In case you are installing from RPM or DEB and plan to use kerberos authentication you need an updated [impacket modules of version 0.11 or higher](https://github.com/fortra/impacket) as older versions have issues with the handling of utf8-encoded passwords. If you have no clue from where to get these packaages feel free to use the one being part of [the a2c github repository](https://github.com/grindsa/sbom/tree/main/rpm-repo/RPMs)
4. You need to have a set of credentials with permissions to access the service and enrollment templates

## Installation

This file has been truncated. show original

But can we talk over a webconference to automate, perhaps use your https://certifytheweb.com/ solution also?

How can i reach you? My email is [redacted]

rmbolger · March 15, 2024, 4:08pm

Respectfully, I already have a full time job. I'm not personally willing to provide guidance on this topic for your business outside the context of questions on this public forum. But I'm happy to continue answering questions here as I have time.

webprofusion · March 16, 2024, 4:13am

Thanks, I've responded to your support ticket. We don't provide consultancy as such but will be happy to answer specific questions about your evaluation of Certify The Web.

system · April 15, 2024, 4:13am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.