Request for ACME Protocol for MS Certificate Services

Is it possible to deliver / sell / implement a server for issuing certificates using the ACME protocol (RFC 8555 - Automatic Certificate Management Environment (ACME)) using the PKI currently operating in the organization based on Microsoft Certificate Services?

Yes, it is possible. You could start by trying GitHub - grindsa/acme2certifier: library implementing ACME server functionality

I believe there may also be other "enterprise" CA product (Keyfactor etc) that can act as a bridge to MS Certificate Services.

3 Likes

Never done it before, so I'll follow atop the previous answer with a more academic one.

Registration Authority != Certificate Authority

I like to think of ADCS as a kind of all in one RA/CA - you use the MS protocols/methods to both request and issue certificates from the same server but you don't have to.

I could imagine a software system (RA) that is ACME-first which itself has issuing authority with an ADCS CA (hopefully an intermediate/issuing CA). The ACME RA itself is not a CA - just the intermediary for the ACME client to obtain an end-entity certificate which chains through the ADCS PKI.

Split the two (RA, CA) in your head and it becomes clear it's possible pretty quickly. I imagine the SCEP role service emulates the above theory to an extent.

Thank you for your response. I am aware of such solutions available on GitHub. Unfortunately, due to the regulator's requirements in our market, we need an enterprise-class solution that includes, among other things, support from the solution's manufacturer due to the necessity of addressing vulnerabilities.

@TomaszTar sure thing, I'd check with Keyfactor then.

2 Likes