Windows CA backed ACME server

Our organisation has been working towards adopting ACME for certificate enrolment on our internal network.
When we originally investigated integrating the support, we found that none of the available server implementations fit our constraints, so we undertook development of our own ACME server.
Our constraints included:

  • Existing CA infrastructure running on Microsoft Windows CA
  • Private key material for the CA must be HSM backed
  • Security team didn't want to build a new issuing tier CA (partially presented by capacity constraints on the HSM)

We decided to take the approach of integrating a new ACME service with the existing Windows CA infrastructure. We built an ACME server capable of proxying the final CSR from the client over the Windows RPC channel for signing.

For anyone who may find themselves in the same boat on their internal networks, I have published it to my GitLab.
-- NOTE: This project has been built to minimum viable product, so some capabilities are only partially functional. I'm open to the community helping me finish it off.
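As an added illustration of the CSR-proxying step described above (this is example code, not the author's project code): submitting a client's PKCS#10 to an AD CS issuing CA over the CertSrv request interface from PowerShell, with the certificate template pinned on the server side. The CA config string, the template name and the function name are placeholders.

```powershell
# Added example, not from the post's project. Submits a PKCS#10 CSR to an
# AD CS CA via the CertificateAuthority.Request COM class (ICertRequest2,
# carried over the CertSrv RPC/DCOM channel). Assumes the account running it
# has Request Certificates permission on the CA and Enroll on the template.

# Flag and disposition values from certcli.h / certsrv.h
$CR_IN_BASE64HEADER       = 0x0    # CSR is PEM framed
$CR_IN_PKCS10             = 0x100  # CSR is PKCS#10
$CR_OUT_BASE64HEADER      = 0x0    # return issued cert as PEM
$CR_DISP_ISSUED           = 3
$CR_DISP_UNDER_SUBMISSION = 5      # held for CA manager approval

function Submit-CsrToWindowsCa {
    param(
        [Parameter(Mandatory)] [string] $CsrPem,    # finalize CSR from the ACME client
        [Parameter(Mandatory)] [string] $CaConfig,  # "caserver.example.internal\Example Issuing CA" (placeholder)
        [string] $Template = "ACMEWebServer"        # placeholder; chosen by the server, never by the client
    )
    # The caller must already have checked that every SAN in $CsrPem matches an
    # authorised identifier on the ACME order before this function is invoked.
    # Pinning the template here stops a client choosing one via CSR attributes.
    $attributes = "CertificateTemplate:$Template"

    $req = New-Object -ComObject CertificateAuthority.Request
    $disposition = $req.Submit($CR_IN_BASE64HEADER -bor $CR_IN_PKCS10,
                               $CsrPem, $attributes, $CaConfig)

    if ($disposition -eq $CR_DISP_ISSUED) {
        return [pscustomobject]@{
            Status      = 'valid'        # ACME order status
            RequestId   = $req.GetRequestId()
            Certificate = $req.GetCertificate($CR_OUT_BASE64HEADER)
        }
    }
    elseif ($disposition -eq $CR_DISP_UNDER_SUBMISSION) {
        # Map to ACME "processing"; poll later with $req.RetrievePending($id, $CaConfig).
        return [pscustomobject]@{
            Status      = 'processing'
            RequestId   = $req.GetRequestId()
            Certificate = $null
        }
    }
    else {
        # Denied or errored: log the CA's reason for operators, and return only
        # a generic ACME error to the client rather than the CA's internal message.
        throw "CA rejected request (disposition $disposition): $($req.GetDispositionMessage())"
    }
}
```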

