I'm quite new to ACME, but already somewhat experienced with ADCS (Active Directory Certificate Services).

We use ADCS for all our internal needs: client auth, VPN, EFS etc., also for issuing TLS certificates.

Now, you may have already heard that Apple will no longer honor certificates with >1 year lifetime starting September 1st; this will put some strain on our limited webmaster resources (and to add insult to injury, every department has their own webmasters). I figured that maybe the easy way out is to implement in-house ACME using ADCS, but after some googling I have to admit I haven't found a solution that does it. Is it my poor googling skills, or there's just no such software?

StanTastic

4 Answers

I have been able to close that gap with a GitHub project.

https://github.com/grindsa/acme2certifier

It serves quite well as an ACME proxy for CA servers that don't support ACME natively. The integration with ADCS is simple through the Web enrollment service. All you need is a service account and the certificate template on ADCS you want to use.

The project even has support for External account binding so you can authenticate the requests towards the ACME proxy.

bfloriang
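What the external account binding mentioned in this answer looks like on the wire, as an added example in Go that is not part of the original answer and is not code from the acme2certifier project (which has its own EAB handling): the client MACs its account public key with a pre-shared HMAC key under a key identifier, and the ACME proxy verifies it before creating the account (RFC 8555, section 7.3.4). The kid, HMAC key, account JWK and newAccount URL are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
)

// EABJWS is the flattened JWS the client places in the newAccount request's
// "externalAccountBinding" field (RFC 8555, section 7.3.4).
type EABJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// Constructed placeholder table: the proxy operator hands each webmaster a kid
// and an HMAC key out of band and keeps the same table on the server side.
var eabKeys = map[string][]byte{
	"webmaster-dept-a": []byte("constructed-hmac-key-for-dept-a-0123456789"),
}

// Constructed placeholder for the account public key. A real client puts the
// public half of the key that signs the outer newAccount JWS here.
const accountJWK = `{"kty":"EC","crv":"P-256","x":"AAAA","y":"BBBB"}`

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// BuildEAB is the client side: protected header {alg, kid, url}, payload = the
// account JWK, signature = HMAC-SHA256 over "protected.payload". Unlike every
// other ACME JWS it carries no nonce.
func BuildEAB(kid string, key []byte, newAccountURL string, jwk []byte) (EABJWS, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "HS256", "kid": kid, "url": newAccountURL})
	if err != nil {
		return EABJWS{}, err
	}
	p, pl := b64(hdr), b64(jwk)
	return EABJWS{Protected: p, Payload: pl, Signature: b64(hs256(key, []byte(p+"."+pl)))}, nil
}

// VerifyEAB is the proxy side: look the key up by kid, recompute the MAC in
// constant time, and check that the key bound in the payload is the key that
// signed the outer newAccount request (outerJWK), so a captured EAB cannot be
// replayed to register a different account key.
func VerifyEAB(jws EABJWS, keys map[string][]byte, newAccountURL string, outerJWK []byte) error {
	dec := base64.RawURLEncoding.DecodeString
	raw, err1 := dec(jws.Protected)
	payload, err2 := dec(jws.Payload)
	sig, err3 := dec(jws.Signature)
	if err1 != nil || err2 != nil || err3 != nil {
		return errors.New("eab: malformed base64url")
	}
	var hdr map[string]string
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return err
	}
	if _, hasNonce := hdr["nonce"]; hdr["alg"] != "HS256" || hdr["url"] != newAccountURL || hasNonce {
		return errors.New("eab: header must be {alg: HS256, kid, url} and carry no nonce")
	}
	key, ok := keys[hdr["kid"]]
	if !ok {
		return errors.New("eab: unknown kid")
	}
	if !hmac.Equal(sig, hs256(key, []byte(jws.Protected+"."+jws.Payload))) {
		return errors.New("eab: bad signature")
	}
	var bound, outer map[string]any
	if json.Unmarshal(payload, &bound) != nil || json.Unmarshal(outerJWK, &outer) != nil {
		return errors.New("eab: malformed jwk")
	}
	if !reflect.DeepEqual(bound, outer) {
		return errors.New("eab: bound key is not the account key")
	}
	return nil
}

func main() {
	url := "https://acme-proxy.corp.example/acme/newaccount" // constructed
	jws, _ := BuildEAB("webmaster-dept-a", eabKeys["webmaster-dept-a"], url, []byte(accountJWK))
	fmt.Println("verify:", VerifyEAB(jws, eabKeys, url, []byte(accountJWK)))
}
```

In practice the operator generates one kid/HMAC pair per department's webmaster; a client such as certbot passes them with --eab-kid and --eab-hmac-key, and the proxy refuses newAccount requests whose binding does not verify, which is what keeps the ADCS template from being reachable by anyone who can merely route to the proxy.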

Apple will no longer honor certificates with >1 year lifetime starting September 1st

While this is true, it only applies to certs issued via the set of publicly trusted root CAs that come with the OS. Your internal CA can continue issuing multi-year certs without any problems. Here's a support article direct from Apple about it.

If you're still looking for an ACME server that can interface with ADCS, here's a project on Github that is supposed to be able to do it. But I haven't played with it, so I don't know how complete it is.

https://github.com/glatzert/ACME-Server-ACDS

Grant's answer about standing up a standalone ACME compatible CA that is a sub-CA of your internal root would also work and might actually be easier depending on your environment.

Ryan Bolger
  • You're correct, however we decided to have same rules regarding both internal and external CAs - easier to maintain consistency :-) – StanTastic Sep 01 '21 at 13:24

Microsoft ADCS does not support ACME natively and I'm not aware of any 3rd party connector that integrates ACME with ADCS.

Microsoft ADCS supports Enrollment Web Services that use SOAP WS-* transport and are defined in two protocol specifications: [MS-XCEP] and [MS-WSTEP].

In internal environments and external (workgroups when using enrollment web services) environments, it is possible to use certificate autoenrollment functionality that performs initial certificate provisioning and automatic certificate renewal. I wrote a technical whitepaper about how certificate autoenrollment works: Certificate Autoenrollment in Windows Server 2016. The blog post contains a link to a downloadable copy of the document.

Crypt32
  • So... is there a guide on how to use it to get a certificate for Tomcat or Nginx installed on Debian? – StanTastic Mar 02 '20 at 13:02
  • Haven't tried this, you may want to take a look at this post: https://superuser.com/a/1333245 – Crypt32 Mar 02 '20 at 13:11
  • Keyon provides products that extend ADCS, though unsure if they use ACME: https://www.keyon.ch/en/Produkte-Loesungen/Microsoft-PKI/index.php – Totalcontrol Mar 03 '20 at 11:19
  • They do, I will be testing this soon. – StanTastic Apr 07 '20 at 12:35
  • You don't necessarily need ACME integration with ADCS. You might consider other solutions which provide full ADCS to Linux/UNIX certificate management like https://revocent.com/certaccord-how-to-create-trusted-certificate-from-command-line-linux/ – Mike Cooper Aug 20 '20 at 16:18

There isn't, as far as I know, any good way to directly get a certificate from an internal Microsoft certificate authority via ACME.

But what you could do is run your own ACME server to issue certificates. Its signing certificate could be signed by your root certificate, so all your clients will trust the certs it issues. There are a few ACME servers to choose from.

Grant
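The sub-CA design from this answer, combined with the lifetime point from Ryan Bolger's answer and the asker's decision to apply the same rules internally, as an added example in Go that is not code from any of the answers or from any particular ACME server: the existing internal root signs an issuing sub-CA (the key the standalone ACME server would hold), the sub-CA issues a short-lived leaf after a successful challenge, and a client that trusts only the root verifies the chain. CA names, lifetimes and the hostname are assumptions; the 398-day ceiling is the policy choice discussed in the comments, not something the ACME protocol requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy ceiling for end-entity certificates: 398 days is what Apple enforces
// for publicly trusted roots; applying it to the internal issuer as well is the
// "same rules for internal and external" choice the asker describes above.
const maxLeafLifetime = 398 * 24 * time.Hour

type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newSerial() *big.Int { return must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))) }

// NewCA returns a self-signed root when parent is nil (the internal root the
// organisation already operates), otherwise a sub-CA signed by parent, which is
// what the standalone ACME server runs with. pathlen 0: end-entity certs only.
func NewCA(cn string, parent *CA, years int) (*CA, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = 0, true
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: must(x509.ParseCertificate(der)), Key: key}, nil
}

// IssueLeaf is what the ACME server does after the http-01 or dns-01 challenge
// for dnsName succeeds; the lifetime is checked before anything is signed. The
// leaf key is generated here only to stay self-contained; with ACME the client
// keeps its own key and sends a CSR.
func IssueLeaf(issuer *CA, dnsName string, lifetime time.Duration) (*x509.Certificate, error) {
	if lifetime > maxLeafLifetime {
		return nil, fmt.Errorf("lifetime %v exceeds policy maximum %v", lifetime, maxLeafLifetime)
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.Cert, &key.PublicKey, issuer.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChain is what a client does when it trusts only the internal root:
// the web server must send the sub-CA certificate along with its own.
func VerifyChain(leaf, subCA, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(subCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	root := must(NewCA("Corp Internal Root CA", nil, 20))
	acme := must(NewCA("Corp ACME Issuing CA", root, 5))
	leaf := must(IssueLeaf(acme, "www.intranet.corp.example", 90*24*time.Hour))
	fmt.Println("chain ok:", VerifyChain(leaf, acme.Cert, root.Cert, "www.intranet.corp.example") == nil)
}
```

Two details matter when doing this for real: the sub-CA certificate must carry the path-length constraint (and ideally name constraints for your internal domains) so a compromise of the ACME server cannot mint further CAs, and every web server has to serve the sub-CA certificate in its chain, because the domain-joined clients only have the root in their trust store.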