
I am looking into deploying an internal CA to replace the GlobalSign certificates we use for our internal email encryption:

  • Internal CA would be set up using ADCS in a two-tier hierarchy, no other software, i.e. OpenSSL
  • The clients that it will be used on: Outlook 2013, Outlook for Mac 2011
  • I would prefer S/MIME format

My question is, can a Mac client request and use a certificate from the CA?


Yes, Windows CAs are compatible with OSX, but you need to make sure the CA is using SHA2 and RSA 1024 or higher. Anything less secure may run into errors with various revisions of OSX.

With regards to enrollment, users can use the OSX Keychain to create a certificate file to be signed. Since the CertEnroll ActiveX control doesn't work on OSX, you either need to work with MSFT Web Enrollment, or upload/email that file to a human or Windows service that will consume it, sign it with the CA, and return the signed cert to the client.

More information on WebEnrollment (Developers)

makerofthings7
  • Yep, ADCS enrollment web services would be preferred. However, Mac OS X does not have a native client that supports these protocols. There are, though, third-party (non-free) clients that work with enrollment web services on Mac OS X. – Crypt32 Dec 08 '15 at 20:32
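The "Windows service that will consume, sign with the CA, and return the signed cert" path from the answer above, as an added example that is not part of the original thread. It runs on a Windows host with the ADCS tools installed, takes the Base64/PEM PKCS#10 request a Mac user generated with Keychain Access, applies the compatibility gate the answer describes (SHA-2 signature, RSA key, minimum size), then submits it to the issuing CA with certreq.exe and reports the issued certificate. The CA config string, the template name, the file paths and the 2048-bit floor (a stricter choice than the answer's 1024) are assumptions for the example.

```powershell
# Added example (not from the original thread): validate and submit a Mac-generated
# PKCS#10 request to an ADCS issuing CA. CA name, template and key-size floor are assumed.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $RequestFile,                       # Base64/PEM CSR emailed or uploaded by the Mac user
    [string] $CAConfig   = 'ISSUINGCA01.corp.example\Corp Issuing CA 1', # assumed "CAHOST\CA common name"
    [string] $Template   = 'MacSMIMEUser',                               # assumed S/MIME template name
    [int]    $MinRsaBits = 2048                                          # floor chosen for this example
)

$b64 = Get-Content -Raw -Path $RequestFile

# Decode the request with the CertEnroll COM library (the same code the ActiveX control wraps,
# which is why it is usable here on Windows even though the control itself is not on the Mac).
$req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$req.InitializeDecode($b64, 6)   # 6 = XCN_CRYPT_STRING_BASE64_ANY: accepts with or without PEM header
$req.CheckSignature(1)           # 1 = AllowedKeySignature: throws if the CSR's proof-of-possession fails

$subject = $req.Subject.Name
$keyAlg  = $req.PublicKey.Algorithm.FriendlyName   # e.g. "RSA"
$keyBits = $req.PublicKey.Length                   # modulus length in bits
$hash    = $req.HashAlgorithm.FriendlyName         # e.g. "sha256", "sha1"

# Compatibility gate from the answer: SHA-2 signature, RSA key of sane size. Anything weaker is
# refused here rather than discovered later as an import error on the Mac.
if ($keyAlg -ne 'RSA') {
    throw "Rejecting '$subject': key algorithm is '$keyAlg', expected RSA"
}
if ($keyBits -lt $MinRsaBits) {
    throw "Rejecting '$subject': RSA $keyBits bits is below the $MinRsaBits-bit floor"
}
if ($hash -notmatch '^sha(256|384|512)') {
    throw "Rejecting '$subject': request is signed with '$hash', a SHA-2 hash is required"
}
Write-Verbose "Accepted '$subject' (RSA $keyBits, $hash); submitting to $CAConfig"

# Hand the request to the CA. -attrib pins the template server-side so the requester cannot
# choose one the Mac user should not receive (the CSR itself carries no template).
$certFile = [IO.Path]::ChangeExtension($RequestFile, '.cer')
$out = & certreq.exe -q -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $RequestFile $certFile 2>&1
$outText = ($out | Out-String)

if ($outText -match 'Taken Under Submission') {
    # Template requires CA manager approval: nothing to return yet, the request ID is in the output.
    Write-Warning "Request for '$subject' is pending CA manager approval: $outText"
    return
}
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $certFile)) {
    throw "CA did not issue a certificate for '$subject' (certreq exit $LASTEXITCODE): $outText"
}

# $certFile now holds the issued certificate to send back to the requester.
Write-Output $certFile
```

On the Mac side the returned certificate must be imported into the same keychain in which Certificate Assistant created the key pair, otherwise Keychain has no private key to pair it with and Outlook for Mac will not offer it for S/MIME signing.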

Hmm, I have no experience with Active Directory Certificate Services; maybe someone else can provide first-hand experience. Microsoft has a history of ignoring standards (like how Active Directory differs from the X500 LDAP standard), so you are right to be suspicious; in fact the ADCS pages have no hits for "X509". These are questions you should ask Microsoft directly (or whoever your middle-man software vendor is).

In general: Almost all CAs / browsers / S/MIME applications / VPNs / etc. use the X509 Certificate Format. This is a widely accepted binary format for certificates and public key information, and should be supported by any application / operating system that knows about SSL/TLS or S/MIME.

I've worked with commercial-off-the-shelf CA software that can be hosted on any of Windows, Linux, HPUX, Solaris, etc and happily handles cert requests from any of the above + Mac, Android, iOS. As long as they all use the same network protocols and certificate formats, it shouldn't matter.

  • Hey Mike, I might not be understanding you correctly, but will try to answer your questions: Internal CA would be set up using ADCS in a two-tier hierarchy, no other software, i.e. OpenSSL; the clients that it will be used on: Outlook 2013, Outlook for Mac 2011; I would prefer S/MIME format. –  Dec 08 '15 at 16:14
  • If you have no experience in ADCS, what value does your response provide to the original question? – Crypt32 Dec 08 '15 at 20:24
  • Because I posted my answer before the OP said which CA he was using. See edit history. – Mike Ounsworth Dec 08 '15 at 20:32
  • It seems silly to delete an answer to the general question just because the OP narrowed the scope. – Mike Ounsworth Dec 08 '15 at 20:34
  • Also, this answer was migrated from Security.SE where we try to avoid giving answers that only apply to a specific piece of software. I understand that post-migration, my answer may not match Server Fault's norms. Shrug. – Mike Ounsworth Dec 08 '15 at 20:38
  • I'm not very familiar with SF's norms either. But when I ask "Is ADCS compatible with XYZ", the answer like "I'm not familiar with ADCS, but OpenSSL does" wouldn't help me. But this is offtopic. We always can discuss this elsewhere where it is appropriate. – Crypt32 Dec 08 '15 at 20:43
  • The original question did not mention ADCS at all. If it had, I wouldn't have bothered to answer it. But like I said, seems silly to delete an answer just because the question changed. – Mike Ounsworth Dec 08 '15 at 20:56