EST for Active Directory #118
In the past the way we interacted with MS CS was to terminate EST with
an EST server function at a Registration Authority. At the RA we would
use RADIUS to get the request authenticated with what I believe was MS
AD, and once the EST client node was authenticated we interacted with MS
CS through its web interface using cURL to perform the actual enrollment.
Hope this helps,
Pete
…On 2/15/23 7:39 AM, Jean-Philippe Fassino wrote:
Hi All, this is not a bug. Just a question.
Currently, Microsoft Active Directory only supports SCEP. Does anyone
know if there is a way to use EST with ADCS?
Thanks
Thanks it helps!
Unfortunately, in this case our RA was not something that was made open
source. We started with a popular HTTP server and hooked in libest
running in server mode very early in the processing of incoming
requests. This leveraged the efficient task scheduler of the HTTP
server but disabled its HTTPS processing and instead logic was added to
the server to forward the incoming requests to both AD and CS as mentioned.
…On 2/16/23 6:01 AM, Jean-Philippe Fassino wrote:
Thanks it helps!
Having a RA providing EST and using the CA of AD is probably a good
solution.
Does anyone know a solution (code source, ...) for this?
Thanks
If I understood correctly, you mention a commercial solution which is not open source. That may fit our industrial need.
Actually, the internally developed Registration Authority was derived
from an open source HTTP server (NGINX) which was modified to process
incoming EST requests and forward them to upstream CAs such as MS CA and
Dogtag.
…On 2/20/23 10:39 AM, Jean-Philippe Fassino wrote:
If I understood correctly, you mention a commercial solution which is
not open source. That may fit our industrial need.
Could you send me a link where I can get more information?
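
The request-translation step an RA like the one described in this thread has to perform between the EST client and the MS CA web interface, as an added example that is not from the thread or from libest. It assumes the AD CS web enrollment form fields (`Mode`, `CertRequest`, `CertAttrib`); the function names, `MAX_CSR_DER` and the template name used with it are hypothetical, and the sample body is a constructed stand-in rather than a real CSR.

```python
import base64
import binascii
from urllib.parse import urlencode

MAX_CSR_DER = 8192  # hypothetical RA policy limit, not from the thread

def est_body_to_der(body: bytes) -> bytes:
    """Decode an EST /simpleenroll body (base64 PKCS#10, RFC 7030 4.2.1)."""
    compact = b"".join(body.split())  # clients may line-wrap the base64
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError("body is not valid base64") from exc
    if not 2 <= len(der) <= MAX_CSR_DER or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE of acceptable size")
    if der[1] < 0x80:  # short-form length
        total = 2 + der[1]
    else:  # long form: low 7 bits give the number of length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 2 or len(der) < 2 + n:
            raise ValueError("unsupported DER length encoding")
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if total != len(der):  # reject truncated input and trailing bytes
        raise ValueError("DER length does not match body")
    return der

def der_to_pem(der: bytes) -> str:
    """Wrap DER in the PEM armour a web enrollment form expects."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")

def certsrv_form(est_body: bytes, template: str) -> str:
    """Form body for the upstream POST; the RA, not the client, picks the template."""
    if not (template.isascii() and template.isalnum()):
        raise ValueError("template name must be ASCII alphanumeric")
    # Field names are an assumption about the AD CS web enrollment page.
    return urlencode({
        "Mode": "newreq",
        "CertRequest": der_to_pem(est_body_to_der(est_body)),
        "CertAttrib": "CertificateTemplate:" + template,
        "TargetStoreFlags": "0",
        "SaveCert": "yes",
    })

# Constructed stand-in: a tiny DER SEQUENCE, not a real CSR.
SAMPLE_BODY = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x00]))
```

The framing check only rejects malformed or padded bodies; an RA would still parse the PKCS#10 and verify its signature with a crypto library before forwarding it upstream.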
Hi All, this is not a bug. Just a question.
Currently, Microsoft Active Directory only supports SCEP. Does anyone know if there is a way to use EST with ADCS?
Thanks