cisco / libest

EST for Active Directory #118

Open Fassino opened 1 year ago

Fassino commented 1 year ago

Hi All, this is not a bug. Just a question.

Currently, Microsoft Active Directory only supports SCEP. Does anyone know if there is a way to use EST with ADCS?

Thanks

rpb5bnc commented 1 year ago

In the past the way we interacted with MS CS was to terminate EST with an EST server function at a Registration Authority.  At the RA we would use RADIUS to get the request authenticated with what I believe was MS AD, and once the EST client node was authenticated we interacted with MS CS through its web interface using cURL to perform the actual enrollment.

Hope this helps, Pete

On 2/15/23 7:39 AM, Jean-Philippe Fassino wrote:

Fassino commented 1 year ago

Thanks, it helps! Having an RA providing EST and using the CA of AD is probably a good solution. Does anyone know a solution (source code, ...) for this? Thanks

rpb5bnc commented 1 year ago

Unfortunately, in this case our RA was not something that was made open source.  We started with a popular HTTP server and hooked in libest running in server mode very early in the processing of incoming requests.  This leveraged the efficient task scheduler of the HTTP server but disabled its HTTPS processing and instead logic was added to the server to forward the incoming requests to both AD and CS as mentioned.

On 2/16/23 6:01 AM, Jean-Philippe Fassino wrote:

Fassino commented 1 year ago

If I understood correctly, you mention a commercial solution which is not open source. That may fit our industrial need. Could you send me a link where I can get more information?

rpb5bnc commented 1 year ago

Actually, the internally developed Registration Authority was derived from an open source HTTP server (NGINX) which was modified to process incoming EST requests and forward them to upstream CAs such as MS CA and Dogtag.

On 2/20/23 10:39 AM, Jean-Philippe Fassino wrote: