Open Fassino opened 1 year ago
In the past the way we interacted with MS CS was to terminate EST with an EST server function at a Registration Authority. At the RA we would use RADIUS to get the request authenticated with what I believe was MS AD, and once the EST client node was authenticated we interacted with MS CS through its web interface using cURL to perform the actual enrollment.
Hope this helps, Pete
On 2/15/23 7:39 AM, Jean-Philippe Fassino wrote:
Hi All, this is not a bug. Just a question.
Currently, Microsoft Active Directory only supports SCEP. Does anyone know if there is a way to use EST with ADCS?
Thanks
— Reply to this email directly or view it on GitHub: https://github.com/cisco/libest/issues/118
Thanks, it helps! Having an RA providing EST and using the CA of AD is probably a good solution. Does anyone know a solution (source code, ...) for this? Thanks
Unfortunately, in this case our RA was not something that was made open source. We started with a popular HTTP server and hooked in libest running in server mode very early in the processing of incoming requests. This leveraged the efficient task scheduler of the HTTP server but disabled its HTTPS processing; instead, logic was added to the server to forward the incoming requests to both AD and CS as mentioned.
On 2/16/23 6:01 AM, Jean-Philippe Fassino wrote:
Thanks, it helps! Having an RA providing EST and using the CA of AD is probably a good solution. Does anyone know a solution (source code, ...) for this? Thanks
If I understood correctly, you mention a commercial solution which is not open source. That may fit our industrial need. Could you send me a link where I can get more information?
Actually, the internally developed Registration Authority was derived from an open source HTTP server (NGINX) which was modified to process incoming EST requests and forward them to upstream CAs such as MS CA and Dogtag.
On 2/20/23 10:39 AM, Jean-Philippe Fassino wrote:
If I understood correctly, you mention a commercial solution which is not open source. That may fit our industrial need. Could you send me a link where I can get more information?
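The RA pattern Pete describes in this thread (terminate EST at the RA, authenticate the client against AD before anything reaches the CA, then enroll through MS CS) reduced to its request-handling core, as an added example that is not code from libest or from the RA he built. The RADIUS/AD check and the MS CS enrollment call are hypothetical injected callbacks, and the CSR bytes in the comments and test are constructed; the point shown is the validation and authentication gate an RA applies before forwarding a CSR upstream.

```python
import base64
import binascii
from typing import Callable, Dict, Tuple

# Added example, not code from libest or from the RA described in the thread.
# The RADIUS/AD authenticator and the MS CS web-enrollment call are injected
# callbacks (hypothetical interfaces) so the RA logic can run offline.
Authenticator = Callable[[str, str], bool]    # (username, password) -> allowed?
UpstreamCA = Callable[[bytes], bytes]         # PKCS#10 DER -> PKCS#7 DER
Response = Tuple[int, Dict[str, str], bytes]  # status, headers, body


def der_length_ok(der: bytes) -> bool:
    """Sanity check before anything is forwarded to the CA: the body must be
    one complete DER SEQUENCE (tag 0x30) whose encoded length fits exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long form: 0x80|n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)


def handle_simpleenroll(headers: Dict[str, str], body: bytes,
                        credentials: Tuple[str, str],
                        authenticate: Authenticator,
                        enroll: UpstreamCA) -> Response:
    """RA-side handling of an EST /simpleenroll request (RFC 7030, 4.2):
    validate the request, authenticate the client, then forward the CSR."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/pkcs10":
        return 415, {}, b"unsupported media type"
    try:                                  # EST bodies are base64; tolerate line breaks
        csr_der = base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return 400, {}, b"body is not valid base64"
    if not der_length_ok(csr_der):
        return 400, {}, b"body is not a single DER SEQUENCE"
    # Authenticate before the CA sees anything; the thread's RA did this with
    # RADIUS against AD, here it is the injected callback.
    if not authenticate(*credentials):
        return 401, {"WWW-Authenticate": 'Basic realm="est"'}, b""
    pkcs7_der = enroll(csr_der)           # stands in for the cURL call to MS CS
    return 200, {"Content-Type": "application/pkcs7-mime; smime-type=certs-only",
                 "Content-Transfer-Encoding": "base64"}, base64.b64encode(pkcs7_der)
```

In a real RA the credentials would come from the TLS client certificate or HTTP Basic header of the EST request, and the upstream callback would carry the CSR to the CA's enrollment interface.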