webprofusion / certify

Professional ACME Client for Windows. Certificate Management UI, powered by Let's Encrypt and compatible with all ACME v2 CAs. Download from certifytheweb.com
https://certifytheweb.com

Windows AD CS + ACME #671

Open tdmarchetta opened 6 months ago

tdmarchetta commented 6 months ago

Hi @webprofusion-chrisc,

I would also like to request the integration of Certify the Web with the local Windows PKI. Is it feasible for Certify the Web to utilize the ACME protocol to obtain certificates from Windows AD CS?

webprofusion-chrisc commented 6 months ago

I haven't used Windows AD CS much myself but there are a couple of projects that try to provide an ACME service that you could then use:

https://github.com/glatzert/ACME-Server-ADCS (powershell)

https://github.com/grindsa/acme2certifier

From memory there were more but I can't find them on Google currently. The big commercial enterprise PKI vendors offer this sort of integration as well I believe.

Other variations on the theme include sharing your root certificate from AD CS with a different internal ACME server (so the trust stays the same but the issuing system is different): https://smallstep.com/blog/byor-adcs-to-smallstep/

Can you describe your use case in more detail? Machine identity, trusted intranet sites and client certificates??

We wouldn't rule out directly providing such integration but it's not in the pipeline currently.

tdmarchetta commented 5 months ago

So I guess in my mind, anything that does not need to be publicly available, I would use a private PKI… A lot of stuff I am able to push out via group policy if it's a Windows-based computer. However, there are a handful of services such as databases, web firewalls, Apache2 (website).