Deploying in-house ACME server for Microsoft ADCS?

ad-certificate-services

I'm quite new to ACME, but already somewhat experienced with ADCS (Active Directory Certificate Services).

We use ADCS for all our internal needs: client auth, VPN, EFS etc., also for issuing TLS certificates.

Now, you may have already heard that Apple will no longer honor certificates with >1 year lifetime starting September 1st; this will put some strain on our limited webmaster resources (and to add insult to injury, every department has their own webmasters). I figured that maybe the easy way out is to implement in-house ACME using ADCS, but after some googling I have to admit I haven't found a solution that does it. Is it my poor googling skills, or there's just no such software?


Microsoft ADCS does not support ACME nateively and I'm not aware of any 3rd party connector that integrates ACME with ADCS.

Microsoft ADCS supports Enrollment Web Services that use SOAP WS-* transport and is defined in two protocol specifications: [MS-XCEP] and [MS-WSTEP].

In internal environments and external (workgroups when using enrollment web services) envrionments, it is possible to use certificate autoenrollment functionality that performs initial certificate provisioning and automatic certificate renewal. I wrote a technical whitepaper about how certificate autoenrollment works: Certificate Autoenrollment in Windows Server 2016. The blog post contains a link to a downloadable copy of the document.


There is, as far as I know, any good way to directly get a certificate from an internal Microsoft certificate authority via ACME.

But what you could do is run your own ACME server to issue certificates. It's signing certificate could be signed by your root certificate. So all your clients will trust certs it issues. There are a few ACME servers to choose from.


Apple will no longer honor certificates with >1 year lifetime starting September 1st

While this is true, it only applies to certs issued via the set of publicly trusted root CAs that come with the OS. Your internal CA can continue issuing multi-year certs without any problems. Here's a support article direct from Apple about it.

If you're still looking for an ACME server that can interface with ADCS, here's a project on Github that is supposed to be able to do it. But I haven't played with it, so I don't know how complete it is.

https://github.com/glatzert/ACME-Server-ACDS

Grant's answer about standing up a standalone ACME compatible CA that is a sub-CA of your internal root would also work and might actually be easier depending on your environment.

Related

IPsec transport mode and MTU
Mapping FQDN to IP and Port number in HAProxy
Why does nsupdate fail with "operation canceled"?
all required agent virtual machines are not currently deployed on host 'hostname'
Adobe Reader DC automated install using PowerShell
Why is variable not being populated with data from Get-AzADServicePrinciple?
Get user home directories recursively in PowerShell
ADSync to Office365 doesn't update Exchange properties
Deploy an Azure VM of image Windows 10 Pro (with license)
Attaching iso file to Azure VM
How to change permission of my CentOS if I don't have the root password?
Amazon EC2 Instance fails continuously, 1/2 status check