Deploying in-house ACME server for Microsoft ADCS?
I'm quite new to ACME, but already somewhat experienced with ADCS (Active Directory Certificate Services).
We use ADCS for all our internal needs: client auth, VPN, EFS etc., also for issuing TLS certificates.
Now, you may have already heard that Apple will no longer honor certificates with >1 year lifetime starting September 1st; this will put some strain on our limited webmaster resources (and to add insult to injury, every department has their own webmasters). I figured that maybe the easy way out is to implement in-house ACME using ADCS, but after some googling I have to admit I haven't found a solution that does it. Is it my poor googling skills, or there's just no such software?
Microsoft ADCS does not support ACME nateively and I'm not aware of any 3rd party connector that integrates ACME with ADCS.
Microsoft ADCS supports Enrollment Web Services that use SOAP WS-* transport and is defined in two protocol specifications: [MS-XCEP] and [MS-WSTEP].
In internal environments and external (workgroups when using enrollment web services) envrionments, it is possible to use certificate autoenrollment functionality that performs initial certificate provisioning and automatic certificate renewal. I wrote a technical whitepaper about how certificate autoenrollment works: Certificate Autoenrollment in Windows Server 2016. The blog post contains a link to a downloadable copy of the document.
There is, as far as I know, any good way to directly get a certificate from an internal Microsoft certificate authority via ACME.
But what you could do is run your own ACME server to issue certificates. It's signing certificate could be signed by your root certificate. So all your clients will trust certs it issues. There are a few ACME servers to choose from.
Apple will no longer honor certificates with >1 year lifetime starting September 1st
While this is true, it only applies to certs issued via the set of publicly trusted root CAs that come with the OS. Your internal CA can continue issuing multi-year certs without any problems. Here's a support article direct from Apple about it.
If you're still looking for an ACME server that can interface with ADCS, here's a project on Github that is supposed to be able to do it. But I haven't played with it, so I don't know how complete it is.
https://github.com/glatzert/ACME-Server-ACDS
Grant's answer about standing up a standalone ACME compatible CA that is a sub-CA of your internal root would also work and might actually be easier depending on your environment.