How do I request a certificate from CEP / CES on a Microsoft CA on OSX or Linux?

ADCS Enrollment Web Services utilize two communication protocols: [MS-XCEP] and [MS-WSTEP] (a Microsoft implementation of the [WS-TRUST] protocol).

CEP (implements [MS-XCEP]) is an enrollment policy service that is used to:

  1. provide the certificate templates available to the client for enrollment.
  2. provide Certificate Enrollment Service (CES) URIs.

CES (implements [MS-WSTEP]) is an enrollment service that is used to:

  1. submit certificate requests
  2. retrieve issued certificates
  3. provide an Enrollment On Behalf Of (EOBO) functionality

Related protocol specifications may apply ([MS-ADTS] and [MS-CERTD], for instance).

I'm not aware of any compatible client for Linux OS; however, there is a compatible module for Apple MacOS and iOS: http://www.zevainc.com/index.php/productsandtools/licensed-products/item/91-certdeploy


How would I request a certificate from AD CS on OSX/Linux?

If you don't need to automate this, then simply go with "Active Directory Certificate Services Web Enrollment". It's a simple little web app that (amongst other things) allows you to paste in arbitrary CSRs. It doesn't care whether they originate from a Windows OS.

A Windows admin will then have to approve or deny that CSR manually and then find a way to give you that newly created cert. So that's for low-volume throughput only.

Basic clicks listed here: http://www.whitneytechnologies.com/?p=218
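For the Web Enrollment route, the only thing the non-Windows side has to produce is a PEM-encoded CSR to paste into the form. The script below is an added example, not part of the answer above: it generates a key and a CSR with openssl, putting the hostname in both the CN and a DNS subject alternative name (most templates look at the SAN), and verifies the CSR's self-signature before anything is submitted, so a bad key or a mangled file is caught on the client rather than after the admin has approved it. The hostname and file paths are constructed placeholders; openssl 1.1.1 or later is assumed for the -addext option.

```shell
#!/bin/sh
# Added example: build and sanity-check a CSR for AD CS Web Enrollment.
# Assumes openssl 1.1.1+ (for -addext). Host and paths are placeholders.
set -eu

# make_csr HOST KEYFILE CSRFILE
# Generates a 2048-bit RSA key (created with mode 0600 via umask) and a CSR
# whose CN and DNS SAN both carry HOST.
make_csr() {
    host=$1; keyfile=$2; csrfile=$3
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$keyfile" -out "$csrfile" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host"
}

# csr_ok CSRFILE: returns 0 if the CSR parses and its signature verifies,
# i.e. the private key on disk really is the one that signed the request.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_cn CSRFILE: prints the CN from the CSR subject, for a last look
# before pasting it into the enrollment page.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# csr_has_san CSRFILE HOST: returns 0 if a DNS SAN for HOST is requested
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage on a real host (constructed values):
#   make_csr web01.example.test /etc/pki/tls/private/web01.key /tmp/web01.csr
#   csr_ok /tmp/web01.csr && cat /tmp/web01.csr   # paste this into the form
```

The CSR never contains the private key, so the PEM block is safe to paste into the web form; the key file stays on the requesting host and is what the issued certificate will later be paired with.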



CEP and CES are services for manual and automated certificate enrollment on Windows systems.

On Linux or similar systems the AD CS role NDES (Network Device Enrollment Service) is used.

This article should give you a good overview of the service: https://blogs.technet.microsoft.com/jeffbutte/2016/12/16/236/


I realize this is a bit old, but there is a solution now, using certmonger + cepces. If you want to auto-enroll, you can configure Group Policy in Samba with Certificate Auto Enrollment (only available in Samba 4.15+).

For a simple setup, you would install certmonger and cepces, then modify /etc/cepces/cepces.conf for your environment. For a typical configuration, you'll just need to set the server parameter to the DNS name of your Windows CA.

The RPM spec is supposed to run a script that adds the CA to certmonger. If not, then add it with getcert add-ca -c cepces -e /usr/libexec/certmonger/cepces-submit.

Then you can request your certificate, for example:

# getcert request -c cepces -T Machine -I MachineCertificate -k /etc/pki/tls/private/machine.key -f /etc/pki/tls/certs/machine.crt
New signing request "MachineCertificate" added.
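The steps in the answer above (set the server in cepces.conf, make sure the cepces CA is registered with certmonger, submit the request) are easy to get half-done, and getcert request returns as soon as the request is queued, not when the certificate is issued. The following is an added example and not code from the certmonger or cepces projects: a small wrapper that makes the config edit idempotent, checks getcert list-cas before calling add-ca, and polls getcert list until certmonger reports MONITORING (issued) or a terminal error. It assumes cepces.conf is INI-style with a [global] section holding the server key, and that the status field of getcert list reads exactly as in the constructed samples in the comments; the CA hostname is a placeholder.

```shell
#!/bin/sh
# Added example wrapper around certmonger + cepces enrollment on Linux.
# Assumptions: cepces.conf has an INI [global] section with "server = ...";
# "getcert list-cas" prints lines like "CA 'cepces':" and "getcert list"
# prints an indented "status: MONITORING" line. ca01.example.test is a placeholder.
set -eu

CEPCES_CONF=${CEPCES_CONF:-/etc/cepces/cepces.conf}
CEPCES_HELPER=/usr/libexec/certmonger/cepces-submit

# set_cepces_server CONF SERVER: rewrite (or add) the single server= line in
# [global] without touching other settings, so re-running is harmless.
set_cepces_server() {
    conf=$1; server=$2
    if [ -f "$conf" ] && grep -q '^server *=' "$conf"; then
        sed "s|^server *=.*|server = $server|" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    elif [ -f "$conf" ] && grep -q '^\[global\]' "$conf"; then
        awk -v s="$server" '{ print } /^\[global\]/ && !done { print "server = " s; done=1 }' \
            "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf '[global]\nserver = %s\n' "$server" >> "$conf"
    fi
}

# cepces_server CONF: print the configured server (empty if unset)
cepces_server() {
    sed -n 's/^server *= *//p' "$1" | head -n 1
}

# ca_registered LIST_CAS_OUTPUT NAME: 0 if the getcert list-cas output names NAME
ca_registered() {
    printf '%s\n' "$1" | grep -q "^CA '$2':"
}

# request_status LIST_OUTPUT: extract the status field from "getcert list -i ID"
request_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*status: *//p' | head -n 1
}

# enroll SERVER TEMPLATE ID KEYFILE CERTFILE: the end-to-end procedure on a
# real host (needs getcert, cepces and a Kerberos ticket for the machine).
enroll() {
    server=$1; template=$2; id=$3; key=$4; cert=$5
    set_cepces_server "$CEPCES_CONF" "$server"
    if ! ca_registered "$(getcert list-cas)" cepces; then
        getcert add-ca -c cepces -e "$CEPCES_HELPER"
    fi
    getcert request -c cepces -T "$template" -I "$id" -k "$key" -f "$cert"
    # certmonger works asynchronously: poll until issued, rejected or timed out
    i=0
    while [ "$i" -lt 30 ]; do
        st=$(request_status "$(getcert list -i "$id")")
        case $st in
            MONITORING) echo "issued: $cert"; return 0 ;;
            CA_REJECTED|CA_UNREACHABLE) echo "enrollment failed: $st" >&2; return 1 ;;
        esac
        sleep 2; i=$((i + 1))
    done
    echo "timed out; inspect with: getcert list -i $id" >&2
    return 1
}

# Usage (constructed values):
#   enroll ca01.example.test Machine MachineCertificate \
#       /etc/pki/tls/private/machine.key /etc/pki/tls/certs/machine.crt
```

Polling the status matters for unattended use: a request that lands in CA_REJECTED (template not permitted for the computer account, for instance) looks identical to a successful one if you only check the exit code of getcert request.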