john hingley

asked on

From an OEL server, how to request a CA certificate from Active Directory?

Linux servers in the domain all use self-signed certificates. Recently the AD was updated to become the Certificate Authority; we have pushed out the new cert to all Windows boxes using group policy. Is there a similar way to do this for Linux?
Many thanks.
Bembi

I'm not a Linux expert, but it may work with the Network Device Enrollment Service, which is part of the Microsoft PKI.
At least this service is often used to enroll certificates for iOS devices and other hardware...
But the other side has to support such a functionality...


Now you need a Linux expert who can explain to you how Linux can request Microsoft PKI certificates.
Maybe this article helps you; at least it also points to the Network Device Enrollment Service (NDES):
https://blogs.technet.microsoft.com/jeffbutte/2016/12/16/236/

Just a hint: the NDES service had a bug in the past with .NET Framework 4.
Putting NDES on a machine with only .NET Framework 2 solved the problem.
Not sure if this issue has been solved in the meantime.
Since https://LetsEncrypt.org began providing free SSL certs years ago, most reasons for running a private CA have retired into the mists of time.

I'd use LE, so you don't have to manage downloading all your CA chain files into each client.
john hingley

ASKER

Many thanks guys for the advice. I am coming into this as a complete novice :). The platform we have is accessed via 2-factor authentication, upon which any access rights have been pre-determined (RBACS). External pen-testing sees the self-signed certificate as a major issue. Can anyone advise the correct syntax to employ the Active Directory server as the Certificate Authority? This will (hopefully) satisfy the perceived vulnerabilities.
Use something like Chef, Puppet or Ansible to perform the orchestration.
> can anyone advise the correct syntax to employ the Active Directory server to be the Certificate Authority
You have to install a Microsoft Certificate Services role on a Windows Server to deploy your own certificates.
There you can add services including NDES.

It is its own server role, but should not be installed on a domain controller due to security issues...
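The Linux side of the Group Policy push the question asks about, as an added example that is not from anyone in this thread: an Ansible playbook (one of the tools suggested above) that fetches the CA certificate from the AD CS web enrollment endpoint, pins its fingerprint, and installs it into the OEL system trust store. It assumes the Certification Authority Web Enrollment role is installed on the CA; the host name, credentials and fingerprint are placeholders.

```yaml
# Added example, not the thread's own code. Placeholders: adcs_host, adcs_user,
# adcs_password (vaulted) and expected_fingerprint (read from the CA console).
- name: Trust the Active Directory CA on Oracle Enterprise Linux hosts
  hosts: oel_servers
  become: true
  vars:
    adcs_host: ca.example.internal            # placeholder: the AD CS server
    anchor: /etc/pki/ca-trust/source/anchors/ad-root-ca.pem
    # Pin the root's SHA-256 fingerprint so a spoofed or mis-issued CA cert
    # is never trusted blindly on a fresh host.
    expected_fingerprint: "AA:BB:CC:..."      # placeholder
  tasks:
    - name: Fetch the current CA certificate from the AD CS web enrollment endpoint
      get_url:
        # Web Enrollment serves the CA cert at this fixed URL; Enc=b64 yields PEM.
        url: "http://{{ adcs_host }}/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Enc=b64"
        dest: /tmp/ad-root-ca.pem
        mode: "0644"
        url_username: "{{ adcs_user }}"       # placeholder, vaulted
        url_password: "{{ adcs_password }}"   # placeholder, vaulted
        force_basic_auth: true                # Web Enrollment must permit Basic auth

    - name: Read the SHA-256 fingerprint of the downloaded certificate
      shell: openssl x509 -in /tmp/ad-root-ca.pem -noout -fingerprint -sha256 | cut -d= -f2
      register: fp
      changed_when: false

    - name: Refuse to install a certificate whose fingerprint does not match the pin
      assert:
        that: "fp.stdout | trim == expected_fingerprint"
        fail_msg: "CA fingerprint {{ fp.stdout }} does not match {{ expected_fingerprint }}"

    - name: Install the certificate as a system trust anchor
      copy:
        src: /tmp/ad-root-ca.pem
        dest: "{{ anchor }}"
        remote_src: true
        mode: "0644"
      notify: update ca trust

  handlers:
    # Rebuilds the consolidated bundles that OpenSSL, NSS and Java read on OEL.
    - name: update ca trust
      command: update-ca-trust extract
```

Services that load their own trust bundle instead of the system one still need the anchor referenced in their own configuration.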
ASKER CERTIFIED SOLUTION
David Favor
Many thanks David.