john hingley
asked on
From an OEL server how to request CA certificate from Active Directory ?
Linux servers in the domain all use self-signed certificates. Recently the AD was updated to become the Certificate Authority; we have pushed out the new cert to all Windows boxes using group policy. Is there a similar way to do this for Linux?
Many thanks.
Since https://LetsEncrypt.org began providing free SSL certs years ago, most reasons for running a private CA have retired into the mists of time.
I'd use LE, so you don't have to manage downloading all your CA chain files into each client.
ASKER
Many thanks guys for the advice. I am coming into this as a complete novice :). The platform we have is accessed via two-factor authentication, upon which any access rights have been pre-determined (RBAC). External pen-testing sees the self-signed certificate as a major issue. Can anyone advise the correct syntax to employ the Active Directory server to be the Certificate Authority? This will (hopefully) satisfy the perceived vulnerabilities.
Use something like Chef, Puppet or Ansible to perform the orchestration.
> can anyone advise the correct syntax to employ the Active Directory server to be the Certificate Authority
You have to install a Microsoft Certificate Services role on a Windows Server to deploy your own certificates.
There you can add services including NDES.
It is its own server role, but should not be installed on a domain controller due to security issues...
ASKER
Many thanks David.
At least this service is often used to enroll certificates for IOs devices and other hardware...
But the other side has to support such a functionality...
Now you need a Linux expert who can explain to you how Linux can request Microsoft PKI certificates.
Maybe this article helps you; at least it also points to the Network Device Enrollment Service (NDES):
https://blogs.technet.microsoft.com/jeffbutte/2016/12/16/236/
Just a hint: the NDES service had a bug in the past with .NET Framework 4.
Putting NDES on a machine with only .NET Framework 2 solved the problem.
Not sure if this issue has been solved in the meantime.
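The thread leaves two practical steps unshown: how a Linux box trusts the new AD CS root the way the Windows boxes now do via group policy, and what a Linux host actually hands to the Microsoft PKI when it wants its own certificate. The script below is an added example written for this page; it is not code from any of the posts, from Microsoft or from Oracle. It assumes an OEL/RHEL-style host (trust anchors under /etc/pki/ca-trust/source/anchors/, refreshed with update-ca-trust), uses a placeholder hostname (oel01.example.internal), and builds a stand-in "AD root CA" locally with openssl purely so the example runs offline; in production the real CA certificate comes from the AD CS server and the CSR is submitted to it (web enrollment at /certsrv, or a SCEP client such as sscep or certmonger's getcert against NDES).

```shell
#!/bin/sh
# Added example for this thread (not from the posts, Microsoft or Oracle).
# Prepares a certificate request on a Linux host for submission to AD CS and
# installs the AD CS root certificate into the system trust store.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOSTNAME_FQDN="${HOSTNAME_FQDN:-oel01.example.internal}"   # placeholder hostname

# 1. Generate a private key and a CSR. Only the CSR leaves the box: submit it to
#    AD CS (certsrv web enrollment, certreq.exe on a domain-joined box, or a
#    SCEP client against NDES). The key stays here, readable by root only.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/$HOSTNAME_FQDN.key" \
        -out "$WORKDIR/$HOSTNAME_FQDN.csr" \
        -subj "/CN=$HOSTNAME_FQDN" \
        -addext "subjectAltName=DNS:$HOSTNAME_FQDN" >/dev/null 2>&1
    chmod 600 "$WORKDIR/$HOSTNAME_FQDN.key"
    echo "$WORKDIR/$HOSTNAME_FQDN.csr"
}

# 2. Sanity-check a CSR before submitting it: the subject and SAN must name the
#    host (browsers ignore CN and require a SAN), and the request must verify
#    against its own key.
csr_subject() {
    openssl req -in "$1" -noout -subject | sed 's/^subject=//'
}
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}
csr_verifies() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# 3. Install the AD CS root (or issuing) CA certificate so this host trusts
#    certificates it issues. AD CS usually exports DER (.cer), while the Linux
#    trust store expects PEM, so normalise the format before dropping it in.
#    On OEL/RHEL the anchor dir is /etc/pki/ca-trust/source/anchors and the
#    refresh command is `update-ca-trust extract`; Debian/Ubuntu use
#    /usr/local/share/ca-certificates and `update-ca-certificates`.
install_ca_anchor() {
    src="$1"
    anchor_dir="${2:-/etc/pki/ca-trust/source/anchors}"
    dst="$anchor_dir/ad-root-ca.pem"
    if openssl x509 -inform pem -in "$src" -noout >/dev/null 2>&1; then
        openssl x509 -inform pem -in "$src" -out "$dst"
    else
        openssl x509 -inform der -in "$src" -out "$dst"
    fi
    grep -q 'BEGIN CERTIFICATE' "$dst"
    # Only refresh the system store when writing to the real anchor directory
    # (needs root); a custom directory is used for dry runs and tests.
    if [ "$anchor_dir" = /etc/pki/ca-trust/source/anchors ]; then
        update-ca-trust extract
    fi
    echo "$dst"
}

# Constructed stand-in for the AD CS root CA, generated locally so this example
# runs offline. In production, export the real one on a domain-joined Windows
# box (e.g. `certutil -ca.cert ca.cer`) or download it from the CA's /certsrv.
make_stub_ca_der() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Stub AD Root CA" \
        -keyout "$WORKDIR/stub-ca.key" -out "$WORKDIR/stub-ca.pem" >/dev/null 2>&1
    openssl x509 -in "$WORKDIR/stub-ca.pem" -outform der -out "$WORKDIR/stub-ca.cer"
    echo "$WORKDIR/stub-ca.cer"
}
```

Run it as root with the default anchor directory to install a real exported root; the test-style dry run (a temporary anchor directory) only exercises the DER-to-PEM normalisation. Pushing the anchor to every Linux host is where Chef, Puppet or Ansible come in, as suggested earlier in the thread: the same `install_ca_anchor` steps become a file copy plus a handler that runs update-ca-trust.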