From an OEL server, how to request a CA certificate from Active Directory?

Linux servers in the domain all use self-signed certificates. Recently the AD was updated to become the Certificate Authority; I have pushed out the new cert to all Windows boxes using group policy. Is there a similar way to do this for Linux?
Many thanks.
john hingley Asked:

Bembi (CEO) Commented:
I'm not a Linux expert, but it may work with the Network Device Enrollment Service, which is part of the Microsoft PKI.
At least this service is often used to enroll certificates for iOS devices and other hardware...
But the other side has to support such functionality...


Now you need a Linux expert who can explain to you how Linux can request Microsoft PKI certificates.
Maybe this article helps you; at least it also points to the Network Device Enrollment Service (NDES):
https://blogs.technet.microsoft.com/jeffbutte/2016/12/16/236/

Just a hint: the NDES service had a bug in the past with .NET Framework 4.
Putting NDES on a machine with only .NET Framework 2 solved the problem.
Not sure if this issue is solved in the meantime.
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Since https://LetsEncrypt.org began providing free SSL certs years ago, most reasons for running a private CA have retired into the mists of time.

I'd use LE, so you don't have to manage downloading all your CA chain files into each client.
john hingley (Author) Commented:
Many thanks guys for the advice. I am coming into this as a complete novice :). The platform we have is accessed via 2-factor authentication, upon which any access rights have been pre-determined (RBAC). External pen-testing sees the self-signed certificate as a major issue. Can anyone advise the correct syntax to employ the Active Directory server to be the Certificate Authority? This will (hopefully) satisfy the perceived vulnerabilities.
Dmitri Farafontov (Linux Systems Admin) Commented:
Use something like Chef, Puppet or Ansible to perform the orchestration.
Bembi (CEO) Commented:
> can anyone advise the correct syntax to employ the Active Directory server to be the Certificate Authority
You have to install a Microsoft Certificate Services role on a Windows Server to deploy your own certificates.
There you can add services including NDES.

It is its own server role, but should not be installed on a domain controller due to security issues...
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Since you mention you're a novice, likely you've never had to deal with Private CA problems.

When you run a Private CA, this means the issuer chain is bogus/fake + completely unknown to all applications.

Let's take a simple application like 200 people using Chrome.

When Chrome attempts to access some service covered by your private/fake CA, then Chrome will say the site being accessed is suspicious.

This means you have to either deploy your Private CA chain to every machine + every application using SSL or each application will repeatedly throw this message.

When you run a Private CA, you're looking at a part time or full time job, depending on number of seats in your organization.

Best to just use https://LetsEncrypt.org as all Apps have contained the LE issuer chain for years now.

If you have unlimited free time, then run a Private CA.

If your time is already allocated, use LE.
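The group-policy equivalent for Linux that Dmitri and David describe (pushing the AD root CA chain to every machine) can be done with an Ansible playbook like the one below. This is an added example, not code from the thread; it assumes the OEL hosts are in an inventory group `linux_servers`, that the CA certificate was exported from the Windows CA as PEM into `files/corp-root-ca.pem` beside the playbook, and that `expected_sha256` is replaced with the real SHA-256 of that exported file, taken on the CA host rather than from the copy being shipped.

```yaml
# Added example (not from the thread): install the AD root CA as a system
# trust anchor on OEL/RHEL-family hosts. Names below are assumptions:
#   linux_servers          inventory group of the OEL machines
#   files/corp-root-ca.pem the CA cert exported from the Windows CA as PEM
#   expected_sha256        placeholder, pin it to the real file hash
- name: Distribute the Active Directory root CA to Linux hosts
  hosts: linux_servers
  become: true
  vars:
    ca_pem_src: "{{ playbook_dir }}/files/corp-root-ca.pem"
    ca_pem_dest: /etc/pki/ca-trust/source/anchors/corp-root-ca.pem
    expected_sha256: "REPLACE_WITH_SHA256_OF_EXPORTED_PEM"   # placeholder
  tasks:
    - name: Hash the exported CA file on the controller before shipping it
      ansible.builtin.stat:
        path: "{{ ca_pem_src }}"
        checksum_algorithm: sha256
      delegate_to: localhost
      become: false
      run_once: true
      register: ca_src

    - name: Refuse to distribute a file that does not match the pinned hash
      ansible.builtin.assert:
        that:
          - ca_src.stat.exists
          - ca_src.stat.checksum == expected_sha256
        fail_msg: "CA file is missing or its SHA-256 does not match the pinned value"
      run_once: true

    - name: Install the CA certificate into the anchors directory
      ansible.builtin.copy:
        src: "{{ ca_pem_src }}"
        dest: "{{ ca_pem_dest }}"
        owner: root
        group: root
        mode: "0644"
      notify: Rebuild CA trust

    - name: Confirm OpenSSL parses the file as a CA certificate
      ansible.builtin.command:
        argv: [openssl, x509, -in, "{{ ca_pem_dest }}", -noout, -text]
      register: ca_text
      changed_when: false
      failed_when: "'CA:TRUE' not in ca_text.stdout"

  handlers:
    - name: Rebuild CA trust
      ansible.builtin.command: update-ca-trust extract
```

This only distributes the trust anchor; the per-server certificates that replace the self-signed ones still have to be issued by the AD CA (for example through NDES, as Bembi mentions) and installed in each service separately.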

john hingley (Author) Commented:
Many thanks David.