Photo by Sandip Roy on Unsplash

Linux Meets Windows CA

Bridges

Article from ADMIN 92/2026
Microsoft's Certificate Enrollment Web Service offers an easy way to obtain X.509 certificates from Active Directory Certificate Services. We introduce the protocols and investigate how to use the certmonger tool to issue certificates for Linux systems.

The Certificate Enrollment Web Service was introduced in Windows Server 2008 R2 to modernize certificate requests and make them more flexible. Traditional requests use the Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) protocols, which require a direct connection to internal network ports and domain membership. In contrast, both the Certificate Enrollment Policy (CEP) web service and the Certificate Enrollment Web Service (CES) are built on the Simple Object Access Protocol (SOAP) standard, which allows certificate requests to be made over an HTTPS interface. This facilitates the integration of systems that are not members of the Active Directory (AD) domain or that even reside on remote networks.

Two Central Services

The CEP web service is based on the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) [1] and provides clients with information about the available certificate templates and certification authorities. The service exposes this information over an HTTPS interface. Authentication is handled either by Kerberos with a username/password combination or by a client certificate.

In contrast, the CES web service is based on the WS-Trust X.509v3 Token Enrollment Protocol (MS-WSTEP) [2], a Microsoft-specific implementation of the OASIS WS-Trust [3] standard. It is responsible for the certificate request itself, which it handles by forwarding certificate signing requests (CSRs) to the certification authority (CA). As with CEP, communication takes place over HTTPS, and the authentication options are identical to those of the CEP protocol.

Managing Certificates with certmonger

The certmonger tool [4] helps with all the

...