Microsoft's Certificate Enrollment Web Service offers an easy way to obtain X.509 certificates from Active Directory Certificate Services. We introduce the protocols and investigate how to use the certmonger tool to issue certificates for Linux systems.
The Certificate Enrollment Web Service was introduced in Windows Server 2008 R2 to modernize certificate requests and make them more flexible. Traditional enrollment uses the Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) protocols, which require a direct connection to internal network ports and membership in the domain. The Certificate Enrollment Policy (CEP) web service and the Certificate Enrollment Web Service (CES), by contrast, are implemented as Simple Object Access Protocol (SOAP) web services and accept certificate requests over an HTTPS interface, which makes it much easier to integrate systems that are not members of the Active Directory (AD) domain or that reside on remote networks.
Two Central Services
The CEP web service is based on the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) [1] and provides clients with information about the available certificate templates and certification authorities. The service delivers this information over an HTTPS interface. Clients authenticate with Kerberos (Windows integrated authentication), with a username and password, or with a client certificate. The policy response also lists, for each certification authority, the CES URL(s) to which requests can be submitted and the authentication method each of these URLs expects.
The CES web service, in contrast, is based on the WS-Trust X.509v3 Token Enrollment Extensions (MS-WSTEP) [2], a Microsoft-specific extension of the OASIS WS-Trust [3] standard. It handles the actual certificate request by forwarding certificate signing requests (CSRs) to the certification authority (CA) and returning the issued certificate. As with CEP, communication takes place over HTTPS, and the same three authentication methods are available; each CES endpoint serves one CA with one authentication method, so a client must pick the CES URL that matches the method it intends to use.
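To make the CES exchange concrete, the following Python script builds the WS-Trust RequestSecurityToken envelope that carries a PKCS#10 CSR to a CES endpoint and parses the RequestSecurityTokenResponse that comes back. This is an added example, not code from the article and not part of certmonger. The SOAP 1.2, WS-Addressing, WS-Trust 1.3 and WS-Security namespaces are the standard ones; the Microsoft-specific Action and ValueType URIs are written down as the author recalls them from MS-WSTEP and should be verified against the specification, as should any further elements the spec requires in the request. The endpoint URL, the CSR bytes and the response message are constructed sample data; no network call is made.

```python
"""Build an MS-WSTEP (CES) RequestSecurityToken and parse the response (stdlib only)."""
import base64
import uuid
import xml.etree.ElementTree as ET

NS_SOAP = "http://www.w3.org/2003/05/soap-envelope"        # SOAP 1.2
NS_WSA = "http://www.w3.org/2005/08/addressing"            # WS-Addressing
NS_WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3
NS_WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NS_ENROLL = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment"  # MS-WSTEP

ACTION_WSTEP = NS_ENROLL + "/RST/wstep"        # assumed from MS-WSTEP; verify against the spec
VALUETYPE_PKCS10 = NS_ENROLL + "#PKCS10"       # assumed from MS-WSTEP; verify against the spec
REQUEST_TYPE_ISSUE = NS_WST + "/Issue"         # standard WS-Trust Issue binding
ENCODING_BASE64 = NS_WSSE + "#base64binary"    # standard WS-Security encoding URI

for _prefix, _uri in (("s", NS_SOAP), ("a", NS_WSA), ("wst", NS_WST), ("wsse", NS_WSSE)):
    ET.register_namespace(_prefix, _uri)


def build_rst(endpoint: str, csr_der: bytes) -> bytes:
    """Return the SOAP envelope that submits a DER-encoded PKCS#10 CSR to CES."""
    env = ET.Element(f"{{{NS_SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{NS_SOAP}}}Header")
    action = ET.SubElement(hdr, f"{{{NS_WSA}}}Action", {f"{{{NS_SOAP}}}mustUnderstand": "1"})
    action.text = ACTION_WSTEP
    ET.SubElement(hdr, f"{{{NS_WSA}}}MessageID").text = "urn:uuid:" + str(uuid.uuid4())
    to = ET.SubElement(hdr, f"{{{NS_WSA}}}To", {f"{{{NS_SOAP}}}mustUnderstand": "1"})
    to.text = endpoint
    body = ET.SubElement(env, f"{{{NS_SOAP}}}Body")
    rst = ET.SubElement(body, f"{{{NS_WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{NS_WST}}}RequestType").text = REQUEST_TYPE_ISSUE
    # The CSR travels as a base64 BinarySecurityToken typed as PKCS#10.
    bst = ET.SubElement(rst, f"{{{NS_WSSE}}}BinarySecurityToken",
                        {"ValueType": VALUETYPE_PKCS10, "EncodingType": ENCODING_BASE64})
    bst.text = base64.b64encode(csr_der).decode("ascii")
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def extract_csr(envelope: bytes) -> bytes:
    """Read the PKCS#10 bytes back out of an envelope produced by build_rst()."""
    bst = ET.fromstring(envelope).find(f".//{{{NS_WSSE}}}BinarySecurityToken")
    if bst is None or bst.get("ValueType") != VALUETYPE_PKCS10:
        raise ValueError("envelope carries no PKCS#10 token")
    return base64.b64decode(bst.text.strip(), validate=True)


def parse_rstr(reply: bytes) -> dict:
    """Extract disposition, request ID and issued token from a CES reply.

    Raises ValueError on a SOAP Fault or a reply without a token, so a caller
    never mistakes an error response for an issued certificate.
    """
    root = ET.fromstring(reply)
    fault = root.find(f".//{{{NS_SOAP}}}Fault")
    if fault is not None:
        raise ValueError("SOAP fault from CES: " + (fault.findtext(f".//{{{NS_SOAP}}}Text") or "?"))
    rstr = root.find(f".//{{{NS_WST}}}RequestSecurityTokenResponse")
    if rstr is None:
        raise ValueError("no RequestSecurityTokenResponse in reply")
    bst = rstr.find(f".//{{{NS_WSSE}}}BinarySecurityToken")
    if bst is None or not (bst.text or "").strip():
        raise ValueError("reply carries no issued token")
    if bst.get("EncodingType") != ENCODING_BASE64:
        raise ValueError("unexpected token encoding " + str(bst.get("EncodingType")))
    return {
        "disposition": rstr.findtext(f"{{{NS_ENROLL}}}DispositionMessage"),
        "request_id": rstr.findtext(f"{{{NS_ENROLL}}}RequestID"),
        "value_type": bst.get("ValueType"),
        "token": base64.b64decode(bst.text.strip(), validate=True),
    }


# Constructed sample data: a hypothetical CES URL, placeholder DER bytes standing in
# for a real CSR / PKCS#7 blob, and a hand-written reply in the RSTR collection shape.
SAMPLE_ENDPOINT = "https://ces.example.internal/ExampleCA_CES_Kerberos/service.svc/CES"
SAMPLE_CSR = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_PKCS7 = b"\x30\x06\x02\x01\x07\x02\x01\x08"
SAMPLE_REPLY = f"""<s:Envelope xmlns:s="{NS_SOAP}" xmlns:a="{NS_WSA}">
 <s:Header><a:Action>{NS_WST}/RSTRC/IssueFinal</a:Action></s:Header>
 <s:Body><RequestSecurityTokenResponseCollection xmlns="{NS_WST}">
  <RequestSecurityTokenResponse>
   <DispositionMessage xmlns="{NS_ENROLL}">Issued</DispositionMessage>
   <RequestID xmlns="{NS_ENROLL}">4711</RequestID>
   <RequestedSecurityToken><BinarySecurityToken xmlns="{NS_WSSE}"
     ValueType="{NS_ENROLL}#PKCS7" EncodingType="{ENCODING_BASE64}"
    >{base64.b64encode(SAMPLE_PKCS7).decode()}</BinarySecurityToken></RequestedSecurityToken>
  </RequestSecurityTokenResponse>
 </RequestSecurityTokenResponseCollection></s:Body></s:Envelope>""".encode()
SAMPLE_FAULT = f"""<s:Envelope xmlns:s="{NS_SOAP}"><s:Body><s:Fault>
 <s:Code><s:Value>s:Sender</s:Value></s:Code>
 <s:Reason><s:Text xml:lang="en-US">request rejected by policy</s:Text></s:Reason>
</s:Fault></s:Body></s:Envelope>""".encode()

if __name__ == "__main__":
    print(build_rst(SAMPLE_ENDPOINT, SAMPLE_CSR).decode())
    print(parse_rstr(SAMPLE_REPLY))
```

In a real client the envelope is POSTed to the CES URL with `Content-Type: application/soap+xml` and the authentication the endpoint expects (Kerberos via SPNEGO, basic credentials, or a client certificate on the TLS connection). Note that `parse_rstr` treats a SOAP Fault and a reply without a token as hard errors rather than returning an empty result; since the reply comes from the network, use a hardened parser such as defusedxml if the CES endpoint is not fully trusted.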