OpenSSL and Windows Active Directory

QUESTION :

I work at a company that is considering using Windows Active Directory and Certificate Authority. However, there are some issues that we have been reading about, and have some concerns. So we are considering using OpenSSL to generate the certificates, then distributing them using Active Directory. We would like to automate the process as much as possible. This is how we want it to work:

  1. We add a user to our domain.
  2. Active Directory sees that there is a new user (or computer) added.
  3. Active Directory then sends a request to OpenSSL to create a cert, passing along the first name and last name of the user. This is what we currently use to create the files needed so we can locate them easily.
  4. OpenSSL generates the certs.
  5. OpenSSL places them in a directory and returns the keys back to Active Directory.
  6. Active Directory then installs the certs on the computer.

So all we would have to do is create the user.
My question is, put simply: Is this at all possible, and how would we go about doing it?

ANSWER :

Anything is possible (well, most things are possible). Whether it should be done is a different question.

Why bother with OpenSSL when there are more appropriate tools for the job? OpenSSL is a tool for testing and experimenting with X.509 certificates and is not meant to be used as a real CA. The man page even states this:

The ca utility was originally meant as an example of how to do things in a CA. It was not supposed to be used as a full blown CA itself

With the above in mind, simply install Active Directory Certificate Services (ADCS) on a couple of Windows servers. Install an off-line Root CA and use that to issue a certificate to an on-line Enterprise issuing CA. Install the latter on a server dedicated to the role – don’t share – so that you can strictly control access.

The issuing CA can be configured to issue certificates to any computer or user within the AD forest. It will even automatically renew certificates if you tell it to do so. This will be much easier than your scheme and will also be more secure as it’s specifically written for the purpose, and will log events as well as enforce multi-user operation if you ask it to.

There are plenty of resources on installing ADCS on the Internet. Some are dubious at the very least, while others are excellent. Try to keep to reputable sites, such as Microsoft’s own and you shouldn’t go too wrong.
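As an added illustration of the hierarchy the answer recommends (this is not the answerer's code and not from Microsoft's documentation), the PowerShell below builds an offline standalone root CA, an online enterprise issuing CA signed by it, turns on CA auditing, and then checks from a domain client whether autoenrollment policy has reached it. CA names, export paths, host names and validity periods are assumed placeholders; the meaning of the AEPolicy flag bit is stated as an assumption in the comments and should be verified against your own GPO settings.

```powershell
# Added example, not part of the original answer.
# Two-tier ADCS: offline standalone root -> online enterprise issuing CA.
# All names/paths below ('Example Root CA', C:\Export, ROOTHOST) are assumed.

# ---- Step 1: on the OFFLINE root (workgroup machine, never domain-joined) ----
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Example Root CA' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# Export the root certificate and a fresh CRL to carry to the domain.
New-Item -ItemType Directory -Path 'C:\Export' -Force | Out-Null
certutil -ca.cert 'C:\Export\rootca.cer'
certutil -crl
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' 'C:\Export\'

# ---- Step 2: on a domain-joined member, as an Enterprise Admin ----
# Publish the root into AD so every forest member trusts it (and its CRL).
certutil -dspublish -f 'C:\Export\rootca.cer' RootCA
certutil -dspublish -f 'C:\Export\Example Root CA.crl'

# ---- Step 3: on the dedicated ONLINE issuing CA server ----
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'Example Issuing CA' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -OutputCertRequestFile 'C:\Export\issuingca.req' `
    -Force
# Carry issuingca.req to the offline root and issue it there:
#   certreq -submit -config "ROOTHOST\Example Root CA" C:\Export\issuingca.req
#   certutil -resubmit <RequestId>          # standalone CAs hold requests pending
#   certreq -retrieve <RequestId> C:\Export\issuingca.cer
# Then back on the issuing CA, install the signed certificate and start the service:
certutil -installcert 'C:\Export\issuingca.cer'
Start-Service certsvc

# The answer mentions logging: enable full CA auditing so issuance,
# revocation and configuration changes land in the Security event log.
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
Restart-Service certsvc

# ---- Step 4: on any domain client, verify autoenrollment policy applied ----
function Get-AutoEnrollmentState {
    # Written by the "Certificate Services Client - Auto-Enrollment" GPO.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $v) { return 'not configured by policy' }
    # Assumption: bit 0x8000 is the "disabled" flag; verify against your GPO.
    if ($v -band 0x8000) { return 'disabled by policy' }
    return "enabled (AEPolicy=$v)"
}
Get-AutoEnrollmentState

# Trigger an autoenrollment pass and list what the assumed issuing CA handed out.
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*Example Issuing CA*' } |
    Select-Object Subject, NotAfter, Thumbprint
```

Keep the root's private key off the network entirely: the only things that leave the offline machine are its certificate, its CRL, and the signed issuing-CA certificate, and the only thing that goes in is the issuing CA's request file.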
