Linux Certificate Auto Enrollment With Microsoft CA
There is no free Linux “client” which provides Auto Enrollment or integrates with the Microsoft PKI like the one built into Microsoft Windows. However, there are commercial options which provide very similar abilities, one in particular which is actually easy to install, use, and won’t blowup your budget.
Many commercial and government enterprise organizations leverage Linux for critical services which often require an X.509 trusted certificate. Typically the need is for an SSL/TLS Server Authentication certificate commonly known as a web server certificate on Red Hat Enterprise Linux (RHEL), Ubuntu Server, or other Linux distribution.
The most common Public Key Infrastructure (PKI) in these same organizations is the Microsoft Enterprise Certificate Authority (CA). There are no free Linux options which provide automated integration with the Microsoft CA. This historically leaves organizations the choice of using “free” Linux tools combined with a complex manual process or purchase one of the very large and complex commercial products on the market.
There is a better solution that doesn’t have all the downsides of the “free” solution and doesn’t require substantial budget like the older monolithic commercial solutions.
Free Doesn’t Mean Low Cost
The “free” Linux tools approach typically involves Linux IT admins using the OpenSSL command line to create a private key and certificate signing request (CSR), email the request to the Microsoft PKI Admin, receive back the certificate, and install the certificate and key properly. Then you also have to have some kind of out-of-band reminder to to repeat this process before the certificate expires.
This might be manageable for a dozen or so systems, but this scales very poorly.
The usual result are certificates with either too long an expiration and/or certificates which expire without being renewed. Using long, multi-year expiration times is far from ideal because the longer a certificate is valid, the more it is susceptible to weakened cryptography. Using shorter expiration times shortens the exposure to susceptible cryptography, but comes at the cost of more frequent certificate renewals.
IT admins are human. They forget things. One thing they often forget is to renew manually managed certificates. This leads to service outages and unhappy customers.
Even if your IT admins have the memory of an elephant and the discipline of a Tai Chi Master, the labor costs of creating and managing large numbers of certificates in this manner is huge.
Prepare For Assimilation
There are several behemoth commercial products on the market which can automate the certificate process. However, these products require “total assimilation” similar to the approach of the fictional The Borg.
You have to integrate each Linux system with Active Directory and switch your user identification authentication over as well. This requires massive changes to existing Linux and Microsoft infrastructure.
The result is implementation time-frames of 3 months to more than 3 years and have a price tag that starts at $250K for an “entry level” implementation to $1M or more for large organizations.
That’s not easy and it’s not cheap by any means.
The Easy Way
Revocent developed CertAccord Enterprise to solve these problems. CertAccord Enterprise provides a Linux Client for auto enrollment with the Microsoft PKI Certificate Authority.
It is designed to be easy to use by Linux admins who just want to be able to run a simple command to “create web server certificate” and then have the certificate managed (renewed) through-out its life-cycle. The certificate creator gives the purpose of the certificate without having to know what the company PKI configuration policies are to create a private key or certificate. That is all configured by the enterprise PKI experts.
The Microsoft PKI administrators use nearly all the same tools and interfaces to manage Certificate Templates (policies) with the addition of the CertAccord Enterprise Console Management web GUI. The Console is where Linux device registrations are controlled and where certificate Templates (policies) are “connected” to CertAccord for use.
It’s easy to install because it’s designed as a “bolt-on” to your existing Microsoft PKI and Linux infrastructure. You don’t integrate your Linux systems with AD so it’s a simple installation.
You don’t have to spend a year implementing it and it won’t cost you most of your annual budget. It’s just easier.
- CertAccord Enterprise
- Revocent company website: www.revocent.com
- Red Hat Enterprise Linux (RHEL)
- Ubuntu Server