[Feature]: Active Directory Certificate Services Integration #1002

@JohnLBevan

Description

Is your feature request related to a problem?

Enable the use of Active Directory Certificate Services as a provider.
(This use case is beyond the typical AcmeBot scope, so please close if you feel this is not appropriate.)

We use one key vault to manage all certificates for our infrastructure, with Azure services (AppGW/AppServices) pulling certs, but also using the KeyVault VM extension to manage certs on VMs / IIS Rebind to ensure the renewed cert is used on IIS solutions (or custom scripts for other solutions).

The problem: We have some solutions on domains that we don't publicly own; i.e. we have internal domains (historically we'd used a subdomain of a domain we publicly owned for this, but due to rebranding we no longer own that domain, and haven't yet migrated our internal services away from it). Also, many use *.internal domains for corporate networks (or other TLDs; though *.internal is the reserved TLD for this scenario). Given we don't own these domains publicly, we can't issue certificates for them. However, as this is our internal domain managed by AD, and we have AD Certificate Services, we can use our internal PKI infrastructure to issue certs. However, that won't cover renewal / sharing the certs to all places they're required. Instead, we import those certs into KeyVault for easier distribution, but have to manually renew and upload the certs each time. Having AcmeBot handle the renewal for us would remove a manual task.

It would be great if there were a way to add Active Directory Certificate Services as a provider. However, ADCS doesn't support the ACME protocol.

Describe the solution you'd like

In an ideal world we'd have AcmeBot be able to work directly with ADCS (albeit requiring a private link to allow it to connect to the VWAN/VNET on which the ADCS servers are running).

However, due to the lack of ACME support, perhaps a better solution would be to use a third party solution to put an ACME interface over ADCS, then integrate AcmeBot with that? As this may be a common requirement, we could be prescriptive about a preferred approach to make it easy for people resolving this same problem / avoid supporting multiple approaches to handling the same issue. Possible ADCS proxy options:

  • SmallStep CA is a well known solution for handling certificates, so probably gives the most value for effort (i.e. can be used for solutions other than ADCS once supported).
  • ACME-Server-ADCS is a solution by the creator of PowerShell's ACME-PS module (built on the same DotNetSharp module that acmebot originally used) to provide an ACME proxy/wrapper over ADCS.
  • ACME2Certifier is a solution aimed at providing an ACME proxy/wrapper over a selection of services, including ADCS, so whilst less targeted than ACME-Server-ADCS it gives more benefit.

Describe alternatives you've considered

  • ADCS supports auto-renewal (e.g. see [certificate autoenrollment in windows server 2016](https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-summary.aspx)) so this could be configured; but then we're limited to certs on Windows VMs.
  • We could write an automation job (task scheduler / azure function / etc) to check for expiring certs in KV then renew them in ADCS and upload the renewed cert to KV; but this would be a custom solution re-covering some of what AcmeBot can already do.

Additional context

No response
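The second alternative above (a job that finds expiring Key Vault certificates, renews them against the internal ADCS CA and uploads the result) sketched as a PowerShell script. This is an added example, not code from the issue, from AcmeBot or from any of the proxies listed; it assumes the Az.KeyVault and PKI modules are installed, that Connect-AzAccount has already run with an identity holding certificate list/get/import permission on the vault, that the job runs on a domain-joined Windows host that can reach the enterprise CA, and that the ADCS template named here ('WebServer') allows the subject/SANs to be supplied in the request and marks the key exportable. The vault name 'kv-infra' and the template name are placeholders.

```powershell
# Added example (not from the issue or AcmeBot): renew near-expiry Key Vault
# certificates from an internal ADCS CA. Placeholders/assumptions: Az.KeyVault
# and PKI modules installed, Connect-AzAccount already done, domain-joined host
# with line of sight to the enterprise CA, template allows supplied subject/SANs
# and an exportable private key.
#Requires -Modules Az.KeyVault, PKI

function Update-ExpiringKeyVaultCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$VaultName,
        [Parameter(Mandatory)] [string]$TemplateName,   # ADCS template *name*, not display name
        [int]$RenewWithinDays = 30,
        [string]$CertStore = 'Cert:\LocalMachine\My'
    )

    $threshold = (Get-Date).AddDays($RenewWithinDays)

    # 1. List the vault's certificates and keep the enabled ones expiring inside the window.
    $expiring = Get-AzKeyVaultCertificate -VaultName $VaultName |
        Where-Object { $_.Enabled -and $_.Expires -and $_.Expires -lt $threshold }

    foreach ($item in $expiring) {
        # 2. Fetch the full certificate so the existing subject and SANs are reused.
        $current  = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $item.Name
        $x509     = $current.Certificate
        $dnsNames = @($x509.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not $dnsNames) {
            # Fall back to the CN when the old certificate carries no SAN extension.
            $dnsNames = @($x509.GetNameInfo('SimpleName', $false))
        }
        $subject = "CN=$($dnsNames[0])"

        if (-not $PSCmdlet.ShouldProcess($item.Name, "Renew from ADCS template '$TemplateName'")) { continue }

        # 3. Enrol against the enterprise CA via the domain's enrollment policy.
        #    The new key pair lands in the local machine store until step 4 exports it.
        $enrol = Get-Certificate -Template $TemplateName -SubjectName $subject `
                     -DnsName $dnsNames -CertStoreLocation $CertStore
        if ($enrol.Status -ne 'Issued') {
            # e.g. 'Pending' when the template requires CA manager approval.
            Write-Warning "$($item.Name): enrollment status '$($enrol.Status)', skipping"
            continue
        }
        $newCert = $enrol.Certificate

        # 4. Export to a PFX under a throw-away random password and import it as a
        #    new version of the same Key Vault certificate, so consumers that poll
        #    the vault (App Gateway, the VM extension) pick up the renewed cert.
        $bytes = [byte[]]::new(24)
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $pfxPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        $pfxPath     = Join-Path $env:TEMP "$($item.Name).pfx"
        try {
            Export-PfxCertificate -Cert $newCert -FilePath $pfxPath -Password $pfxPassword | Out-Null
            Import-AzKeyVaultCertificate -VaultName $VaultName -Name $item.Name `
                -FilePath $pfxPath -Password $pfxPassword | Out-Null
            Write-Verbose "$($item.Name): renewed, new thumbprint $($newCert.Thumbprint)"
        }
        finally {
            # 5. Leave no copy of the private key on the job host.
            Remove-Item -Path $pfxPath -Force -ErrorAction SilentlyContinue
            Get-ChildItem -Path $CertStore |
                Where-Object Thumbprint -eq $newCert.Thumbprint |
                Remove-Item -DeleteKey -ErrorAction SilentlyContinue
        }
    }
}

# Usage (placeholder names); -WhatIf lists what would be renewed without enrolling.
Update-ExpiringKeyVaultCertificate -VaultName 'kv-infra' -TemplateName 'WebServer' -RenewWithinDays 30 -Verbose
```

Two points a reviewer of such a job would check: the renewed certificate is imported as a new version of the existing Key Vault certificate, so the name consumers bind to stays stable and the old version remains for rollback, and the private key exists outside the vault only briefly (the PFX and the machine-store copy are both removed in the `finally` block), which keeps the job host from becoming a second place the key has to be protected.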

Labels: enhancement (New feature or request)