This CA handler uses Microsoft's Certification Authority Web Enrollment service for certificate enrollment and the Python library magnuswatn/certsrv for communication with the enrollment service.
When using the handler please be aware of the following limitations:
- Authentication towards Microsoft Web Enrollment Service is limited to "basic" or "ntlm". There is currently no support for ClientAuth
- Communication is limited to https
- Revocation operations are not supported
- Microsoft Certification Authority Web Enrollment Service must be enabled and configured - of course :-)
- You need to have a set of credentials with permissions to access the service and the enrollment templates
- Authentication method (basic or ntlm) to the service must be defined.
It is helpful to verify the service access before you start testing with est_proxy:

- service access by using ntlm authentication towards certsrv

```bash
root@rlh:~# curl -I --ntlm --user <user>:<password> -k https://<host>/certsrv/
```

- service access by using basic authentication

```bash
root@rlh:~# curl -I --user <user>:<password> -k https://<host>/certsrv/
```

Access to the service is possible if you see the status code 200 returned as part of the response:

```
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3686
Content-Type: text/html
Server: Microsoft-IIS/10.0
Set-Cookie: - removed - ; secure; path=/
X-Powered-By: ASP.NET
```

- install certsrv via pip (the module is already part of the docker images)

```bash
root@rlh:~# pip install certsrv[ntlm]
```

- modify the server configuration (est_proxy.cfg) and add the following parameters

```ini
[CAhandler]
host: <hostname>
user: <username>
password: <password>
ca_bundle: <filename>
auth_method: <basic|ntlm>
template: <name>
```
- host - hostname of the system providing the Web enrollment service
- user - username used to access the service
- password - password
- ca_bundle - CA certificate bundle in PEM format needed to validate the server certificate
- auth_method - authentication method (either "basic" or "ntlm")
- template - certificate template used for enrollment
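As an added pre-flight check (example code written here, not part of est_proxy or certsrv), the script below reads the [CAhandler] section from est_proxy.cfg and validates the parameters listed above before the proxy is started: every parameter is present, auth_method is one of the two supported values, the ca_bundle file exists, and host is a bare hostname (the handler only speaks https, so the scheme check is an assumption made by this script). The sample configuration it writes is constructed for the demonstration; the hostname, user, password and template values are placeholders.

```python
"""Pre-flight validation of the [CAhandler] section used by the mscertsrv
handler.  Added example, not code from est_proxy or certsrv; the parameter
names match the configuration shown above, the checks are assumptions."""
import configparser
import os
import tempfile
from typing import Dict, List, Optional

REQUIRED_KEYS = ("host", "user", "password", "ca_bundle", "auth_method", "template")
VALID_AUTH_METHODS = ("basic", "ntlm")


def load_cahandler_section(cfg_path: str) -> Dict[str, str]:
    """Read est_proxy.cfg and return the [CAhandler] keys as a plain dict.

    interpolation=None keeps '%' characters in passwords from being treated
    as configparser substitutions (a common source of startup errors)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(cfg_path)
    if not cfg.has_section("CAhandler"):
        return {}
    return dict(cfg["CAhandler"])


def validate_cahandler(section: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the section looks usable."""
    errors = []
    for key in REQUIRED_KEYS:
        if not section.get(key):
            errors.append(f"missing parameter: {key}")
    auth = section.get("auth_method", "")
    if auth and auth not in VALID_AUTH_METHODS:
        errors.append(f"auth_method must be 'basic' or 'ntlm', got '{auth}'")
    host = section.get("host", "")
    if "://" in host:
        # Assumption: the handler builds https://<host>/certsrv/ itself,
        # so host must not carry a scheme.
        errors.append("host must be a bare hostname without scheme")
    bundle = section.get("ca_bundle", "")
    if bundle and not os.path.isfile(bundle):
        errors.append(f"ca_bundle file not found: {bundle}")
    return errors


def service_url(host: str) -> str:
    """URL of the Web Enrollment service, as used in the curl checks above."""
    return f"https://{host}/certsrv/"


def write_sample_config(directory: Optional[str] = None) -> str:
    """Write a constructed est_proxy.cfg plus a placeholder CA bundle file
    into `directory` (a fresh temp dir if None) and return the cfg path."""
    directory = directory or tempfile.mkdtemp(prefix="est_proxy_demo_")
    bundle = os.path.join(directory, "ca_bundle.pem")
    with open(bundle, "w") as fh:
        fh.write("# placeholder: put the PEM chain for the IIS server certificate here\n")
    cfg_path = os.path.join(directory, "est_proxy.cfg")
    with open(cfg_path, "w") as fh:
        fh.write(
            "[CAhandler]\n"
            "host: pki.example.internal\n"        # constructed hostname
            "user: enroll_svc\n"                  # constructed user
            "password: s3cret%with%percent\n"     # constructed, contains '%'
            f"ca_bundle: {bundle}\n"
            "auth_method: ntlm\n"
            "template: WebServer\n"               # constructed template name
        )
    return cfg_path


if __name__ == "__main__":
    path = write_sample_config()
    section = load_cahandler_section(path)
    print("config:", path)
    print("service URL:", service_url(section["host"]))
    print("problems:", validate_cahandler(section) or "none")
```

Run it against your real est_proxy.cfg by replacing `write_sample_config()` with the path of that file. Note that the curl checks above use `-k`, which skips server certificate verification for the quick connectivity test, whereas the handler validates the IIS certificate against ca_bundle; if the validator reports the bundle file as missing, enrollment will fail even though the curl test succeeded.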