Driver for Microsoft Active Directory Certificate Services

The ADCS driver is currently used only for generating certificates. For other operations the certification service has to be used directly.
Generation requires an AD account for the identity for which the certificate is generated.

This is our native driver for the certificate services built into Active Directory. The driver works only through a REST API, which is the second part of the driver; the driver does not work without this REST API. The REST API is part of a standalone application that is deployed on a Windows server and communicates directly with ADCS.

Supported operations

Generate certificate

Generating certificates is one of the primary features of all CA drivers, and the ADCS driver supports it. Generation requires an AD account for the identity for which the certificate is generated; otherwise generation fails.

The POST operation for generation takes these attributes:

Unsupported operations

Basic configuration

The ADCS driver has the basic configuration inherited from the standard driver configuration. The basic configuration is extended with the driver's own configuration for the REST endpoints:

Authentication

The CzechIdM product does not currently support GuardedString EAV configuration for the certification module and its drivers. The password for the communication therefore cannot be stored in the driver configuration the way the username is, because it would be stored as plaintext. As a workaround the password is stored in the standard CzechIdM configuration under the property name:

idm.sec.crt.configuration.adcs.password.*

Because each driver can have more than one configuration, the password property has an editable suffix. The suffix must be set: it is the username filled in the standard GUI driver configuration.

For example, the ADCS driver has the username testUser filled in its configuration.

The configuration with the password will then be:

idm.sec.crt.configuration.adcs.password.testUser=mySecredPassword

The ADCS driver uses HTTP Basic authentication for now, so both the username and the password must be filled in. Basic authentication only base64-encodes the credentials, it does not encrypt them, so the REST API endpoint should be reachable over HTTPS only.

Generation process

For generation the username and password are sent to the ADCS REST API. After generation a PKCS12 encoded in base64 is returned to IdM. The PKCS12 is decoded into its public and private parts and saved in IdM as a CrtKeyPairWithCert object, which is stored in the same way as other certificates.

During generation IdM allows choosing a certificate type, for example AUTHENTICATION, SIGNING or ENCRYPTION, but this option does not affect the generation process. The certificate type is set by the templates in the application with the REST API (todo: FIXME).
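The following POSIX shell script is an added example; it is not code from CzechIdM or from the ADCS REST application. It walks through the two parts described above: the password lookup by username suffix and the Basic authentication header from the Authentication section, and the handling of the returned base64 PKCS12 from the generation process. The properties snippet is constructed for the example in place of the real CzechIdM configuration, a self-signed OpenSSL certificate stands in for what ADCS would return, and the PKCS12 password changeit, the file names and the subject are assumptions.

```shell
#!/bin/sh
# Added example (not CzechIdM's or the ADCS REST application's code).
# Requires the openssl and base64 command-line tools.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Authentication side -------------------------------------------------
# Constructed stand-in for the CzechIdM configuration file (not a real file
# from the page). The suffix after "password." is the username from the GUI
# driver configuration.
IDM_PROPERTIES='idm.sec.crt.configuration.adcs.password.testUser=mySecredPassword
idm.sec.crt.configuration.adcs.password.otherUser=anotherSecret'

# Look up the ADCS password for a given username suffix; prints nothing
# when no property with that suffix exists.
adcs_password() {
    printf '%s\n' "$IDM_PROPERTIES" \
        | sed -n "s/^idm\.sec\.crt\.configuration\.adcs\.password\.$1=//p"
}

# Build the HTTP Basic header the driver would send: base64("user:password").
# This is reversible encoding, not encryption, hence the HTTPS requirement.
basic_auth_header() {
    printf 'Authorization: Basic %s' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# --- REST API side (stand-in) ---------------------------------------------
# Build a throwaway key pair and self-signed certificate, package both as
# PKCS12 and base64-encode it, as the API response body would be. In the
# real deployment ADCS issues the certificate from a template instead.
make_response() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=testUser" \
        -keyout "$WORK/svc.key" -out "$WORK/svc.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/svc.key" -in "$WORK/svc.crt" \
        -passout pass:changeit -out "$WORK/svc.p12"
    base64 "$WORK/svc.p12" | tr -d '\n'
}

# --- IdM side -------------------------------------------------------------
# Decode the base64 body and split the PKCS12 into the private part and the
# public part (the end-entity certificate), written to $3/private.pem and
# $3/cert.pem.
split_pkcs12() {
    b64="$1"; p12pass="$2"; out="$3"
    printf '%s' "$b64" | base64 -d > "$out/received.p12"
    openssl pkcs12 -in "$out/received.p12" -passin "pass:$p12pass" \
        -nocerts -nodes -out "$out/private.pem" 2>/dev/null
    openssl pkcs12 -in "$out/received.p12" -passin "pass:$p12pass" \
        -nokeys -clcerts -out "$out/cert.pem" 2>/dev/null
}

# Check worth doing before storing the pair: the certificate's public key
# must belong to the private key. Returns 0 when they match.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: look up the credentials, "call" the API, split and verify the result.
PASSWORD=$(adcs_password testUser)
echo "would send: $(basic_auth_header testUser "$PASSWORD")"
RESPONSE=$(make_response)
split_pkcs12 "$RESPONSE" changeit "$WORK"
keypair_matches "$WORK/cert.pem" "$WORK/private.pem" && echo "key pair matches"
openssl x509 -in "$WORK/cert.pem" -noout -subject
```

The keypair_matches check is the one to keep in any tooling around this driver: it rejects a response whose certificate and key do not belong together before the pair is stored. Decoding the value of the printed Authorization header with base64 -d returns the username and password unchanged, which is why the endpoint must be HTTPS only.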