Windows Server and client machines should be able to get certificates from a CryptOS CA using only the tooling built into Windows, with no third-party enrollment agent installed. Enrollment is driven across the domain by Group Policy, the same way machines enroll against AD CS today.
On the CryptOS side this means exposing the two web services Windows autoenrollment expects. The enrollment policy service (MS-XCEP) tells a client what it may enroll for and where. The enrollment service (MS-WSTEP) takes the client's request over HTTPS and returns the issued certificate. Both run over HTTPS using an auth method the domain machine already has, such as Kerberos or a client certificate, so nothing extra has to be installed.
The client side is pure configuration. A Group Policy turns on certificate autoenrollment and points machines at the CryptOS policy service, pushed to the whole domain. This work has to include documenting that Group Policy setup, not just the server endpoints.
WSTEP is already one of the built-in protocol adapters named in the design decisions, alongside ACME, SCEP, EST, RFC 3161, and OCSP. This issue is the concrete Windows use case that drives the WSTEP and XCEP adapters.
Not scheduled. The auth model, template mapping, and any reuse of Active Directory are still open and tie into the separate AD redesign.
Windows Server and client machines should be able to get certificates from a CryptOS CA using only the tooling built into Windows, with no third-party enrollment agent installed. Enrollment is driven across the domain by Group Policy, the same way machines enroll against AD CS today.
On the CryptOS side this means exposing the two web services Windows autoenrollment expects. The enrollment policy service (MS-XCEP) tells a client what it may enroll for and where. The enrollment service (MS-WSTEP) takes the client's request over HTTPS and returns the issued certificate. Both run over HTTPS using an auth method the domain machine already has, such as Kerberos or a client certificate, so nothing extra has to be installed.
The client side is pure configuration. A Group Policy turns on certificate autoenrollment and points machines at the CryptOS policy service, pushed to the whole domain. This work has to include documenting that Group Policy setup, not just the server endpoints.
WSTEP is already one of the built-in protocol adapters named in the design decisions, alongside ACME, SCEP, EST, RFC 3161, and OCSP. This issue is the concrete Windows use case that drives the WSTEP and XCEP adapters.
Not scheduled. The auth model, template mapping, and any reuse of Active Directory are still open and tie into the separate AD redesign.