
Overview

cepceslib is a minimal POSIX shell and Python library for using CEP/CES certificate enrollment from GNU/Linux against an Active Directory Certificate Services environment.

Alternatives

cepces is a much larger project, but it works only with certmonger, which is itself a complex project, and it does not support username/password authentication.

Usage

Use CEP

The purpose of Certificate Enrollment Policy (CEP) is to list the templates available to the user and the enrollment (CES) endpoints that can issue them.

Example CEP input

$ CEPURL="https://ces.example.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" CESUSER="sa839" CESPASSWORDFILE=~/.config/user1 ./cepceslib.sh use_cep

Example CEP output

endpoints:https://ces.example.com/Example%20CA%20Name_CES_Kerberos/service.svc/CES,https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES
SubCA
WebServer
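The output above is line-oriented: one `endpoints:` line of comma-separated CES URLs, then one template name per line. The following is an added example (not cepceslib's own code) that parses it, derives the CA name and authentication mode from each endpoint's IIS application name (the `..._CES_UsernamePassword` segment), and selects the endpoint for the wanted auth mode. It refuses non-HTTPS endpoints, because the UsernamePassword binding carries the password in the SOAP request. The sample output is copied in shape from the README and the `ca_name`/`auth` split is an assumption about the URL layout, not something the page states.

```python
"""Parse `cepceslib.sh use_cep` output and pick a CES endpoint.

Added example, not part of cepceslib. Assumes the output format shown
in the README: an `endpoints:` line, then one template name per line.
"""
from urllib.parse import unquote, urlsplit

# Constructed sample, modelled on the README's example CEP output.
SAMPLE_CEP_OUTPUT = """endpoints:https://ces.example.com/Example%20CA%20Name_CES_Kerberos/service.svc/CES,https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES
SubCA
WebServer
"""


def parse_cep_output(text):
    """Return (endpoints, templates) from use_cep output."""
    endpoints = []
    templates = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("endpoints:"):
            endpoints.extend(u for u in line[len("endpoints:"):].split(",") if u)
        else:
            templates.append(line)
    return endpoints, templates


def endpoint_auth(url):
    """Split the first path segment into (ca_name, auth_mode).

    Assumption: ADCS publishes CES as '<CA name>_CES_<auth>' under the
    site root, so 'Example%20CA%20Name_CES_Kerberos' yields
    ('Example CA Name', 'Kerberos'). Returns (segment, None) otherwise.
    """
    app = unquote(urlsplit(url).path.split("/")[1])
    ca_name, sep, auth = app.rpartition("_CES_")
    return (ca_name, auth) if sep else (app, None)


def pick_endpoint(endpoints, auth="UsernamePassword"):
    """Return the first HTTPS endpoint for the requested auth mode, or None."""
    for url in endpoints:
        if urlsplit(url).scheme != "https":
            continue  # never post credentials to a plain-HTTP endpoint
        if endpoint_auth(url)[1] == auth:
            return url
    return None


if __name__ == "__main__":
    eps, tmpls = parse_cep_output(SAMPLE_CEP_OUTPUT)
    print("templates:", ", ".join(tmpls))
    print("CESURL:", pick_endpoint(eps))
```

Before calling `use_ces`, check that the wanted TEMPLATE name is in the template list; CEP only shows templates the authenticated user has enroll rights on, so a missing entry means the request would be rejected anyway.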

Use CES

The purpose of Certificate Enrollment Service (CES) is to enroll certificates against one of the endpoints listed by CEP.

Example CES input

Save a WebServer certificate to example.key and example.pem. Note that by default CERTFILE contains the entire certificate chain, with the root first and the leaf last; most TLS servers expect the leaf first, so reorder the file before deploying it.

CESURL="https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES" KEYFILE=example.key CSRFILE=example.csr CESPASSWORDFILE=~/.config/user1 CESUSER=sa839 CERTFILE=example.pem TEMPLATE="WebServer" CN="example1.example.com" SANS="san1.example.com,san2.example.com" ./cepceslib.sh use_ces

Example CES output

None. The certificate chain is stored in CERTFILE, and the key is stored in KEYFILE.
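Because CERTFILE is written root first and leaf last, it usually has to be reordered (and the root usually dropped) before a web server will accept it. The following is an added example, not cepceslib code: it splits the PEM bundle into CERTIFICATE blocks, rejects a truncated file, and emits a leaf-first bundle. The sample bundle is constructed with placeholder bodies rather than real DER; only the README's ordering guarantee is assumed.

```python
"""Reorder the chain that `cepceslib.sh use_ces` writes to CERTFILE.

Added example, not part of cepceslib. Assumes only what the README
states: CERTFILE is a PEM bundle with the root first and the leaf last.
"""
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for a CERTFILE: root, issuing CA, leaf.
# The bodies are placeholders, not real base64-encoded certificates.
CONSTRUCTED_CERTFILE = """\
-----BEGIN CERTIFICATE-----
ROOTCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUINGCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
LEAF
-----END CERTIFICATE-----
"""


def split_pem(text):
    """Return the CERTIFICATE blocks of a PEM bundle, in file order.

    Raises ValueError on a truncated block, a stray marker, or an empty
    file, so a half-written CERTFILE is never silently deployed.
    """
    blocks = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            if current is not None:
                raise ValueError("BEGIN marker inside an open block")
            current = [line]
        elif line == END:
            if current is None:
                raise ValueError("END marker without BEGIN")
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            if not line:
                raise ValueError("blank line inside a PEM block")
            current.append(line)
        # text outside blocks (e.g. openssl's "Bag Attributes") is ignored
    if current is not None:
        raise ValueError("truncated PEM block")
    if not blocks:
        raise ValueError("no certificates found")
    return blocks


def leaf_first(text, include_root=False):
    """Return a server-style bundle: leaf, then intermediates, root optional."""
    ordered = list(reversed(split_pem(text)))  # README: root first, leaf last
    if not include_root and len(ordered) > 1:
        ordered = ordered[:-1]  # clients trust the root from their own store
    return "".join(ordered)


def leaf_only(text):
    """Return just the end-entity certificate (the last block in CERTFILE)."""
    return split_pem(text)[-1]


if __name__ == "__main__":
    # Usage: python3 reorder_chain.py < example.pem > example.leaf-first.pem
    sys.stdout.write(leaf_first(sys.stdin.read()))
```

A single-certificate CERTFILE passes through unchanged, since there is nothing to reorder or drop. The script does not verify signatures or that the leaf matches KEYFILE; `openssl verify` and comparing `openssl x509 -pubkey` against `openssl pkey -pubout` remain the checks to run before the files go live.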

bgstack15