# Overview

[cepceslib](https://bgstack15.ddns.net/cgit/cepceslib) is a minimal POSIX shell and python library for using CEP/CES certificate enrollment from GNU/Linux in an Active Directory Certificate Services environment.

# Alternatives
[cepces](https://github.com/openSUSE/cepces) is a much larger project, but works only with certmonger which is a complex project, and also avoids username auth.

# Usage

## Use CEP
The purpose of Certificate Enrollment Policy (CEP) is to list the user's available templates and enrollment endpoints.

### Example CEP input

    $ CEPURL="https://ces.example.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" CESUSER="sa839" CESPASSWORDFILE=~/.config/user1 ./cepceslib.sh use_cep

### Example CEP output

    endpoints:https://ces.example.com/Example%20CA%20Name_CES_Kerberos/service.svc/CES,https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES
    SubCA
    WebServer

## Use CES
The purpose of Certificate Enrollment Service is to enroll certificates.

### Example CES input
Save a WebServer certificate down to example.key and example.pem. Note that by default the CERTFILE will contain the entire certificate chain, with the root first and leaf last.

    CESURL="https://ces.example.com/Example%20CA%20Name_CES_UsernamePassword/service.svc/CES" KEYFILE=example.key CSRFILE=example.csr CESPASSWORDFILE=~/.config/user1 CESUSER=sa839 CERTFILE=example.pem TEMPLATE="WebServer" CN="example1.example.com" SANS="san1.example.com,san2.example.com" ./cepceslib.sh use_ces

### Example CES output
None. The certificate chain is stored in `CERTFILE`, and the key is stored in `KEYFILE`.