Possible to use Openssl based PKI with Active directory?

Jayad Bhutani 21 Reputation points
2023-01-30T11:25:58.7366667+00:00

I am planning to use an OpenSSL-based PKI (e.g. CA and issuing CA) with Active Directory for user authentication. So basically, the issuing CA will be issuing certificates to users (for smart card authentication).

In my understanding, the Domain Controller will require a Domain Controller Authentication certificate for this, and the user will require a smart card authentication certificate with the relevant OIDs and properties.

The environment will be Win 10 Enterprise client machines with Win2016 AD.

Has anyone done this before, and is it even possible to integrate AD with OpenSSL for smart card authentication?


2 answers

  1. JimmySalian-2011 42,491 Reputation points
    2023-01-30T11:35:08.3466667+00:00

    Hi,

    This should be possible; however, it will not be supported by Microsoft if any issues arise out of the deployment, as it is an open-source CA and issuing CA, so just keep a note of this. However, there is a detailed thread and guidance from a third-party blogger on this that might help you - https://4sysops.com/archives/use-openssl-based-software-xca-as-offline-root-certificate-authority-for-ad-certificate-services/

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.


  2. Thameur-BOURBITA 36,261 Reputation points Moderator
    2023-01-30T14:46:31.8733333+00:00

    Hi @Jayad Bhutani

    Yes, you can use an OpenSSL PKI in a Windows environment.

    You have to deploy the root certificate on member machines using one of 2 methods:

    • Publish the root certificate in AD using the command below; once done, all member machines in the forest will add the OpenSSL root certificate to Trusted Root Certification Authorities: certutil -dspublish -f <certfilename> RootCA
    • Deploy the root certificate using a group policy object (GPO) through this setting: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. For more details, please read the following link:
      Distribute Certificates to Client Computers by Using Group Policy

    Please don't forget to mark the helpful answer as accepted.

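The first method from the answer above, worked through as an added PowerShell example (not code from the thread or from Microsoft): it converts the OpenSSL PEM certificates to DER, which certutil -dspublish expects, publishes the root CA to the RootCA container, and then checks on a member machine that the root has landed in the machine Trusted Root store. It also publishes the issuing CA to the NTAuthCA container, which smart card logon requires on top of root trust. All file paths are placeholders.

```powershell
# Added example, not part of the original thread. Run on a domain-joined machine
# as an Enterprise Admin; paths below are placeholders for your OpenSSL output.
param(
    [string]$RootPem    = 'C:\pki\rootca.pem',     # assumed: PEM root CA from OpenSSL
    [string]$IssuingPem = 'C:\pki\issuingca.pem',  # assumed: PEM issuing CA from OpenSSL
    [string]$OutDir     = 'C:\pki\der'             # assumed: where DER copies are written
)

function Convert-PemToDer {
    param([string]$PemPath, [string]$DerPath)
    # X509Certificate2 loads either PEM or DER; Export(Cert) always writes DER,
    # which is the encoding certutil -dspublish accepts.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PemPath)
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($DerPath, $der)
    return $cert
}

function Publish-CaToAd {
    param([string]$DerPath, [ValidateSet('RootCA', 'NTAuthCA')][string]$Container)
    # -f forces the AD object to be created or updated. RootCA feeds the machine
    # Trusted Root store of every forest member; NTAuthCA marks the CA as allowed
    # to issue logon certificates (smart card logon fails without it).
    & certutil.exe -dspublish -f $DerPath $Container
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -dspublish $Container failed with exit code $LASTEXITCODE"
    }
}

function Test-RootTrusted {
    param([string]$Thumbprint)
    # After group policy refresh ('gpupdate /force' or 'certutil -pulse') the
    # published root must show up in the local machine Root store by thumbprint.
    $hit = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
    return ($null -ne $hit)
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$root = Convert-PemToDer -PemPath $RootPem -DerPath "$OutDir\rootca.cer"
Publish-CaToAd -DerPath "$OutDir\rootca.cer" -Container RootCA

$issuing = Convert-PemToDer -PemPath $IssuingPem -DerPath "$OutDir\issuingca.cer"
Publish-CaToAd -DerPath "$OutDir\issuingca.cer" -Container NTAuthCA

& certutil.exe -pulse | Out-Null   # trigger autoenrollment so the store refreshes now
"Root CA $($root.Subject) thumbprint $($root.Thumbprint); trusted on this machine: $(Test-RootTrusted $root.Thumbprint)"
"Issuing CA $($issuing.Subject) published to NTAuth"
```

Compare the printed thumbprint against the one shown by openssl x509 -fingerprint -sha1 on the original PEM before relying on the trust, since a root published to AD is trusted by every machine in the forest.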
