MacOS Certificate Auto Enrollment With Microsoft CA


There is no free MacOS (MacOS X) “client” which provides Auto Enrollment or integrates with the Microsoft PKI the way the client built into Microsoft Windows does. However, there are commercial options which provide very similar abilities, one in particular which is actually easy to install and use, and won’t blow up your budget.

Many commercial and government enterprise organizations leverage MacOS for laptops, desktops, and servers which often require an X.509 trusted certificate.  Typically the need is for an SSL/TLS Server Authentication certificate commonly known as a web server certificate or a Client Authentication certificate.  These certificates are typically used for user and device authentication and other applications such as connecting to enterprise VPN.

The most common Public Key Infrastructure (PKI) in these same organizations is the Microsoft Enterprise Certificate Authority (CA). There are no free MacOS options which provide automated integration with the Microsoft CA. This historically leaves organizations with the choice of using “free” MacOS tools combined with a complex manual process, or purchasing one of the very large and complex commercial products on the market.

There is a better solution that doesn’t have all the downsides of the “free” solution and doesn’t require substantial budget like the older monolithic commercial solutions.

Free Doesn’t Mean Low Cost

The “free” MacOS tools approach typically involves IT admins using the OpenSSL command line to create a private key and certificate signing request (CSR), emailing the request to the Microsoft PKI Admin, receiving back the certificate, and installing the certificate and key properly. Then you also need some kind of out-of-band reminder to repeat this process before the certificate expires.

This might be manageable for a dozen or so systems, but this scales very poorly.

The usual result is certificates with too long an expiration, certificates which expire without being renewed, or both. Using long, multi-year expiration times is far from ideal because the longer a certificate is valid, the more it is susceptible to weakened cryptography. Using shorter expiration times shortens the exposure to susceptible cryptography, but comes at the cost of more frequent certificate renewals.

IT admins are human.  They forget things.  One thing they often forget is to renew manually managed certificates.  This leads to service outages and unhappy customers.

Even if your IT admins have the memory of an elephant and the discipline of a Tai Chi Master, the labor costs of creating and managing large numbers of certificates in this manner are huge.
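The manual process described above, scripted as an added example (this is not code from the page or from Revocent): key and CSR generation with a restrictive file mode, a stand-in for the CA signing step, and the expiry check that a renewal reminder would be built on. It assumes `openssl` is on PATH, uses a hypothetical hostname, and signs the CSR locally in place of the Microsoft CA so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page or from Revocent): the manual
# "free" workflow scripted end to end. Assumes `openssl` is available.
set -e

# Working directory for the generated material (constructed for the example).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: create a private key and CSR for a host. umask 077 makes the key
# file mode 0600 so it is never group- or world-readable, and the CSR carries
# a subjectAltName, which modern TLS clients require for web server certs.
make_csr() {
  host="$1"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$WORKDIR/$host.key" \
      -out "$WORKDIR/$host.csr" \
      -subj "/CN=$host" \
      -addext "subjectAltName=DNS:$host" >/dev/null 2>&1 )
  # Sanity-check the CSR's self-signature before it is sent to the PKI admin.
  openssl req -in "$WORKDIR/$host.csr" -noout -verify >/dev/null 2>&1
}

# Step 2 stand-in: in the real process the CSR is emailed to the Microsoft CA
# admin and a signed certificate comes back. Here a self-signed certificate
# with a chosen lifetime (in days) plays that role so the script runs offline.
stand_in_ca_sign() {
  host="$1"; days="$2"
  openssl x509 -req -in "$WORKDIR/$host.csr" -signkey "$WORKDIR/$host.key" \
    -days "$days" -out "$WORKDIR/$host.crt" >/dev/null 2>&1
}

# Step 3: the "out-of-band reminder". Returns 0 (true) when the certificate
# expires within the next N days (default 30), i.e. when renewal is due.
# `-checkend` is used instead of date arithmetic because it behaves the same
# on macOS (BSD date) and Linux (GNU date).
needs_renewal() {
  cert="$1"; days="${2:-30}"
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1   # still valid beyond the window
  fi
  return 0     # expires inside the window, or already expired
}

# Demo: a certificate issued for one day trips the 30-day reminder.
make_csr "web01.example.internal"            # hypothetical hostname
stand_in_ca_sign "web01.example.internal" 1
if needs_renewal "$WORKDIR/web01.example.internal.crt" 30; then
  echo "web01.example.internal: renewal due"
fi
```

Run it once to see the reminder fire; in practice `needs_renewal` would be called from a cron or launchd job over every certificate the admin tracks, which is exactly the bookkeeping the manual approach leaves to memory.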

Prepare For Assimilation

There are several behemoth commercial products on the market which can automate the certificate process. However, these products require “total assimilation,” similar to the approach of the fictional Borg.

You have to integrate each MacOS system with Active Directory and switch your user identification and authentication over as well. This requires massive changes to existing MacOS and Microsoft infrastructure.

The result is implementation time-frames of 3 months to more than 3 years, with a price tag that starts at $250K for an “entry level” implementation and reaches $1M or more for large organizations.

That’s not easy and it’s not cheap by any means.

The Easy Way

Revocent developed CertAccord© Enterprise to solve these problems. CertAccord Enterprise provides a MacOS (also Linux, Unix, and Windows) Client for auto enrollment with the Microsoft PKI Certificate Authority.

It is designed to be easy to use by MacOS admins who just want to run a simple command to “create web server certificate” and then have the certificate managed (renewed) throughout its life-cycle. The certificate creator specifies the purpose of the certificate without having to know the company PKI configuration policies for creating a private key or certificate. That is all configured by the enterprise PKI experts.

The Microsoft PKI administrators use nearly all the same tools and interfaces to manage Certificate Templates (policies) with the addition of the CertAccord Enterprise Console Management web GUI.  The Console is where MacOS device registrations are controlled and where certificate Templates (policies) are “connected” to CertAccord for use.

It’s easy to install because it’s designed as a “bolt-on” to your existing Microsoft PKI and MacOS infrastructure.  You don’t integrate your MacOS systems with AD so it’s a simple installation.

You don’t have to spend a year implementing it and it won’t cost you most of your annual budget.   It’s just easier.
