Skip to content

feat(enroll): native Windows autoenrollment via GPO (MS-XCEP/WSTEP), no third-party agent #108

Description

@Bugs5382

Windows Server and client machines should be able to get certificates from a CryptOS CA using only the tooling built into Windows, with no third-party enrollment agent installed. Enrollment is driven across the domain by Group Policy, the same way machines enroll against AD CS today.

On the CryptOS side this means exposing the two web services Windows autoenrollment expects. The enrollment policy service (MS-XCEP) tells a client what it may enroll for and where. The enrollment service (MS-WSTEP) takes the client's request over HTTPS and returns the issued certificate. Both run over HTTPS using an auth method the domain machine already has, such as Kerberos or a client certificate, so nothing extra has to be installed.

The client side is pure configuration. A Group Policy turns on certificate autoenrollment and points machines at the CryptOS policy service, pushed to the whole domain. This work has to include documenting that Group Policy setup, not just the server endpoints.

WSTEP is already one of the built-in protocol adapters named in the design decisions, alongside ACME, SCEP, EST, RFC 3161, and OCSP. This issue is the concrete Windows use case that drives the WSTEP and XCEP adapters.

Not scheduled. The auth model, template mapping, and any reuse of Active Directory are still open and tie into the separate AD redesign.

Metadata

Metadata

Assignees

Labels

enhancementNew feature (feat). Minor version bump.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions