Hi Martin,

Thank you.
I understand that it's not easy to interface Microsoft Issuing CA and OpenXPKI 
RA, so we will avoid it.

Instead we will try to install and configure a new OpenXPKI (Community Edition) 
SubCA (signed by a Microsoft Root CA) with the SCEP feature. Can SCEP be 
configured on the same server? (No need for a dedicated server?)

Regards,
Julien

-----Original Message-----
From: Martin Bartosch via OpenXPKI-users <openxpki-users@lists.sourceforge.net>
Sent: Wednesday, 28 May 2025 11:00
To: Martin Bartosch via OpenXPKI-users <openxpki-users@lists.sourceforge.net>
Cc: Martin Bartosch <vc-...@cynops.de>
Subject: Re: [OpenXPKI-users] Can ADCS Root CA works with OpenXPKI issuing subCA ?

Hi Julien,

> And, I’m just wondering, could OpenXPKI just act as a SCEP server with my 
> current Microsoft SubCA?
> Or do I really need to configure a new OpenXPKI SubCA for SCEP to be working?

In general, OpenXPKI Enterprise Edition does support this mode of operation. 
Please note that this feature is not available for OpenXPKI Community Edition.

We call it RA/CA split, and this feature essentially allows chaining OpenXPKI 
with itself or another PKI product.

Normally this feature is used to separate the RA side (handling requests) from 
the actual CA issuance (CA side). This mode will allow you to configure the SCEP 
server on the RA instance, which then forwards certificate requests to the CA 
backend for issuance. This works well with OpenXPKI itself as a backend and, 
e.g., public CAs where a public CA such as DigiCert, Verisign or LetsEncrypt 
issues the actual certificate.

It is possible to attach different PKI products as CA backend, but here is the 
catch: Microsoft CA is too limited to allow this mode of operation. It is not 
easily possible to interface with Microsoft CA properly to attach it as an 
issuing CA with an OpenXPKI RA frontend. There may be ways, but they are 
clumsy. 

If you need assistance on this I would recommend approaching this off-list. Get 
in touch with White Rabbit Security and we can discuss your options.

Cheers,

Martin




_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
