Support Kerberos-authenticated (ADCS replacement) ? #2344
It would be useful for step-ca to support issuing client certificates to users and machines authenticated via Kerberos. The goal is to replicate the core functionality of Microsoft ADCS: issuing client certificates based on existing Kerberos identities, without requiring additional tokens or provisioning. This would allow step-ca to distribute certificates to users and hosts in a Kerberos realm (MIT, Heimdal, FreeIPA, etc.) using their existing authentication, across platforms (Linux, Windows, macOS). Smallstep already handles certificate issuance well — the missing part is native Kerberos authentication as a trusted identity source. Does it exist?
Replies: 1 comment
Hi Simon,
Thanks for the suggestion.
Broadly speaking, step-ca is designed to serve DevOps use cases, and our commercial products revolve around IT use cases and certificates for endpoints, with a focus on device and user identities. So, ADCS replacement is something Smallstep offers commercially.
We currently have an option for dynamic SCEP (using NDES emulation), but we don't have Kerberos support (yet). It's definitely an interesting area for us.
If you haven't already, feel free to reach out to us if you'd like to learn more.
Thanks,
Carl