We have a webserver that is based on Java and among other things it manages many users and creates & manages digital certificates (both private & public keys) for these.
I am looking for a way to automatically request, download and install a specific digital certificate (both private & public keys) from this webserver (via Kerberos authentication).
Use case: Thousands of client PCs that don't yet have a certificate installed have to communicate with this server in the future, thus they should get their individual certificates installed without any user interaction. The client PCs are all using Windows and their infrastructure is based on a Windows Server of some sort.
Initial thoughts were (for their Windows Server) to use group policy to some extent, with the help of tools such as "certutils" or "certreq" that are available via Windows. There are automatic enrollment options in these tools I believe (enrollmentServerURL?) and I would like to basically "ask our specific webserver for a certificate, get the certificate and install it."
However, the "how" eludes me.
Our webserver would have to be modified and basically "answer" such a request, no problem. But we first have to know what the actual request is from Windows/certutil/certreq/other tools. I am sure that Windows already has this capability, does anyone know how to do this? And if so, what kind of a request is actually sent to the webserver so I can "answer" this via the webserver? (Is Microsoft's "Certificate Enrollment Web Service" applicable for a Java webserver?)
After a lot of research I have found out that it is not possible for Windows certificate autoenrollment to point to an external CA or webserver.