Skip to main content
Issue and manage certificates using Microsoft Active Directory Certificate Services (AD CS) over the Windows Client Certificate Enrollment protocol (MS-WCCE). Requests are relayed through an Infisical Gateway that runs inside your network, so the AD CS server is never exposed to Infisical.

Prerequisites

Before setting up a Microsoft ADCS certificate authority, configure a Microsoft ADCS app connection. It covers the AD CS server, the Infisical Gateway (including the network and port requirements), and the domain account used for enrollment. You can use AD CS in a few ways: as an External CA that issues certificates directly, to back a code signing signer, or to sign internal intermediate CAs so you can build an Infisical-managed CA hierarchy backed by your AD CS server. In every case the certificate template is chosen by the issuance flow (profile, signer, or intermediate CA), not by the CA itself.
The certificate authority name is discovered automatically from the CA host. Provide it explicitly only when discovery cannot run in your environment.
1

Navigate to External Certificate Authorities

In Certificate Manager, go to Certificate Authorities and scroll to the External Certificate Authorities section.
2

Create a New Microsoft ADCS Certificate Authority

Click Create CA and configure:
  • Type: Choose Microsoft ADCS
  • Name: Friendly name for this CA (for example, production-adcs)
  • Microsoft ADCS Connection: Choose your Microsoft ADCS connection
  • Certificate Authority: Optional. Leave blank to discover it automatically from the CA host.
3

Create a Certificate Profile

Go to Certificate Manager → Certificate Profiles and create a new profile:
  • Certificate Authority: Select your ADCS CA
  • Certificate Template: Select from the templates published on your CA
  • Configure the default certificate attributes (TTL, key algorithm, and so on)
4

Create an Application and Configure Enrollment

Go to Certificate Manager → Applications and create an Application:
  • Attach the profile you created
  • Configure an enrollment method (API, ACME, EST, or SCEP)
  • Assign the members who need to issue certificates
5

Issue a Certificate

In your Application, go to the Certificate Requests tab and click Request:
  • Select the profile linked to your ADCS CA
  • Fill in the certificate details (common name, SANs, TTL)
  • Click Submit
The request is relayed through the Gateway to AD CS and issued using the profile’s template.

Certificate Templates

Infisical retrieves the templates published on your CA in real time, so a profile can only reference a template that exists and is reachable. The template lives on the issuance flow (the profile), not on the CA.Before using a template, verify the following in AD CS:
  • Enroll permission: The domain account you configured in the ADCS connection must have Enroll permission on the template.
  • Subject name: The template’s subject name policy must be compatible with the certificates you plan to request (required fields, allowed patterns, and so on).
  • Key usage: The template’s key usage and extended key usage must match what you need (for example, Server Authentication for TLS certificates).

Limitations

  • Templates that require manual approval or are held by CA policy are not supported. Requests are issued immediately.
  • Authentication uses NTLM. Kerberos is not yet supported.

Troubleshooting

The CA rejected the request with CERTSRV_E_UNSUPPORTED_CERT_TYPE. The template is either not published on the CA or the name is wrong. Confirm the template is published (certutil -CATemplates) and that the name matches exactly.
The connection account does not have Enroll permission on the requested template. Grant Enroll to the account on the template’s security settings.
Discovery reads the CA name from the host’s registry over the network, which requires the Remote Registry service to be running and reachable from the Gateway. If it cannot run, set the certificate authority name explicitly on the external CA.
The template used for a code signing signer does not produce a code-signing certificate. Point the signer at a template that carries the Code Signing extended key usage.
Verify the Gateway can reach the AD CS host over DCOM (MS-WCCE) and that the domain account credentials are correct.