Prerequisites
Before setting up a Microsoft ADCS certificate authority, configure a Microsoft ADCS app connection. It covers the AD CS server, the Infisical Gateway (including the network and port requirements), and the domain account used for enrollment. You can use AD CS in a few ways: as an External CA that issues certificates directly, to back a code signing signer, or to sign internal intermediate CAs so you can build an Infisical-managed CA hierarchy backed by your AD CS server. In every case the certificate template is chosen by the issuance flow (profile, signer, or intermediate CA), not by the CA itself.The certificate authority name is discovered automatically from the CA host. Provide it explicitly only when discovery cannot run in your environment.
- External CA
- Code Signing Signers
- Signing Internal Intermediate CAs
Navigate to External Certificate Authorities
In Certificate Manager, go to Certificate Authorities and scroll to the External Certificate Authorities section.
Create a New Microsoft ADCS Certificate Authority
Click Create CA and configure:
- Type: Choose Microsoft ADCS
- Name: Friendly name for this CA (for example,
production-adcs) - Microsoft ADCS Connection: Choose your Microsoft ADCS connection
- Certificate Authority: Optional. Leave blank to discover it automatically from the CA host.
Create a Certificate Profile
Go to Certificate Manager → Certificate Profiles and create a new profile:
- Certificate Authority: Select your ADCS CA
- Certificate Template: Select from the templates published on your CA
- Configure the default certificate attributes (TTL, key algorithm, and so on)
Create an Application and Configure Enrollment
Go to Certificate Manager → Applications and create an Application:
- Attach the profile you created
- Configure an enrollment method (API, ACME, EST, or SCEP)
- Assign the members who need to issue certificates
Certificate Templates
Infisical retrieves the templates published on your CA in real time, so a profile can only reference a template that exists and is reachable. The template lives on the issuance flow (the profile), not on the CA.Before using a template, verify the following in AD CS:- Enroll permission: The domain account you configured in the ADCS connection must have Enroll permission on the template.
- Subject name: The template’s subject name policy must be compatible with the certificates you plan to request (required fields, allowed patterns, and so on).
- Key usage: The template’s key usage and extended key usage must match what you need (for example, Server Authentication for TLS certificates).
Limitations
- Templates that require manual approval or are held by CA policy are not supported. Requests are issued immediately.
- Authentication uses NTLM. Kerberos is not yet supported.
Troubleshooting
The requested certificate template is not supported
The requested certificate template is not supported
The CA rejected the request with
CERTSRV_E_UNSUPPORTED_CERT_TYPE. The template is either not published on the CA or the name is wrong. Confirm the template is published (certutil -CATemplates) and that the name matches exactly.Enroll permission denied
Enroll permission denied
The connection account does not have Enroll permission on the requested template. Grant Enroll to the account on the template’s security settings.
The certificate authority name could not be discovered
The certificate authority name could not be discovered
Signer rejected: missing Code Signing extended key usage
Signer rejected: missing Code Signing extended key usage
The template used for a code signing signer does not produce a code-signing certificate. Point the signer at a template that carries the Code Signing extended key usage.
Gateway connectivity issues
Gateway connectivity issues
Verify the Gateway can reach the AD CS host over DCOM (MS-WCCE) and that the domain account credentials are correct.