Microsoft AD CS - Infisical

Issue and manage certificates using Microsoft Active Directory Certificate Services (ADCS) for enterprise-grade certificate management integrated with your existing Windows infrastructure.

Prerequisites

Before setting up ADCS integration, ensure you have:

Microsoft Active Directory Certificate Services (ADCS) server running and accessible
Domain administrator account with certificate management permissions
ADCS web enrollment enabled on your server
Network connectivity from Infisical to the ADCS server
IP whitelisting: Your ADCS server must allow connections from Infisical’s IP addresses
- For Infisical Cloud instances, see Networking Configuration for the list of IPs to whitelist
- For self-hosted instances, whitelist your Infisical server’s IP address
Azure ADCS app connection configured (see Azure ADCS Connection)

Infisical supports two ways to use AD CS: as an External CA for direct certificate issuance, or to sign internal intermediate CAs so you can build an Infisical-managed CA hierarchy backed by your AD CS server. With the intermediate CA approach, Infisical handles CSR submission and signing automatically — no manual steps needed during installation or renewal.

External CA
Signing Internal Intermediate CAs

This section walks you through the complete end-to-end process of setting up Azure ADCS integration and issuing your first certificate.

Navigate to External Certificate Authorities

In Certificate Manager, go to Settings → Certificate Authorities and scroll to the External Certificate Authorities section.

Create New Azure ADCS Certificate Authority

Click Create CA and configure:

Type: Choose Active Directory Certificate Services (AD CS)
Name: Friendly name for this CA (e.g., “Production ADCS CA”)
App Connection: Choose your ADCS connection from the dropdown

Create a Certificate Profile

Go to Certificate Manager → Settings → Certificate Profiles and create a new profile:

Certificate Authority: Select your ADCS CA
Certificate Policy: Select a policy
Certificate Template: Select from dynamically loaded ADCS templates
Configure default certificate attributes (TTL, key algorithm, etc.)

Create an Application and Configure Enrollment

Go to Certificate Manager → Applications and create an Application:

Attach the profile you created
Configure an enrollment method (API, ACME, EST, or SCEP)
Assign team members who need to issue certificates

Issue a Certificate

In your Application, go to the Certificate Requests tab and click Request:

Select the profile linked to your ADCS CA
Fill in the certificate details (common name, SANs, TTL)
Click Submit

The certificate is submitted to ADCS and issued using your configured template.

Certificate Templates

Infisical automatically retrieves available certificate templates from your ADCS server, ensuring you can only select templates that are properly configured and accessible. The system dynamically discovers templates during the certificate authority setup and certificate issuance process.

Common Template Types

ADCS templates you might see include:

Web Server: For SSL/TLS certificates with server authentication
Computer: For machine authentication certificates
User: For client authentication certificates
Basic EFS: For Encrypting File System certificates
EFS Recovery Agent: For EFS data recovery
Administrator: For administrative certificates
Subordinate Certification Authority: For issuing CA certificates

Template Requirements

Ensure your ADCS templates are configured with:

Enroll permissions for your connection account
Auto-enroll permissions if using automated workflows
Subject name requirements matching your certificate requests
Key usage extensions appropriate for your use case

Dynamic Template Discovery: Infisical queries your ADCS server in real-time to populate available templates. Only templates you have permission to use will be displayed during certificate issuance.

Certificate Issuance Limitations

Immediate Issuance Only

Manual Approval Not Supported: Infisical currently supports only immediate certificate issuance. Certificates that require manual approval or are held by ADCS policies cannot be issued through Infisical yet.

For successful certificate issuance, ensure your ADCS templates and policies are configured to:

Auto-approve certificate requests without manual intervention
Not require administrator approval for the templates you plan to use
Allow the connection account to request and receive certificates immediately

What Happens with Manual Approval

If a certificate request requires manual approval:

The request will be submitted to ADCS successfully
Infisical will attempt to retrieve the certificate with exponential backoff (up to 5 retries over ~1 minute)
If the certificate is not approved within this timeframe, the request will fail
No background polling: Currently, Infisical does not check for certificates that might be approved hours or days later

Future Enhancement: Background polling for delayed certificate approvals is planned for future releases.

Certificate Revocation

Certificate revocation is not supported by the Azure ADCS connector due to security and complexity considerations.

Advanced Configuration

Custom Validity Periods

Enable custom certificate validity periods on your ADCS server:

# Run on ADCS server as Administrator
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE
net stop certsvc
net start certsvc

This allows Infisical to control certificate expiration dates directly.

In addition to using AD CS as an external CA for direct certificate issuance, you can use AD CS to sign internal intermediate CAs in Infisical. This lets you create an Infisical-managed CA hierarchy where the intermediate CA’s certificate is issued by your AD CS server, with support for auto-renewal.

How It Works

Infisical generates a CSR for the intermediate CA.
The CSR is submitted to AD CS via Web Enrollment using the configured certificate template.
AD CS signs the certificate.
Infisical fetches the issuing CA’s certificate to build the chain.
The signed certificate and chain are imported into the intermediate CA.

The certificate template must be configured to allow “Supply in the request” for subject information, so that the CSR’s subject fields are honored.

Installing an Intermediate CA Certificate via AD CS

Infisical UI
API

Create an Intermediate CA

Go to Certificate Authorities > Internal Certificate Authorities and press Create CA. Set the type to Intermediate and fill out the CA details.

Open the Install Certificate Modal

Press Install CA Certificate on the intermediate CA. Select External CA (Automated) and press Choose Integration.

Select Azure AD CS

Choose Azure AD CS as the integration provider.

Configure Signing Details

Configure the following:

Azure AD CS Connection: Select your AD CS Connection.
Certificate Template: The AD CS template name (e.g., SubCA).
Validity Period: Optional TTL (e.g., 365). Requires EDITF_ATTRIBUTEENDDATE on the AD CS server.
Path Length: Max intermediate CAs below this one (-1 for no limit, 0 to prevent chaining).

Install

Press Install. The request is queued and processed asynchronously.

Create a Signing Configuration

Request

curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/signing-config' \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "type": "azure-ad-cs",
      "appConnectionId": "<adcs-connection-id>",
      "destinationConfig": {
          "template": "SubCA",
          "validityPeriod": 365
      }
  }'

Install the Certificate

Request

curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/install-certificate-adcs' \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "maxPathLength": -1
  }'

Returns HTTP 202. Poll the CA details endpoint to check when the certificate has been installed.

Auto-Renewal

Infisical supports automatic renewal of intermediate CA certificates signed by AD CS. When enabled, Infisical will automatically submit a new CSR to AD CS and import the renewed certificate before the current one expires.

Infisical UI
API

Navigate to the CA details page of your AD CS-signed intermediate CA. Click the edit (pencil) icon in the Details section to open the renewal settings.Toggle Auto-Renewal on and set the Days Before Expiry to configure when the renewal should be triggered.

Enable Auto-Renewal

Request

curl --location --request PATCH 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/auto-renewal' \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "autoRenewalEnabled": true,
      "autoRenewalDaysBeforeExpiry": 7
  }'

Sample response

Response

{
  "autoRenewalEnabled": true,
  "autoRenewalDaysBeforeExpiry": 7,
  "lastRenewalStatus": null,
  "lastRenewalMessage": null,
  "lastRenewalAt": null
}

autoRenewalDaysBeforeExpiry must be less than the certificate’s TTL and at most 30 days
Auto-renewal is only available for CAs with an external signing configuration (e.g., AD CS)
The renewal status can be checked via the GET auto-renewal endpoint

Manual Renewal

You can also manually trigger a renewal for an AD CS-signed intermediate CA at any time. Each renewal submits a fresh CSR (AD CS has no renewal API).

Infisical UI
API

Navigate to the CA details page and press the Renew CA button.The renewal modal will confirm that this CA is configured to use Azure AD CS for signing. Press Renew via AD CS to submit a new CSR to AD CS and install the renewed certificate.

To manually renew an AD CS-signed CA, re-trigger the install flow via the API.

Request

curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/install-certificate-adcs' \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "maxPathLength": -1
  }'

This re-triggers the install flow — Infisical will submit a fresh CSR to AD CS and import the renewed certificate.

Troubleshooting

Certificate Request Denied

Verify ADCS template permissions for your connection account
Check template subject name requirements
Ensure template allows the requested key algorithm and size

Template Not Found

Verify the template exists on your ADCS server and is published
Check that your connection account has enrollment permissions
Templates are dynamically loaded — refresh the form if they don’t appear

Certificate Request Pending/Timeout

Infisical only supports immediate issuance. If your request times out:

Check if your ADCS template requires manual approval
Verify the template is configured for auto-approval
Review ADCS server policies that might be holding requests

Network Connectivity Issues

Verify your ADCS server’s firewall allows connections from Infisical
Infisical Cloud: Whitelist Infisical’s IPs (see Networking Configuration)
Self-hosted: Whitelist your Infisical server’s IP on the ADCS server
Test HTTPS connectivity to the ADCS web enrollment endpoint

Authentication Failures

Verify ADCS connection credentials
Check domain account permissions
Ensure network connectivity to the ADCS server

SSL/TLS Certificate Errors

Common errors: UNABLE_TO_VERIFY_LEAF_SIGNATURE, SELF_SIGNED_CERT_IN_CHAIN, CERT_HAS_EXPIREDFor ADCS servers with self-signed or private certificates, disable Reject Unauthorized in the SSL tab of your Azure ADCS app connection, or provide the CA certificate in PEM format.

​Prerequisites

​Certificate Templates

​Common Template Types

​Template Requirements

​Certificate Issuance Limitations

​Immediate Issuance Only

​What Happens with Manual Approval

​Certificate Revocation

​Advanced Configuration

​Custom Validity Periods

​How It Works

​Installing an Intermediate CA Certificate via AD CS

​Auto-Renewal

​Enable Auto-Renewal

​Sample response

​Manual Renewal

​Troubleshooting

Prerequisites

Certificate Templates

Common Template Types

Template Requirements

Certificate Issuance Limitations

Immediate Issuance Only

What Happens with Manual Approval

Certificate Revocation

Advanced Configuration

Custom Validity Periods

How It Works

Installing an Intermediate CA Certificate via AD CS

Auto-Renewal

Enable Auto-Renewal

Sample response

Manual Renewal

Troubleshooting