ContextQMD
Back to Infisical

Microsoft AD CS

docs/documentation/platform/pki/ca/azure-adcs.mdx

0.159.2616.8 KB
Original Source

Issue and manage certificates using Microsoft Active Directory Certificate Services (ADCS) for enterprise-grade certificate management integrated with your existing Windows infrastructure.

Prerequisites

Before setting up ADCS integration, ensure you have:

  • Microsoft Active Directory Certificate Services (ADCS) server running and accessible
  • Domain administrator account with certificate management permissions
  • ADCS web enrollment enabled on your server
  • Network connectivity from Infisical to the ADCS server
  • IP whitelisting: Your ADCS server must allow connections from Infisical's IP addresses
    • For Infisical Cloud instances, see Networking Configuration for the list of IPs to whitelist
    • For self-hosted instances, whitelist your Infisical server's IP address
  • Azure ADCS app connection configured (see Azure ADCS Connection)

Infisical supports two ways to use AD CS: as an External CA for direct certificate issuance, or to sign internal intermediate CAs so you can build an Infisical-managed CA hierarchy backed by your AD CS server. With the intermediate CA approach, Infisical handles CSR submission and signing automatically — no manual steps needed during installation or renewal.

<Tabs> <Tab title="External CA"> This section walks you through the complete end-to-end process of setting up Azure ADCS integration and issuing your first certificate. 
<Steps>
  <Step title="Navigate to External Certificate Authorities">
    In your Infisical project, go to your **Certificate Project** →
    **Certificate Authority** to access the external CAs page. ![External CA
    Page](/images/platform/pki/azure-adcs/azure-adcs-external-ca-page.png)
  </Step>

  <Step title="Create New Azure ADCS Certificate Service CA">
    Click **Create CA** and configure: - **Type**: Choose **Active Directory
    Certificate Services (AD CS)** - **Name**: Friendly name for this CA (e.g.,
    "Production ADCS CA") - **App Connection**: Choose your ADCS connection from
    the dropdown ![External CA
    Form](/images/platform/pki/azure-adcs/azure-adcs-external-ca-form.png)
  </Step>

  <Step title="Certificate Authority Created">
    Once created, your Azure ADCS Certificate Authority will appear in the list
    and be ready for use. ![External CA
    Created](/images/platform/pki/azure-adcs/azure-adcs-external-ca-created.png)
  </Step>

  <Step title="Navigate to Subscribers">
    Go to **Subscribers** to access the subscribers page. ![Subscribers
    Page](/images/platform/pki/azure-adcs/azure-adcs-subscribers-page.png)
  </Step>

  <Step title="Create New Subscriber">
    Click **Add Subscriber** and configure: - **Name**: Unique subscriber name
    (e.g., "web-server-certs") - **Certificate Authority**: Select your ADCS CA -
    **Common Name**: Certificate CN (e.g., "api.example.com") - **Certificate
    Template**: Select from dynamically loaded ADCS templates - **Subject
    Alternative Names**: DNS names, IP addresses, or email addresses - **TTL**:
    Certificate validity period (e.g., "1y" for 1 year) - **Additional Subject
    Fields**: Organization, OU, locality, state, country, email (if required by
    template) ![Subscribers
    Form](/images/platform/pki/azure-adcs/azure-adcs-subscribers-form.png)
  </Step>

  <Step title="Subscriber Created">
    Your subscriber is now created and ready to issue certificates. ![Subscriber
    Created](/images/platform/pki/azure-adcs/azure-adcs-subscribers-created.png)
  </Step>

  <Step title="Issue New Certificate">
    Click into your subscriber and click **Order Certificate** to generate a new
    certificate using your ADCS template. ![Issue New
    Certificate](/images/platform/pki/azure-adcs/azure-adcs-subscriber-issue-new-certificate.png)
  </Step>

  <Step title="Certificate Created">
    Your certificate has been successfully issued by the ADCS server and is ready
    for use. ![Certificate
    Created](/images/platform/pki/azure-adcs/azure-adcs-certificate-created.png)
  </Step>

  <Step title="View Certificate Details">
    Navigate to **Certificates** to view detailed information about all issued
    certificates, including expiration dates, serial numbers, and certificate
    chains. ![Certificates
    Page](/images/platform/pki/azure-adcs/azure-adcs-certificates-page.png)
  </Step>
</Steps>

## Certificate Templates

Infisical automatically retrieves available certificate templates from your ADCS server, ensuring you can only select templates that are properly configured and accessible. The system dynamically discovers templates during the certificate authority setup and certificate issuance process.

### Common Template Types

ADCS templates you might see include:

- **Web Server**: For SSL/TLS certificates with server authentication
- **Computer**: For machine authentication certificates
- **User**: For client authentication certificates
- **Basic EFS**: For Encrypting File System certificates
- **EFS Recovery Agent**: For EFS data recovery
- **Administrator**: For administrative certificates
- **Subordinate Certification Authority**: For issuing CA certificates

### Template Requirements

Ensure your ADCS templates are configured with:

- **Enroll permissions** for your connection account
- **Auto-enroll permissions** if using automated workflows
- **Subject name requirements** matching your certificate requests
- **Key usage extensions** appropriate for your use case

<Info>
  **Dynamic Template Discovery**: Infisical queries your ADCS server in
  real-time to populate available templates. Only templates you have permission
  to use will be displayed during certificate issuance.
</Info>

## Certificate Issuance Limitations

### Immediate Issuance Only

<Warning>
  **Manual Approval Not Supported**: Infisical currently supports only
  **immediate certificate issuance**. Certificates that require manual approval
  or are held by ADCS policies cannot be issued through Infisical yet.
</Warning>

For successful certificate issuance, ensure your ADCS templates and policies are configured to:

- **Auto-approve** certificate requests without manual intervention
- **Not require** administrator approval for the templates you plan to use
- **Allow** the connection account to request and receive certificates immediately

### What Happens with Manual Approval

If a certificate request requires manual approval:

1. The request will be submitted to ADCS successfully
2. Infisical will attempt to retrieve the certificate with exponential backoff (up to 5 retries over ~1 minute)
3. If the certificate is not approved within this timeframe, the request will **fail**
4. **No background polling**: Currently, Infisical does not check for certificates that might be approved hours or days later

<Info>
  **Future Enhancement**: Background polling for delayed certificate approvals
  is planned for future releases.
</Info>

### Certificate Revocation

<Warning>
  Certificate revocation is **not supported** by the Azure ADCS connector due to
  security and complexity considerations.
</Warning>

## Advanced Configuration

### Custom Validity Periods

Enable custom certificate validity periods on your ADCS server:

```cmd
# Run on ADCS server as Administrator
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE
net stop certsvc
net start certsvc
```

This allows Infisical to control certificate expiration dates directly.
</Tab> <Tab title="Signing Internal Intermediate CAs"> In addition to using AD CS as an external CA for direct certificate issuance, you can use AD CS to **sign internal intermediate CAs** in Infisical. This lets you create an Infisical-managed CA hierarchy where the intermediate CA's certificate is issued by your AD CS server, with support for auto-renewal. 
## How It Works

1. Infisical generates a CSR for the intermediate CA.
2. The CSR is submitted to AD CS via Web Enrollment using the configured certificate template.
3. AD CS signs the certificate.
4. Infisical fetches the issuing CA's certificate to build the chain.
5. The signed certificate and chain are imported into the intermediate CA.

<Warning>
  The certificate template must be configured to allow "Supply in the request" for subject information,
  so that the CSR's subject fields are honored.
</Warning>

## Installing an Intermediate CA Certificate via AD CS

<Tabs>
  <Tab title="Infisical UI">
    <Steps>
      <Step title="Create an Intermediate CA">
        Go to **Certificate Authorities** > **Internal Certificate Authorities** and press **Create CA**.
        Set the type to **Intermediate** and fill out the CA details.
      </Step>
      <Step title="Open the Install Certificate Modal">
        Press **Install CA Certificate** on the intermediate CA. Select **External CA (Automated)** and press **Choose Integration**.
        ![pki install select method](/images/platform/pki/ca/ca-install-adcs-select-method.png)
      </Step>
      <Step title="Select Azure AD CS">
        Choose **Azure AD CS** as the integration provider.
        ![pki install external select](/images/platform/pki/ca/ca-install-adcs-external-select.png)
      </Step>
      <Step title="Configure Signing Details">
        ![pki install adcs form](/images/platform/pki/ca/ca-install-adcs.png)
        - **Azure AD CS Connection**: Select your AD CS Connection.
        - **Certificate Template**: The AD CS template name (e.g., `SubCA`).
        - **Validity Period**: Optional TTL (e.g., `365`). Requires `EDITF_ATTRIBUTEENDDATE` on the AD CS server.
        - **Path Length**: Max intermediate CAs below this one (`-1` for no limit, `0` to prevent chaining).
      </Step>
      <Step title="Install">
        Press **Install**. The request is queued and processed asynchronously.
      </Step>
    </Steps>
  </Tab>
  <Tab title="API">
    <Steps>
      <Step title="Create a Signing Configuration">
        ```bash Request
        curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/signing-config' \
          --header 'Authorization: Bearer <access-token>' \
          --header 'Content-Type: application/json' \
          --data-raw '{
              "type": "azure-ad-cs",
              "appConnectionId": "<adcs-connection-id>",
              "destinationConfig": {
                  "template": "SubCA",
                  "validityPeriod": 365
              }
          }'
        ```
      </Step>
      <Step title="Install the Certificate">
        ```bash Request
        curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/install-certificate-adcs' \
          --header 'Authorization: Bearer <access-token>' \
          --header 'Content-Type: application/json' \
          --data-raw '{
              "maxPathLength": -1
          }'
        ```

        Returns HTTP 202. Poll the CA details endpoint to check when the certificate has been installed.
      </Step>
    </Steps>
  </Tab>
</Tabs>

## Auto-Renewal

Infisical supports automatic renewal of intermediate CA certificates signed by AD CS. When enabled, Infisical will automatically submit a new CSR to AD CS and import the renewed certificate before the current one expires.

<Tabs>
  <Tab title="Infisical UI">
    Navigate to the CA details page of your AD CS-signed intermediate CA. Click the **edit** (pencil) icon in the Details section to open the renewal settings.

    ![pki adcs auto-renewal page](/images/platform/pki/ca/ca-adcs-auto-renewal-page.png)

    Toggle **Auto-Renewal** on and set the **Days Before Expiry** to configure when the renewal should be triggered.

    ![pki adcs auto-renewal modal](/images/platform/pki/ca/ca-adcs-auto-renewal-modal.png)
  </Tab>
  <Tab title="API">
    ### Enable Auto-Renewal

    ```bash Request
    curl --location --request PATCH 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/auto-renewal' \
      --header 'Authorization: Bearer <access-token>' \
      --header 'Content-Type: application/json' \
      --data-raw '{
          "autoRenewalEnabled": true,
          "autoRenewalDaysBeforeExpiry": 7
      }'
    ```

    ### Sample response

    ```json Response
    {
      "autoRenewalEnabled": true,
      "autoRenewalDaysBeforeExpiry": 7,
      "lastRenewalStatus": null,
      "lastRenewalMessage": null,
      "lastRenewalAt": null
    }
    ```

    <Note>
      - `autoRenewalDaysBeforeExpiry` must be less than the certificate's TTL and at most 30 days
      - Auto-renewal is only available for CAs with an external signing configuration (e.g., AD CS)
      - The renewal status can be checked via the GET auto-renewal endpoint
    </Note>
  </Tab>
</Tabs>

## Manual Renewal

You can also manually trigger a renewal for an AD CS-signed intermediate CA at any time. Each renewal submits a fresh CSR (AD CS has no renewal API).

<Tabs>
  <Tab title="Infisical UI">
    Navigate to the CA details page and press the **Renew CA** button.

    ![pki adcs renew page](/images/platform/pki/ca/ca-adcs-renew-page.png)

    The renewal modal will confirm that this CA is configured to use Azure AD CS for signing. Press **Renew via AD CS** to submit a new CSR to AD CS and install the renewed certificate.

    ![pki adcs renew modal](/images/platform/pki/ca/ca-adcs-renew-modal.png)
  </Tab>
  <Tab title="API">
    To manually renew an AD CS-signed CA, re-trigger the install flow via the API.

    ```bash Request
    curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/install-certificate-adcs' \
      --header 'Authorization: Bearer <access-token>' \
      --header 'Content-Type: application/json' \
      --data-raw '{
          "maxPathLength": -1
      }'
    ```

    This re-triggers the install flow — Infisical will submit a fresh CSR to AD CS and import the renewed certificate.
  </Tab>
</Tabs>
</Tab> </Tabs>

Troubleshooting

Common Issues

Certificate Request Denied

  • Verify ADCS template permissions for your connection account
  • Check template subject name requirements
  • Ensure template allows the requested key algorithm and size

Revocation Service Unavailable

  • Verify IIS is running and the revocation endpoint is accessible
  • Check IIS application pool permissions
  • Test endpoint connectivity from Infisical

Template Not Found

  • Verify template exists on ADCS server and is published
  • Check that your connection account has enrollment permissions for the template
  • Ensure the template is properly configured and available in the ADCS web enrollment interface
  • Templates are dynamically loaded - refresh the PKI Subscriber form if templates don't appear

Certificate Request Pending/Timeout

  • Check if your ADCS template requires manual approval - Infisical only supports immediate issuance
  • Verify the certificate template is configured for auto-approval
  • Ensure your connection account has sufficient permissions to request certificates without approval
  • Review ADCS server policies that might be holding the certificate request

Network Connectivity Issues

  • Verify your ADCS server's firewall allows connections from Infisical
  • For Infisical Cloud: Ensure Infisical's IP addresses are whitelisted (see Networking Configuration)
  • For self-hosted: Whitelist your Infisical server's IP address on the ADCS server
  • Test HTTPS connectivity to the ADCS web enrollment endpoint
  • Check for any network security appliances blocking the connection

Authentication Failures

  • Verify ADCS connection credentials
  • Check domain account permissions
  • Ensure network connectivity to ADCS server

SSL/TLS Certificate Errors

  • For ADCS servers with self-signed or private certificates: disable "Reject Unauthorized" in the SSL tab of your Azure ADCS app connection, or provide the certificate in PEM format
  • Common SSL errors: UNABLE_TO_VERIFY_LEAF_SIGNATURE, SELF_SIGNED_CERT_IN_CHAIN, CERT_HAS_EXPIRED
  • The SSL configuration applies to all HTTPS communications between Infisical and your ADCS server
  • Only HTTPS URLs are supported - HTTP connections are not allowed for security reasons