ContextQMD
Back to Infisical

Microsoft AD CS

docs/documentation/platform/pki/ca/azure-adcs.mdx

0.160.114.5 KB
Original Source

Issue and manage certificates using Microsoft Active Directory Certificate Services (ADCS) for enterprise-grade certificate management integrated with your existing Windows infrastructure.

Prerequisites

Before setting up ADCS integration, ensure you have:

  • Microsoft Active Directory Certificate Services (ADCS) server running and accessible
  • Domain administrator account with certificate management permissions
  • ADCS web enrollment enabled on your server
  • Network connectivity from Infisical to the ADCS server
  • IP whitelisting: Your ADCS server must allow connections from Infisical's IP addresses
    • For Infisical Cloud instances, see Networking Configuration for the list of IPs to whitelist
    • For self-hosted instances, whitelist your Infisical server's IP address
  • Azure ADCS app connection configured (see Azure ADCS Connection)

Infisical supports two ways to use AD CS: as an External CA for direct certificate issuance, or to sign internal intermediate CAs so you can build an Infisical-managed CA hierarchy backed by your AD CS server. With the intermediate CA approach, Infisical handles CSR submission and signing automatically — no manual steps needed during installation or renewal.

<Tabs> <Tab title="External CA"> This section walks you through the complete end-to-end process of setting up Azure ADCS integration and issuing your first certificate. 
<Steps>
  <Step title="Navigate to External Certificate Authorities">
    In **Certificate Manager**, go to **Settings → Certificate Authorities** and scroll to the **External Certificate Authorities** section.
  </Step>

  <Step title="Create New Azure ADCS Certificate Authority">
    Click **Create CA** and configure:
    - **Type**: Choose **Active Directory Certificate Services (AD CS)**
    - **Name**: Friendly name for this CA (e.g., "Production ADCS CA")
    - **App Connection**: Choose your ADCS connection from the dropdown
  </Step>

  <Step title="Create a Certificate Profile">
    Go to **Certificate Manager → Settings → Certificate Profiles** and create a new profile:
    - **Certificate Authority**: Select your ADCS CA
    - **Certificate Policy**: Select a policy
    - **Certificate Template**: Select from dynamically loaded ADCS templates
    - Configure default certificate attributes (TTL, key algorithm, etc.)
  </Step>

  <Step title="Create an Application and Configure Enrollment">
    Go to **Certificate Manager → Applications** and create an Application:
    - Attach the profile you created
    - Configure an [enrollment method](/documentation/platform/pki/applications/enrollment-methods/overview) (API, ACME, EST, or SCEP)
    - Assign team members who need to issue certificates
  </Step>

  <Step title="Issue a Certificate">
    In your Application, go to the **Certificate Requests** tab and click **Request**:
    - Select the profile linked to your ADCS CA
    - Fill in the certificate details (common name, SANs, TTL)
    - Click **Submit**

    The certificate is submitted to ADCS and issued using your configured template.
  </Step>
</Steps>

## Certificate Templates

Infisical automatically retrieves available certificate templates from your ADCS server, ensuring you can only select templates that are properly configured and accessible. The system dynamically discovers templates during the certificate authority setup and certificate issuance process.

### Common Template Types

ADCS templates you might see include:

- **Web Server**: For SSL/TLS certificates with server authentication
- **Computer**: For machine authentication certificates
- **User**: For client authentication certificates
- **Basic EFS**: For Encrypting File System certificates
- **EFS Recovery Agent**: For EFS data recovery
- **Administrator**: For administrative certificates
- **Subordinate Certification Authority**: For issuing CA certificates

### Template Requirements

Ensure your ADCS templates are configured with:

- **Enroll permissions** for your connection account
- **Auto-enroll permissions** if using automated workflows
- **Subject name requirements** matching your certificate requests
- **Key usage extensions** appropriate for your use case

<Info>
  **Dynamic Template Discovery**: Infisical queries your ADCS server in
  real-time to populate available templates. Only templates you have permission
  to use will be displayed during certificate issuance.
</Info>

## Certificate Issuance Limitations

### Immediate Issuance Only

<Warning>
  **Manual Approval Not Supported**: Infisical currently supports only
  **immediate certificate issuance**. Certificates that require manual approval
  or are held by ADCS policies cannot be issued through Infisical yet.
</Warning>

For successful certificate issuance, ensure your ADCS templates and policies are configured to:

- **Auto-approve** certificate requests without manual intervention
- **Not require** administrator approval for the templates you plan to use
- **Allow** the connection account to request and receive certificates immediately

### What Happens with Manual Approval

If a certificate request requires manual approval:

1. The request will be submitted to ADCS successfully
2. Infisical will attempt to retrieve the certificate with exponential backoff (up to 5 retries over ~1 minute)
3. If the certificate is not approved within this timeframe, the request will **fail**
4. **No background polling**: Currently, Infisical does not check for certificates that might be approved hours or days later

<Info>
  **Future Enhancement**: Background polling for delayed certificate approvals
  is planned for future releases.
</Info>

### Certificate Revocation

<Warning>
  Certificate revocation is **not supported** by the Azure ADCS connector due to
  security and complexity considerations.
</Warning>

## Advanced Configuration

### Custom Validity Periods

Enable custom certificate validity periods on your ADCS server:

```cmd
# Run on ADCS server as Administrator
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE
net stop certsvc
net start certsvc
```

This allows Infisical to control certificate expiration dates directly.
</Tab> <Tab title="Signing Internal Intermediate CAs"> In addition to using AD CS as an external CA for direct certificate issuance, you can use AD CS to **sign internal intermediate CAs** in Infisical. This lets you create an Infisical-managed CA hierarchy where the intermediate CA's certificate is issued by your AD CS server, with support for auto-renewal. 
## How It Works

1. Infisical generates a CSR for the intermediate CA.
2. The CSR is submitted to AD CS via Web Enrollment using the configured certificate template.
3. AD CS signs the certificate.
4. Infisical fetches the issuing CA's certificate to build the chain.
5. The signed certificate and chain are imported into the intermediate CA.

<Warning>
  The certificate template must be configured to allow "Supply in the request" for subject information,
  so that the CSR's subject fields are honored.
</Warning>

## Installing an Intermediate CA Certificate via AD CS

<Tabs>
  <Tab title="Infisical UI">
    <Steps>
      <Step title="Create an Intermediate CA">
        Go to **Certificate Authorities** > **Internal Certificate Authorities** and press **Create CA**.
        Set the type to **Intermediate** and fill out the CA details.
      </Step>
      <Step title="Open the Install Certificate Modal">
        Press **Install CA Certificate** on the intermediate CA. Select **External CA (Automated)** and press **Choose Integration**.
      </Step>
      <Step title="Select Azure AD CS">
        Choose **Azure AD CS** as the integration provider.
      </Step>
      <Step title="Configure Signing Details">
        Configure the following:
        - **Azure AD CS Connection**: Select your AD CS Connection.
        - **Certificate Template**: The AD CS template name (e.g., `SubCA`).
        - **Validity Period**: Optional TTL (e.g., `365`). Requires `EDITF_ATTRIBUTEENDDATE` on the AD CS server.
        - **Path Length**: Max intermediate CAs below this one (`-1` for no limit, `0` to prevent chaining).
      </Step>
      <Step title="Install">
        Press **Install**. The request is queued and processed asynchronously.
      </Step>
    </Steps>
  </Tab>
  <Tab title="API">
    <Steps>
      <Step title="Create a Signing Configuration">
        ```bash Request
        curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/signing-config' \
          --header 'Authorization: Bearer <access-token>' \
          --header 'Content-Type: application/json' \
          --data-raw '{
              "type": "azure-ad-cs",
              "appConnectionId": "<adcs-connection-id>",
              "destinationConfig": {
                  "template": "SubCA",
                  "validityPeriod": 365
              }
          }'
        ```
      </Step>
      <Step title="Install the Certificate">
        ```bash Request
        curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/install-certificate-adcs' \
          --header 'Authorization: Bearer <access-token>' \
          --header 'Content-Type: application/json' \
          --data-raw '{
              "maxPathLength": -1
          }'
        ```

        Returns HTTP 202. Poll the CA details endpoint to check when the certificate has been installed.
      </Step>
    </Steps>
  </Tab>
</Tabs>

## Auto-Renewal

Infisical supports automatic renewal of intermediate CA certificates signed by AD CS. When enabled, Infisical will automatically submit a new CSR to AD CS and import the renewed certificate before the current one expires.

<Tabs>
  <Tab title="Infisical UI">
    Navigate to the CA details page of your AD CS-signed intermediate CA. Click the **edit** (pencil) icon in the Details section to open the renewal settings.

    Toggle **Auto-Renewal** on and set the **Days Before Expiry** to configure when the renewal should be triggered.
  </Tab>
  <Tab title="API">
    ### Enable Auto-Renewal

    ```bash Request
    curl --location --request PATCH 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/auto-renewal' \
      --header 'Authorization: Bearer <access-token>' \
      --header 'Content-Type: application/json' \
      --data-raw '{
          "autoRenewalEnabled": true,
          "autoRenewalDaysBeforeExpiry": 7
      }'
    ```

    ### Sample response

    ```json Response
    {
      "autoRenewalEnabled": true,
      "autoRenewalDaysBeforeExpiry": 7,
      "lastRenewalStatus": null,
      "lastRenewalMessage": null,
      "lastRenewalAt": null
    }
    ```

    <Note>
      - `autoRenewalDaysBeforeExpiry` must be less than the certificate's TTL and at most 30 days
      - Auto-renewal is only available for CAs with an external signing configuration (e.g., AD CS)
      - The renewal status can be checked via the GET auto-renewal endpoint
    </Note>
  </Tab>
</Tabs>

## Manual Renewal

You can also manually trigger a renewal for an AD CS-signed intermediate CA at any time. Each renewal submits a fresh CSR (AD CS has no renewal API).

<Tabs>
  <Tab title="Infisical UI">
    Navigate to the CA details page and press the **Renew CA** button.

    The renewal modal will confirm that this CA is configured to use Azure AD CS for signing. Press **Renew via AD CS** to submit a new CSR to AD CS and install the renewed certificate.
  </Tab>
  <Tab title="API">
    To manually renew an AD CS-signed CA, re-trigger the install flow via the API.

    ```bash Request
    curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/install-certificate-adcs' \
      --header 'Authorization: Bearer <access-token>' \
      --header 'Content-Type: application/json' \
      --data-raw '{
          "maxPathLength": -1
      }'
    ```

    This re-triggers the install flow — Infisical will submit a fresh CSR to AD CS and import the renewed certificate.
  </Tab>
</Tabs>
</Tab> </Tabs>

Troubleshooting

<AccordionGroup> <Accordion title="Certificate Request Denied"> - Verify ADCS template permissions for your connection account - Check template subject name requirements - Ensure template allows the requested key algorithm and size </Accordion> <Accordion title="Template Not Found"> - Verify the template exists on your ADCS server and is published - Check that your connection account has enrollment permissions - Templates are dynamically loaded — refresh the form if they don't appear </Accordion> <Accordion title="Certificate Request Pending/Timeout"> Infisical only supports **immediate issuance**. If your request times out: - Check if your ADCS template requires manual approval - Verify the template is configured for auto-approval - Review ADCS server policies that might be holding requests </Accordion> <Accordion title="Network Connectivity Issues"> - Verify your ADCS server's firewall allows connections from Infisical - **Infisical Cloud**: Whitelist Infisical's IPs (see [Networking Configuration](/documentation/setup/networking)) - **Self-hosted**: Whitelist your Infisical server's IP on the ADCS server - Test HTTPS connectivity to the ADCS web enrollment endpoint </Accordion> <Accordion title="Authentication Failures"> - Verify ADCS connection credentials - Check domain account permissions - Ensure network connectivity to the ADCS server </Accordion> <Accordion title="SSL/TLS Certificate Errors"> Common errors: `UNABLE_TO_VERIFY_LEAF_SIGNATURE`, `SELF_SIGNED_CERT_IN_CHAIN`, `CERT_HAS_EXPIRED` 
For ADCS servers with self-signed or private certificates, disable **Reject Unauthorized** in the SSL tab of your Azure ADCS app connection, or provide the CA certificate in PEM format.
</Accordion> </AccordionGroup>