# Microsoft CA Integration

Microsoft CA Integration enables CERTInext to connect with Microsoft Active Directory Certificate Services (AD CS) for automated certificate issuance, renewal, and revocation. By configuring an AD CS connector, organizations can leverage their existing Microsoft PKI infrastructure while centralizing lifecycle management, automation, and reporting within CERTInext.

This integration allows CERTInext to securely communicate with AD CS Web Enrollment services and orchestrate certificate workflows across servers, applications, and user environments.

***

#### Navigation

**Integrations → CA Connectors → AD CS → +Create**

Once created, the connector appears under the AD CS listing page and becomes available for selection during certificate provisioning and bot configuration.

#### Purpose

Integrating Microsoft CA enables:

* Automated issuance and renewal using AD CS templates
* Centralized lifecycle visibility within CERTInext
* Policy-driven certificate management
* Integration with provisioning bots for deployment
* Consolidated audit and reporting

CERTInext acts as an orchestration layer while AD CS remains the issuing authority.

#### Prerequisites

Before configuring the connector, ensure:

* AD CS Web Enrollment (certsrv) is enabled
* The CA server is reachable from the bot or CERTInext environment
* Required certificate templates are published in AD CS
* A service account with enrollment permissions is available (for Enterprise CA)
* Network connectivity over HTTPS is allowed

#### Configuring the AD CS Connector

To create a new connector:

1. Navigate to **Integrations → CA Connectors → AD CS**
2. Click **+Create**
3. Provide the required configuration details

#### Required Fields

**Name**\
Logical name for identifying the connector (for example: `Corp-ADCS-Primary`).

**Base URL**\
Web service endpoint for AD CS Web Enrollment.\
Example:\
`https://pki.example.com/certsrv`

**CA Setup Type**\
Choose the appropriate deployment type:

* **Standalone CA**\
  Used when AD CS operates independently without Active Directory integration.
* **Enterprise CA**\
  Used when AD CS is integrated with Active Directory and supports template-based enrollment.

When **Enterprise CA** is selected, additional authentication fields are required:

* **Username** – Service account with enrollment rights
* **Password** – Corresponding credentials

Click **Create** to save the connector.

#### How It Works

When a certificate request is initiated in CERTInext:

1. CSR is generated or reused
2. Request is sent to AD CS via the configured Web Enrollment endpoint
3. AD CS validates policy and template rules
4. Certificate is issued and returned
5. Provisioning bot deploys the certificate to the target system

All issuance and renewal activities are logged within CERTInext for audit and traceability.

#### Operational Notes

* Only published AD CS templates are available during certificate ordering.
* If the Web Enrollment endpoint is unreachable, requests remain queued.
* Authentication failures typically indicate wrong service account credentials or a service account that lacks Enroll permission on the requested template.
* Enterprise CA mode requires proper template security configuration in AD CS.

#### Security Best Practices

* Use a dedicated least-privileged service account that holds Enroll permission only on the templates CERTInext needs.
* Restrict access to the Web Enrollment endpoint with firewall rules so that only the CERTInext environment and its bots can reach it.
* Enforce HTTPS for Web Enrollment endpoints; the connector presents the service account credentials on every request, so a plain-HTTP Base URL would expose them.
* Enable auditing within AD CS and CERTInext so that every issuance, renewal, and revocation can be traced.

#### Troubleshooting

* Verify Web Enrollment access in a browser:\
  `https://<ca-server>/certsrv`
* Confirm template permissions allow the configured service account to enroll.
* Check connector status on the AD CS listing page.
* Review bot and connector logs if certificate issuance fails.
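As an added example (not CERTInext code), the following PowerShell script runs the prerequisite and troubleshooting checks above before a connector is created: HTTPS on the Base URL, reachability of the CA host, a Web Enrollment login with the service account, and whether the template is published. The CA config string, host name and template name are assumed placeholders.

```powershell
# Added example, not part of CERTInext. Pre-flight checks for an AD CS Web Enrollment connector.
# Assumed placeholders: Base URL, CA config string (host\CA name) and template name.
param(
    [string]$BaseUrl  = "https://pki.example.com/certsrv",    # connector Base URL
    [string]$CaConfig = "pki.example.com\Corp-Issuing-CA",    # host\CA name (assumed)
    [string]$Template = "WebServer",                          # template CERTInext will order
    [pscredential]$Credential = (Get-Credential -Message "Enrollment service account")
)

$uri     = [uri]$BaseUrl
$results = [ordered]@{}

# 1. HTTPS only: the connector presents the service account credentials on every request.
$results['Base URL uses HTTPS'] = ($uri.Scheme -eq 'https')

# 2. Network reachability of the CA host over 443 (prerequisite: HTTPS connectivity allowed).
$results['TCP 443 reachable'] = Test-NetConnection -ComputerName $uri.Host -Port 443 -InformationLevel Quiet

# 3. Web Enrollment answers and accepts the service account (same as the browser test).
try {
    $resp = Invoke-WebRequest -Uri $BaseUrl -Credential $Credential -UseBasicParsing -ErrorAction Stop
    $results['certsrv responds (HTTP 200)'] = ($resp.StatusCode -eq 200)
} catch {
    $results['certsrv responds (HTTP 200)'] = $false
    Write-Warning "Web Enrollment request failed: $($_.Exception.Message)"
}

# 4. Template is published on the CA (only published templates can be ordered).
#    certutil -CATemplates prints one line per template as "<Name>: <Display name> -- ..."
$published = certutil -config $CaConfig -CATemplates 2>$null
$results["Template '$Template' published"] = [bool]($published -match "^$($Template):")

# Summary: any FAIL line points at the prerequisite or troubleshooting item to revisit.
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run it from a host in the same network position as the CERTInext environment or bot, since reachability and firewall rules differ per source.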

Microsoft CA Integration allows organizations to extend existing Microsoft PKI environments with automation, governance, and lifecycle visibility provided by CERTInext, without replacing their established certificate infrastructure.
