Microsoft ADCS
SecTrail CM integrates with Microsoft Active Directory Certificate Services (ADCS) to enable automatic requesting and management of enterprise SSL/TLS certificates.
Connection Requirements
| Requirement | Detail | Description |
|---|---|---|
| Protocol | HTTPS | Certificate Enrollment Web Service is used |
| Port | 443 (default) | Standard HTTPS port |
| Authentication | NTLM / Kerberos authentication | Windows authentication |
| User Permission | Certificate request and enrollment | Certificate request and enrollment permission |
Automatic Operations
SecTrail CM automatically performs the following operations on Microsoft ADCS:
- Certificate Request: CSR submission
- Certificate Enrollment: Certificate issuance through ADCS
- Template Management: Using different certificate templates
- Automatic Approval: Automatic approval for configured templates
- Pending Order Tracking: Tracking certificates awaiting CA manager approval
Configuration Steps
1. Add ADCS Service
Navigate to Certificate Authorities (CA) > ADCS > Accounts and click the Add New ADCS Service button:

Enter the following information:
- Domain Name: Active Directory domain name
- Hostname: Hostname of the ADCS server
- Username: Username for ADCS access. You can create a user from Automation > Device Users and select it here.
- Port: ADCS Web Enrollment service port (default: 443)
- Priority: Service priority level (between 1 and 10)
- Auth Method: Authentication method (NTLM / Kerberos)
Click the Submit button to save the service.
2. View ADCS Services
After adding a service, it will be displayed in the Certificate Authorities (CA) > ADCS > Accounts list:

The list screen displays the following information:
- Domain Name: The Active Directory domain name that SecTrail CM connects to when submitting certificate requests. All ADCS requests are routed to the ADCS server within this domain.
- Hostname: The network address of the ADCS server.
- Username: The account name used to authenticate against the ADCS server.
- Port: The port number the ADCS Web Enrollment service listens on (default: 443).
- Priority: Determines which server takes precedence when multiple ADCS services are configured (1-10, lower value means higher priority).
- Templates: The list of certificate templates fetched from this ADCS server, available for use during certificate signing.
Service Operations
The following operations can be performed for each service:
- Refresh: Re-fetches service information and the template list from the ADCS server
- Edit: Edit service connection settings
- Delete: Delete service
Orders
After submitting a certificate request to ADCS, you can track all pending and completed orders from:
Certificate Authorities (CA) > ADCS > Orders

About Approval-Based Templates
Some ADCS certificate templates require CA manager approval before issuance. When a certificate is requested using one of these templates, the request is not issued immediately; it is queued and must be manually approved by a CA administrator on the ADCS server.
If you submitted a certificate request using an approval-required template and the certificate has not been issued yet, navigate to Certificate Authorities (CA) > ADCS > Orders to check its status. Once the CA manager approves the request on the ADCS side, you can use the Fetch action to retrieve the issued certificate into SecTrail CM.
Order Fields
| Field | Description |
|---|---|
| Created At | Date and time the request was submitted to the ADCS server |
| Request ID | The request ID returned by ADCS after submission |
| Common Name | The domain name for which the certificate will be issued |
| ADCS Domain | The Active Directory domain name the request was routed to |
| Template | The ADCS certificate template used for signing |
| Status | The current status of the order (Issued, Pending, Denied) |
| Fetch Certificate | Action button used to import the issued certificate into the SecTrail CM inventory |
Order Statuses
- Issued 🟢: Certificate has been approved and issued; use Fetch to retrieve it
- Pending 🟡: Awaiting CA manager approval on the ADCS server
- Denied 🔴: Request was rejected by the CA manager
Order Operations
- Fetch: Retrieve the issued certificate into SecTrail CM inventory
- Delete: Remove the order record
If your organization uses approval-required ADCS templates, coordinate with your CA administrator to approve pending requests. After approval, return to Certificate Authorities (CA) > ADCS > Orders and use Fetch to import the certificate.
With ADCS integration, you can perform certificate signing with your desired template. Template selection determines the certificate's validity period, purpose, and security level.