Microsoft AD CS Integration
Short Summary: Issue certificates from an on-premises Microsoft CA (Active Directory Certificate Services) by using the SSL-CLM Agent as a DCOM bridge between the platform and the CA.
Architecture
Unlike cloud CAs, which expose an HTTPS API, AD CS accepts enrollment requests over DCOM/RPC (the ICertRequest interface), authenticated with the caller's Windows identity. The SSL-CLM Agent must therefore run on a Windows Server that is joined to the domain and "proxy" the platform's requests to the CA under its own service account.
Prerequisites
- Agent OS: Windows Server 2016 or later.
- Service Account: a domain user that the Agent service runs as, with Enroll permissions on the CA and on every certificate template the gateway will issue (Request Certificates on the CA's Security tab, Enroll on each template). Grant nothing more: the Agent only submits requests, so it does not need Issue and Manage Certificates or CA administrator rights.
- Firewall: TCP 135 (the RPC endpoint mapper) plus the dynamic RPC port range (49152-65535 by default on Windows Server 2008 and later) open from the Agent to the CA. Port 135 alone is not enough; the actual request is carried over a dynamically assigned port.
Configuration
1. Prepare Agent
Edit application.properties on the Agent host. The config string is the same HOST\CA-Name pair that certutil and certreq use; the backslash must be doubled because Java .properties files treat a single backslash as an escape character:

```properties
agent.msca.enabled=true
# "\\" in the file becomes a single "\" at runtime: CA-Hostname.corp.local\My-Corp-CA
agent.msca.config-string=CA-Hostname.corp.local\\My-Corp-CA
```

2. Add Gateway
- Navigate: Admin > CA Gateways > Add New.
- Select Provider: Microsoft AD CS.
- Agent: select the Windows Agent configured above.
- Templates: click "Fetch Templates" to sync the certificate types the CA is configured to issue (e.g., WebServer). Only templates published on the CA and granted to the service account will enroll successfully.
Troubleshooting
Issue: "RPC Server Unavailable" (0x800706BA, Win32 error 1722)
Fix: Check the firewall rules for TCP 135 and the dynamic RPC range. On the Agent host, from a shell running as the service account, run certutil -ping -config "HOST\NAME" (with the same HOST\NAME pair as agent.msca.config-string, single backslash) to verify connectivity. certutil -ping uses the same DCOM interface as the Agent, so if it succeeds but enrollment still fails with "Access is denied" (0x80070005), the problem is the service account's permissions on the CA or the template, not the network.
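The prerequisite checks, the config-string handling from step 1 and the connectivity test from the troubleshooting entry, combined into one added PowerShell pre-flight script. It is not part of the SSL-CLM product: the properties-file path, the clm-preflight subject name and the use of certreq for an optional test enrollment are assumptions made here; the script reads the agent.msca.config-string key exactly as the page shows it and should be run on the Agent host in a shell started as the service account, so that every check uses the identity the Agent will use.

```powershell
<#
  Added example, not SSL-CLM code: pre-flight check for the AD CS gateway.
  Run on the Agent host as the Agent's service account.
  Assumptions: the properties path below, and that the Agent reads
  agent.msca.config-string exactly as documented (HOST\\CA-Name in the file).
#>
param(
    [string]$PropertiesPath = 'C:\ssl-clm-agent\application.properties',  # assumed location
    [string]$Template       = 'WebServer',
    [switch]$Enroll         # also submit a real test request over DCOM with certreq
)

function Get-CaConfigString([string]$Path) {
    $line = Get-Content -Path $Path |
        Where-Object { $_ -match '^\s*agent\.msca\.config-string\s*=' } |
        Select-Object -First 1
    if (-not $line) { throw "agent.msca.config-string is not set in $Path" }
    $raw = ($line -split '=', 2)[1].Trim()
    # Java .properties treats '\' as an escape, so '\\' in the file is one '\' at runtime.
    return ($raw -replace '\\\\', '\')
}

$config = Get-CaConfigString $PropertiesPath
$caHost, $caName = $config -split '\\', 2
if (-not $caName) { throw "Config string '$config' must have the form HOST\CA-Name" }
"CA config string: $config"

# 1. DCOM to AD CS authenticates with Kerberos/NTLM, so the host must be domain-joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$($cs.Name) is not joined to a domain" }
"Domain: $($cs.Domain)  Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 2. TCP 135 is the RPC endpoint mapper; the dynamic port is negotiated through it.
$tnc = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) { throw "TCP 135 to $caHost is blocked; fix the firewall first" }

# 3. certutil -ping opens the same ICertRequest DCOM interface the Agent uses, so it
#    also exercises the dynamic RPC range and the service account's access to the CA.
$ping = & certutil.exe -ping -config $config 2>&1
if ($LASTEXITCODE -ne 0) { throw "certutil -ping failed (RPC or DCOM access): $ping" }
"CA reachable over DCOM"

# 4. The CA only issues templates in its issuance list; certutil prints one line per
#    template, ending with the CA's access verdict for the current account.
$templates = & certutil.exe -CATemplates -config $config 2>&1
$entry = $templates | Where-Object { $_ -match "^${Template}:" }
if (-not $entry) { throw "Template '$Template' is not published on $caName" }
"Template entry: $entry"

# 5. Optional end-to-end check: a real PKCS#10 submitted over DCOM with certreq, which is
#    exactly what the Agent proxies. Note that this issues (or pends) a real certificate.
if ($Enroll) {
    $work = Join-Path $env:TEMP 'clm-preflight'
    New-Item -ItemType Directory -Force -Path $work | Out-Null
    @"
[NewRequest]
Subject = "CN=clm-preflight.corp.local"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
"@ | Set-Content -Path "$work\req.inf" -Encoding ASCII
    & certreq.exe -new -q "$work\req.inf" "$work\req.csr" | Out-Null
    $submit = & certreq.exe -submit -q -config $config -attrib "CertificateTemplate:$Template" `
        "$work\req.csr" "$work\cert.cer" 2>&1
    "certreq -submit: $($submit -join ' ')"
    if (Test-Path "$work\cert.cer") {
        & certutil.exe -dump "$work\cert.cer" | Select-String 'Issuer|Subject|NotAfter'
    }
}
```

Each step fails with the specific layer that is broken (properties file, domain membership, port 135, DCOM/RPC, template publication, enrollment permission), which maps directly onto the troubleshooting entry above: a failure at step 2 or 3 is a firewall or RPC problem, a failure at step 4 or 5 with "Access is denied" is a permissions problem on the CA or template.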