
Microsoft AD CS

Integrate Microsoft Active Directory Certificate Services (AD CS) with SSL-CLM to:

  • Discover existing certificates
  • Sync certificate templates
  • Issue certificates
  • Revoke certificates
  • Maintain continuous CA refresh

SSL-CLM integrates with Microsoft AD CS through a Windows Agent that runs the native certificate enrollment operations locally and relays the results to the platform over mTLS. The platform never talks to the CA directly; the agent polls the platform for jobs and reports back.


The SSL-CLM Agent must run on a domain-joined Windows server.

SSL-CLM Platform
│ (mTLS, pull-based jobs)
Windows SSL-CLM Agent
│ (WinRM / command line: certutil, certreq)
Microsoft AD CS

Confirm that the AD CS role is installed and that the Active Directory Certificate Services service (CertSvc) is running.

Windows Server Manager - AD CS Installed

Open the Certification Authority console:

Certification Authority Console

You should see your CA (e.g., qcecuring-local-ca).


From the Windows Agent server, verify that the CA answers over RPC/DCOM (this is the path the agent's enrollment calls take):

certutil -ping -config "WIN-6RM7FR3L231\qcecuring-local-ca"

Successful output:

certutil CA ping success

If you receive RPC Server Unavailable:

  • Check that TCP 135 (the RPC endpoint mapper) and the dynamic RPC port range the CA listens on are reachable from the agent server
  • Verify host and network firewalls between the agent server and the CA
  • Ensure the CertSvc service is running on the CA
  • Confirm the account running the check has DCOM access to the CA (an Access is denied response means the port is open but the permissions are not)
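The pre-flight below bundles the four checks above (plus the domain-join requirement from earlier) into one script run on the agent server. It is an added example, not part of SSL-CLM; the CA host and CA name are the ones used in this guide and are assumptions for your environment.

```powershell
# Added pre-flight check for the SSL-CLM agent host (not SSL-CLM's own code).
# CA host and name below are this guide's placeholders; substitute your own.
$CaHost   = 'WIN-6RM7FR3L231'
$CaName   = 'qcecuring-local-ca'
$CaConfig = "$CaHost\$CaName"
$problems = @()

# The agent must run on a domain-joined server.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { $problems += "$env:COMPUTERNAME is not domain-joined." }

# TCP 135 is the RPC endpoint mapper; DCOM then negotiates a port from the
# dynamic range, so 135 alone proves only that the first hop is open.
$epm = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
if (-not $epm.TcpTestSucceeded) { $problems += "TCP 135 to $CaHost is blocked (RPC endpoint mapper)." }

# CertSvc must be running on the CA. CIM over WinRM works in both Windows
# PowerShell 5.1 and PowerShell 7 (Get-Service -ComputerName does not).
try {
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $CaHost `
                           -Filter "Name='CertSvc'" -ErrorAction Stop
    if ($svc.State -ne 'Running') { $problems += "CertSvc on $CaHost is $($svc.State), not Running." }
} catch {
    $problems += "Could not query CertSvc on ${CaHost}: $($_.Exception.Message)"
}

# The real test: an ICertRequest ping over DCOM as the current account.
# A non-zero exit with "Access is denied" means ports are open but DCOM/CA
# permissions are missing; "RPC server is unavailable" means firewall/ports.
$ping = & certutil.exe -ping -config $CaConfig 2>&1
if ($LASTEXITCODE -ne 0) { $problems += "certutil -ping failed: $($ping -join ' ')" }

if ($problems.Count -eq 0) {
    "CA $CaConfig is reachable from $env:COMPUTERNAME as $env:USERDOMAIN\$env:USERNAME"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it as the same domain account the agent will use (see the ADCS_USERNAME setting later on this page), otherwise a passing result says nothing about the agent's own permissions.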

Navigate:

Configuration → Connector Configs → New Connector

Configure:

  • Vendor: MSCA Agent
  • Type: Agent Gateway

Create Connector Config

Example JSON:

{
  "caIdentifier": "WIN-6RM7FR3L231\\qcecuring-local-ca",
  "serverHost": "WIN-6RM7FR3L231"
}

Step 4 — Create Certificate Authority Instance


Navigate:

Discovery → Certificate Authorities → New Certificate Authority

Select:

  • Type: Microsoft CA
  • Connector: MSCA Agent Gateway

Create CA Instance

Save the configuration.


Navigate:

Operations → Agents → Register New Agent

Generate a bootstrap token. Treat it as a secret: it is what lets a new agent enrol itself with the platform.

Create Agent Bootstrap Token


On the Windows server:

rem Platform endpoint and the bootstrap token generated in the previous step
set API_URL=https://102.124.1.11:8080
set AGENT_BOOTSTRAP_TOKEN=YVtsWExUfDqF9LhsYYmjJroud6PKidW5IebRT-X9EUK
rem Enable the MSCA module and point it at the CA (matches caIdentifier / serverHost in the connector config)
set AGENT_MSCA_ENABLED=true
set AGENT_MSCA_CA_IDENTIFIER=WIN-6RM7FR3L231\qcecuring-local-ca
set ADCS_SERVER=WIN-6RM7FR3L231
rem Domain account the agent enrolls as: it needs Request Certificates on the CA
rem and Enroll on each template SSL-CLM will issue from; use a dedicated service account
set ADCS_USERNAME=DomainUser
set ADCS_PASSWORD=StrongPassword
java -jar ssl-clm-agent.jar

Agent startup:

Windows Agent Launch

Agent should appear as ACTIVE in dashboard.
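Typing the password and bootstrap token into `set` leaves them in the console and in any script that wraps the command. The PowerShell launcher below is an added example (not SSL-CLM's own launcher) that keeps both in a DPAPI-protected file readable only by the agent account, sets the same environment variables the agent reads, and scrubs the plaintext from the shell after the agent starts. The secret-file path is an assumption; the other values are this guide's placeholders.

```powershell
# Added launcher (not part of SSL-CLM): secrets come from a DPAPI-protected file
# instead of the command line. $SecretFile is an assumed location.
$SecretFile = 'C:\ProgramData\ssl-clm\agent-secrets.xml'

# One-time setup, run interactively as the account that will run the agent.
# Export-Clixml stores SecureStrings encrypted with DPAPI, bound to this user
# and this machine, so a copied file is useless elsewhere.
if (-not (Test-Path $SecretFile)) {
    $secrets = [pscustomobject]@{
        BootstrapToken = Read-Host -AsSecureString -Prompt 'Agent bootstrap token'
        AdcsPassword   = Read-Host -AsSecureString -Prompt 'Password for the AD CS service account'
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $SecretFile) | Out-Null
    $secrets | Export-Clixml -Path $SecretFile
    # Remove inherited ACEs; only the agent account and SYSTEM may read the file.
    icacls $SecretFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:R" "SYSTEM:R" | Out-Null
}

function ConvertTo-PlainText([securestring]$Secure) {
    # Decrypt only at the moment of use; the plaintext never touches disk.
    [System.Net.NetworkCredential]::new('', $Secure).Password
}

$s = Import-Clixml -Path $SecretFile

# Same variables as the cmd example; non-secret values are plain strings.
$env:API_URL                  = 'https://102.124.1.11:8080'
$env:AGENT_MSCA_ENABLED       = 'true'
$env:AGENT_MSCA_CA_IDENTIFIER = 'WIN-6RM7FR3L231\qcecuring-local-ca'
$env:ADCS_SERVER              = 'WIN-6RM7FR3L231'
$env:ADCS_USERNAME            = 'DomainUser'
$env:AGENT_BOOTSTRAP_TOKEN    = ConvertTo-PlainText $s.BootstrapToken
$env:ADCS_PASSWORD            = ConvertTo-PlainText $s.AdcsPassword

# The child inherits this session's environment; nothing appears in argv or history.
$agent = Start-Process -FilePath 'java' -ArgumentList '-jar', 'ssl-clm-agent.jar' -NoNewWindow -PassThru

# Scrub the plaintext from this shell once the agent has started.
Remove-Item -Path Env:\AGENT_BOOTSTRAP_TOKEN, Env:\ADCS_PASSWORD
"Agent started (PID $($agent.Id)); confirm it shows ACTIVE under Operations → Agents."
```

The environment block of the running java process is still readable by local administrators and by anything that can open the process, so this narrows exposure (no command line, no history, no world-readable file) rather than eliminating it; run the agent under a dedicated service account and keep local admin on that server small.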


In the CA instance, click Load Templates.

This triggers a CA_REFRESH job.

Load Templates

Templates such as the following will appear:

  • WebServer
  • WebServer-SSL-CLM
  • EnrollmentAgent
  • CodeSigning

Only templates published on this CA are returned. A template that exists in Active Directory but is not added to the CA's template list will not show up after Load Templates.
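If a template you expect is missing from the list, the check below (an added example, not SSL-CLM's own code) shows what the CA actually publishes to the calling account and whether the template exists in AD at all. The CA identifier is this guide's placeholder; the template name to check is an assumption.

```powershell
# Added template check (not part of SSL-CLM). $Wanted is an assumed template name.
$CaConfig = 'WIN-6RM7FR3L231\qcecuring-local-ca'
$Wanted   = 'WebServer-SSL-CLM'

# certutil -CATemplates prints one published template per line:
#   "<Name>: <Display name> -- <enrollment note for the calling account>"
# followed by a trailing "CertUtil: ... completed successfully." status line.
$lines = & certutil.exe -CATemplates -config $CaConfig 2>&1
if ($LASTEXITCODE -ne 0) { throw "Cannot enumerate templates on ${CaConfig}: $($lines -join ' ')" }

$published = foreach ($line in $lines) {
    if ($line -match '^(?<name>[^:\s]+):\s+(?<rest>.+)$' -and $Matches.name -ne 'CertUtil') {
        $display, $note = $Matches.rest -split '\s+--\s+', 2
        [pscustomobject]@{ Name = $Matches.name; DisplayName = $display; Note = $note }
    }
}
$published | Format-Table -AutoSize

if ($published.Name -contains $Wanted) {
    "$Wanted is published on $CaConfig and should appear after Load Templates."
} else {
    # Distinguish "not published here" from "does not exist in AD".
    & certutil.exe -Template $Wanted *> $null
    if ($LASTEXITCODE -eq 0) {
        Write-Warning ("$Wanted exists in AD but is not published on $CaConfig. On the CA run " +
                       "certutil -SetCATemplates +$Wanted (or Add-CATemplate -Name $Wanted), then Load Templates again.")
    } else {
        Write-Warning "$Wanted was not found in Active Directory; create or duplicate it in Certificate Templates first."
    }
}
```

Being published is necessary but not sufficient: the agent's service account also needs Enroll on the template, and that is enforced at issuance, not at CA_REFRESH.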


Navigate:

Enrollment → Guided CSR

Fill certificate details and submit.

Submit CSR


After issuance, certificate status becomes Issued.

Issued CSR View

Flow:

  1. CSR stored in platform
  2. ISSUE_CERT job created
  3. Agent enrolls via MSCA
  4. Certificate returned
  5. Inventory updated
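To see what steps 3 and 4 of that flow amount to on the CA side, the script below performs the same native enrollment by hand with certreq and certutil, then verifies the result and shows the matching revoke call. It is an added example for comparison and debugging, not the agent's actual implementation; the CA identifier is this guide's placeholder, and the subject, template, key parameters and working directory are assumptions.

```powershell
# Added example (not the SSL-CLM agent's code): manual equivalent of the
# ISSUE_CERT job, plus revocation. Subject/template/paths are assumptions.
$CaConfig = 'WIN-6RM7FR3L231\qcecuring-local-ca'
$Template = 'WebServer-SSL-CLM'
$Subject  = 'CN=app01.qcecuring.local'
$Work     = Join-Path $env:TEMP 'ssl-clm-manual'
New-Item -ItemType Directory -Force -Path $Work | Out-Null
$Inf = Join-Path $Work 'request.inf'
$Req = Join-Path $Work 'request.req'
$Cer = Join-Path $Work 'issued.cer'

# 1. CSR. The key is generated non-exportable in the machine store, so only
#    the PKCS#10 request (no private key) ever leaves this host.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}dns=app01.qcecuring.local"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $Inf -Encoding ASCII
& certreq.exe -new -f $Inf $Req | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'CSR generation failed' }

# 2. Submit to the CA (the agent's "enrolls via MSCA" step). A template that
#    requires CA manager approval answers "pending" instead of a certificate.
$out = & certreq.exe -submit -f -config $CaConfig $Req $Cer 2>&1
if ($LASTEXITCODE -ne 0) { throw "Submission failed: $($out -join ' ')" }
if ($out -match 'pending') {
    $reqId = ($out | Select-String 'RequestId:\s*(\d+)').Matches[0].Groups[1].Value
    "Request $reqId is pending approval. Approve: certutil -config $CaConfig -resubmit $reqId"
    "Then retrieve: certreq -retrieve -config $CaConfig $reqId $Cer"
    return
}

# 3. Verify: chain must build to a trusted root, and the certificate must carry
#    the template we asked for (Certificate Template extensions).
& certutil.exe -verify $Cer | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Issued certificate does not chain to a trusted root' }
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Cer)
"Issued: $($cert.Subject) serial $($cert.SerialNumber) valid until $($cert.NotAfter)"
$cert.Extensions |
    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
    ForEach-Object { "Template extension: $($_.Format($false))" }

# Bind the issued certificate to its private key in the machine store.
& certreq.exe -accept -machine $Cer | Out-Null

# 4. Revocation, the counterpart of the platform's revoke action. Reason codes
#    follow RFC 5280: 0 unspecified, 1 keyCompromise, 4 superseded, 5 cessationOfOperation.
function Revoke-IssuedCertificate([string]$Serial, [int]$Reason = 0) {
    & certutil.exe -config $CaConfig -revoke $Serial $Reason
    if ($LASTEXITCODE -ne 0) { throw "Revocation of $Serial failed" }
    # Publish a fresh CRL so relying parties see the change before the next scheduled publish.
    & certutil.exe -config $CaConfig -CRL | Out-Null
}
# Example: Revoke-IssuedCertificate -Serial $cert.SerialNumber -Reason 4
```

Run this as the agent's service account: if it fails with Access is denied at step 2 while the earlier certutil -ping succeeded, the account has DCOM access but lacks Enroll on the template or Request Certificates on the CA, and the platform's ISSUE_CERT job will fail the same way.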