
Microsoft CA server

Integration guide

This guide covers the complete process needed to set up a Microsoft CA server integration using the DigiCert MCARS service along with a CA connector in DigiCert® Trust Lifecycle Manager.

The resulting integration supports discovery of existing certificates from the Microsoft CA into your Trust Lifecycle Manager account, where you can monitor and manage them. It also lets you use Trust Lifecycle Manager to enroll new certificates against the Microsoft CA.

Architecture

The integration consists of three main system components:

  1. Microsoft CA server. You need to install and configure DigiCert®'s Microsoft CA Remoting Service (MCARS) service here to support the integration.

  2. DigiCert sensor. Used to manage the integration. You need to install it onto a dedicated host on your network that can connect to both DigiCert Trust Lifecycle Manager and the DigiCert MCARS service on the Microsoft CA server.

  3. DigiCert Trust Lifecycle Manager. The central management platform where you configure the connector and subsequently discover, enroll, and manage certificates from the integrated Microsoft CA.

[Figure: Microsoft CA integration architecture (msca_integration_architecture.png)]

System requirements

On the Microsoft CA server:

  • Microsoft Windows Server 2019 or later.

  • Microsoft Active Directory Certificate Services (AD CS) installed.

  • A 64-bit Java 8 Java Runtime Environment (JRE) installed, with the JAVA_HOME environment variable defined and pointing to the JRE bin folder.

Network requirements

  • The DigiCert sensor must be able to connect outbound to Trust Lifecycle Manager over HTTPS (port 8443).

    Note: The sensor uses a pull model to communicate with Trust Lifecycle Manager, so there are no inbound access requirements.

  • The DigiCert sensor must be able to connect to the MCARS service on the Microsoft CA server. The MCARS service listens on port 7443 by default, but this can be modified during the configuration process.
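A pre-flight check for the server and network requirements above, added here as an example; it is not part of DigiCert's documentation or tooling. Run it in an elevated PowerShell session on the Microsoft CA server after MCARS is installed; the MCARS port defaults to 7443 as stated above, and the Windows Server 2019 build number (17763) and the cmdlets used are standard Windows, not DigiCert-specific.

```powershell
# Added example (not DigiCert's code). Checks the Microsoft CA server against the
# requirements listed in this guide and prints PASS/FAIL per item.
param(
    [int]$McarsPort = 7443   # MCARS default; change if you reconfigured it
)

$results = [ordered]@{}

# 1. Windows Server 2019 or later: ProductType 3 = server, build 17763 = Server 2019.
$os = Get-CimInstance Win32_OperatingSystem
$results['Windows Server 2019 or later'] =
    ($os.ProductType -eq 3) -and ([int]$os.BuildNumber -ge 17763)

# 2. AD CS certification authority role installed.
$adcs = Get-WindowsFeature -Name ADCS-Cert-Authority
$results['AD CS role installed'] = ($adcs.Installed -eq $true)

# 3. JAVA_HOME defined and pointing at the JRE bin folder (java.exe directly inside it).
$javaHome = $env:JAVA_HOME
$javaExe  = if ($javaHome) { Join-Path $javaHome 'java.exe' } else { $null }
$results['JAVA_HOME set']                  = [bool]$javaHome
$results['java.exe found under JAVA_HOME'] = [bool]($javaExe -and (Test-Path $javaExe))

# 4. Java is version 8 and 64-bit. 'java -version' writes to stderr, hence 2>&1.
if ($javaExe -and (Test-Path $javaExe)) {
    $ver = (& $javaExe -version 2>&1 | ForEach-Object { "$_" }) -join ' '
    $results['Java 8']      = ($ver -match '"1\.8\.')
    $results['Java 64-bit'] = ($ver -match '64-Bit')
} else {
    $results['Java 8']      = $false
    $results['Java 64-bit'] = $false
}

# 5. MCARS service listening locally on the configured port.
$listen = Get-NetTCPConnection -LocalPort $McarsPort -State Listen -ErrorAction SilentlyContinue
$results["MCARS listening on TCP $McarsPort"] = [bool]$listen

# Report; any FAIL should be resolved before configuring the connector.
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

The network requirements are verified from the sensor host instead, with `Test-NetConnection <ca-server> -Port 7443` and `Test-NetConnection <tlm-host> -Port 8443`, substituting your own host names.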

Workflow

The complete process of integrating with and enrolling certificates from a Microsoft CA server involves these steps: