
Microsoft CA

Link DigiCert® Trust Lifecycle Manager to your Microsoft server to import, enroll, and manage certificates from private Microsoft certificate authorities (CAs).

Notice

This page covers the basic process of adding a Microsoft CA connector in Trust Lifecycle Manager. For a complete guide covering all the steps needed to integrate with and get certificates from a Microsoft CA, refer to the Microsoft CA server integration guide.

Before you begin

The following tasks need to be completed before adding the Microsoft CA connector in Trust Lifecycle Manager:

  • Configure the Microsoft CA server to prepare for the integration.

  • Install the Windows version of the DigiCert sensor on a Windows system on your network that can connect to both Trust Lifecycle Manager and the Microsoft CA server.

    • The sensor system must be running Windows Server 2019 (or later) or Windows 10 Pro or Enterprise.

    • If installing the sensor on Windows 10 Pro or Enterprise, you must also install the Remote Server Administration Tools (RSAT) "Active Directory Certificate Services Tools" to enable the integration with Trust Lifecycle Manager. For installation instructions, visit the official Microsoft Download Center. This step is not required when installing the sensor on Windows Server.

    • The sensor system must be on the same domain or in the same forest as your Microsoft CA server. Do not install the DigiCert sensor on the Microsoft CA server system itself.

Figure: Microsoft CA integration architecture.

Add Microsoft CA connector

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Certificate authorities section, select the tile for Microsoft.

    Complete the form as described in the following steps.

  4. Configure the general connector properties in the top section of the form:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

    • Managing sensor: Select an active DigiCert sensor to use to manage the integration.

  5. In the Link account section, enter the access details for the Microsoft CA server:

    • Hostname: The hostname of the Microsoft CA server. Must be resolvable by the managing sensor.

    • CA name: The name of the certificate authority (CA) to connect to as configured under Active Directory Certificate Services (AD CS) on the Microsoft CA server.

    • Username: The username of the service user on the Microsoft CA server in the format username@domain.

    • Password: The password for the above service user on the Microsoft CA server.

  6. Fill out the Import attributes section if you want to import existing certificates from the Microsoft CA:

    • Import certificates from this connector: Select whether to import existing certificates from this CA. If you enable import, the remaining options in this section control which certificates are imported and how often.

    • Business unit: Optionally assign a business unit to imported certificates. Only users assigned to this business unit can manage the imported certificates.

    • Microsoft CA certificate templates: The certificate templates to import certificates from on the Microsoft issuing CA.

      • All templates: To import certificates issued from all Microsoft CA certificate templates.

      • Specific templates: To enter the names of specific Microsoft CA certificate templates to import certificates from.

    • Tags: Optionally assign tags to imported certificates to help categorize and manage them.

    • Import frequency: If importing certificates, select scheduling options for ongoing import operations. Enter a value and select units (minutes, hours, or weeks) for how often to check for new certificates to import from the Microsoft CA. The default import frequency is every 15 minutes.

  7. Select Add to create the Microsoft CA connector with the configured settings.
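Before you fill in the form above, it is worth confirming from the candidate sensor host that the prerequisites in Before you begin are met and that the values you will enter in steps 5 and 6 (hostname, CA name, service user, template names) are correct. The following PowerShell script is an added example written for this page; it is not DigiCert's code, and the CA hostname, CA name and service user it uses are placeholders, not values from the documentation.

```powershell
# Added example, not DigiCert's code: pre-flight check for a host that will run the
# Windows DigiCert sensor for a Microsoft CA connector. Run it on the candidate sensor host.
# The CA hostname, CA name and service user below are placeholders (assumptions); replace
# them with your own values.
param(
    [string]$CaHost      = 'ca01.corp.example.com',     # Hostname field in the Link account section
    [string]$CaName      = 'Corp-Issuing-CA',           # CA name as configured under AD CS
    [string]$ServiceUser = 'svc-tlm@corp.example.com'   # Username field, username@domain form
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Supported OS: Windows Server 2019 (build 17763) or later, or Windows 10 Pro/Enterprise.
$os       = Get-CimInstance Win32_OperatingSystem
$isServer = $os.ProductType -ne 1            # ProductType 1 = workstation, 2 = DC, 3 = member server
$build    = [int]$os.BuildNumber
if ($isServer) {
    Add-Result 'Operating system' ($build -ge 17763) "$($os.Caption), build $build"
} else {
    $okEdition = $os.Caption -match 'Windows 10 (Pro|Enterprise)'
    Add-Result 'Operating system' $okEdition "$($os.Caption), build $build"
}

# 2. On Windows 10, the RSAT "Active Directory Certificate Services Tools" capability must be
#    installed; Windows Server ships the tools and this check is skipped there.
if (-not $isServer) {
    $cap = Get-WindowsCapability -Online -Name 'Rsat.CertificateServices.Tools*' | Select-Object -First 1
    $installed = ($null -ne $cap) -and ($cap.State -eq 'Installed')
    Add-Result 'RSAT AD CS tools' $installed "$($cap.Name): $($cap.State)"
    # To install from an elevated shell:
    #   Get-WindowsCapability -Online -Name 'Rsat.CertificateServices.Tools*' | Add-WindowsCapability -Online
}

# 3. Domain membership: the sensor host must be in the same domain or forest as the CA.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Result 'Domain joined' ([bool]$cs.PartOfDomain) "Domain: $($cs.Domain)"

# 4. The sensor must not run on the CA server itself.
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Add-Result 'Not the CA host' ($localFqdn -ne $CaHost) "Local FQDN: $localFqdn"

# 5. The CA hostname must be resolvable from the managing sensor.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($CaHost)
    Add-Result 'CA hostname resolves' ($addrs.Count -gt 0) (($addrs | ForEach-Object { $_.IPAddressToString }) -join ', ')
} catch {
    Add-Result 'CA hostname resolves' $false $_.Exception.Message
}

# 6. The CA answers under the configured name (RPC/DCOM ping via the AD CS tools).
$ping = & certutil.exe -config "$CaHost\$CaName" -ping 2>&1 | Out-String
Add-Result 'certutil -ping' ($LASTEXITCODE -eq 0) $ping.Trim()

# 7. The service user is written as username@domain (UPN form), as the Username field expects.
Add-Result 'Service user format' ($ServiceUser -match '^[^@\s]+@[^@\s]+$') $ServiceUser

# 8. Templates the CA publishes. certutil prints "<template common name>: <display name> -- ..."
#    per line; the common names collected here are what you would enter under "Specific templates".
$templates = & certutil.exe -config "$CaHost\$CaName" -CATemplates 2>&1 |
    Where-Object { $_ -match '^(\S+):' -and $_ -notmatch '^CertUtil:' } |
    ForEach-Object { $Matches[1] }
Add-Result 'Templates on CA' (@($templates).Count -gt 0) (@($templates) -join ', ')

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

Run it from an elevated PowerShell session on the prospective sensor host (Get-WindowsCapability needs elevation). A non-zero exit means at least one check failed and the Detail column says why. The script only checks that the host meets the documented prerequisites and can reach the CA; it does not verify the service user's permissions on the CA, which are part of the server-side preparation covered in the Microsoft CA server integration guide.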

Legacy connectors

On July 18, 2024, DigiCert released a streamlined version of the Microsoft CA connector for Trust Lifecycle Manager that removed the need to install the Microsoft CA Remoting Service (MCARS) software on the Microsoft CA server.

If you have legacy MCARS-based connectors in your account, you can still use them to issue and import certificates from your Microsoft CAs. However, DigiCert recommends replacing these legacy connectors with new connectors based on the streamlined integration architecture.

To learn more, see Legacy Microsoft CA connectors.

What's next