
Set up Microsoft AD CS for issuing and importing certificates

The steps below will take you through everything you need to do to get your AD CS service integrated with Venafi as a Service. After completing these steps, you'll be able to import existing certificates and issue new certificates.

Before you begin

Have the following ready before you start:

  • Linux server to run VSatellite. The server must meet the following minimum requirements:
    • Ubuntu LTS 18.04 or later
    • CentOS 8.3-2011 or later
    • VSatellite outbound access to the following API endpoints and ports:
      • 443 - api.venafi.cloud
      • 443 - dl.venafi.cloud
      • 9443 - vsat-gw.venafi.cloud
    • 4 GB RAM
    • 2 CPUs
    • 10 GB disk space
  • Windows server to run VSatellite Worker. The server must meet the following minimum requirements:
    • Windows Server 2019
    • Microsoft .NET Framework 4.7.0 or higher
    • Access to ports 135 and 49152 - 65535 on AD CS Service
    • VSatellite connectivity to the VSatellite Worker - port 8085 (default) or the custom port specified during VSatellite Worker installation
    • 4 GB RAM
    • 2 CPUs
    • 300 GB disk space
  • Completed AD CS configuration
  • IP or hostname of your Microsoft AD CS server
  • Username and password used to authenticate to Microsoft AD CS
  • Microsoft AD CS Issuing Certificate Common Name

Step 1: Connect your AD CS server to Venafi as a Service

First, we'll set up the connection between your Microsoft AD CS server and Venafi as a Service. If you don't already have a VSatellite or VSatellite Worker, these steps will walk you through those installations. If you do, then you can just select them during setup.

  1. Sign in to Venafi as a Service at https://ui.venafi.cloud.
  2. Click Settings > Certificate Authorities.
  3. Click New > Microsoft AD CS.
  4. Enter a Name for the Certificate Authority.

    Note

    This is the name that will be used throughout Venafi as a Service for this CA.

  5. From the VSatellite Worker drop-down, select the VSatellite Worker to use in this configuration.

    If you don't have a VSatellite Worker yet, click the box below for instructions on setting one up.

    Don't have a VSatellite Worker yet? Follow these steps to set one up.
    1. Click Deploy VSatellite Worker.

      If you're installing the VSatellite Worker on a Windows server that has internet access, select "Online Installation." If the server does not have internet access, select "Offline Installation."

      Copy the VSatellite Worker installation command, and then run the script in a PowerShell prompt on the Windows server where you're setting up your VSatellite Worker.

      To use a port other than the default port 8085, replace the port number following the --port flag before running the installation command.

      1. Copy the VSatellite Worker download command, and run it in a PowerShell prompt from a machine with internet connectivity.

        This downloads the VSatellite Worker installer (VSatelliteWorkerInstaller.msi) and VSatellite Worker (vsatworkectl.exe).

      2. Move both files to the same directory on the Windows server you want to install VSatellite Worker on.

      3. After moving the files, copy the VSatellite Worker installation command, and then run the script in a PowerShell prompt on the Windows server you're setting up as your VSatellite Worker.

        To use a port other than the default port 8085, replace the port number following the --port flag before running the installation command.

    2. Follow the on-screen prompts to complete the installation.

    3. Check if the VSatellite Worker service is running on the Windows server by going to the Start menu and typing Services. From there, open the Services app, and in the Name column, look for VSatWorkerService.

    4. After the VSatellite Worker is up and running, return to the Venafi as a Service screen, and click Continue.

    5. In the VSatellite Worker server address, enter the FQDN or IP address of the Windows server where you installed the VSatellite Worker. Include the port number. The default port is 8085, but if you set a different port during installation, enter that port instead.

    6. Click Set.

    7. To complete the setup, the VSatellite Worker needs to be paired with a VSatellite. If you already have a VSatellite in place, you can select it from the VSatellite drop-down.

      If you need to set up a VSatellite, see the section below.

    Do you also need to set up a VSatellite? Follow these steps

    A VSatellite Worker needs to be paired with a VSatellite in order to communicate with Venafi as a Service.

    1. Click Deploy VSatellite. The Deploy a VSatellite page opens.

    2. From the VSatellite deployment script, click Copy Code to copy the entire command.

    3. Run the command on the Linux server you've set up to be your VSatellite. Follow the on-screen instructions to complete the installation.

      Note

      The installation may take up to 10 minutes.

    4. After installation, return to the Deploy a VSatellite screen in Venafi as a Service, and click Test Connection.

      Note

      Activating the VSatellite takes a few seconds. If Test Connection fails initially, click the button again to re-test the connection until it succeeds, and the Done button at the bottom of the screen is enabled.

    5. Click Done. You are returned to the Deploy VSatellite Worker page.

    6. The VSatellite drop-down should now show the VSatellite you just deployed. Click Pair to connect the VSatellite Worker to the VSatellite.

    7. Click Done. You are returned to the Connection page, and the VSatellite Worker drop-down is populated with the VSatellite Worker you just set up.

  6. Click Next.
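The prerequisite list above and the service check in step 3 of the Worker setup can be verified from one PowerShell session on the Windows server. The script below is an added example, not Venafi's own tooling; the AD CS host name is a placeholder, and the .NET Framework release value 460798 is the documented registry baseline for 4.7.0.

```powershell
# Added example (not Venafi tooling): verify the VSatellite Worker host against the
# prerequisites listed on this page. Run in an elevated PowerShell prompt.
param(
    [string]$AdcsHost  = 'adcs.example.internal',   # placeholder: IP or hostname of your AD CS server
    [int]$WorkerPort   = 8085                        # default, or the value you passed to --port
)

$results = [ordered]@{}

# .NET Framework 4.7.0 or higher: the Release DWORD for 4.7.0 starts at 460798
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework >= 4.7.0'] = ($null -ne $ndp -and $ndp.Release -ge 460798)

# RPC endpoint mapper (TCP 135) on the AD CS server. The dynamic range 49152-65535
# is allocated per call, so only the fixed port is probed here; the range must be
# open on any firewall between the Worker and AD CS.
$results["TCP 135 to $AdcsHost"] = Test-NetConnection -ComputerName $AdcsHost -Port 135 -InformationLevel Quiet

# Worker service installed by VSatelliteWorkerInstaller.msi (name from the Services app)
$svc = Get-Service -Name 'VSatWorkerService' -ErrorAction SilentlyContinue
$results['VSatWorkerService running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

# The VSatellite pairs with the Worker on this port, so something must be listening on it
$listener = Get-NetTCPConnection -LocalPort $WorkerPort -State Listen -ErrorAction SilentlyContinue
$results["Worker listening on TCP $WorkerPort"] = ($null -ne $listener)

# Minimum hardware from the prerequisite list: 4 GB RAM, 2 CPUs
$cs = Get-CimInstance Win32_ComputerSystem
$results['RAM >= 4 GB']  = ($cs.TotalPhysicalMemory -ge 4GB)
$results['CPUs >= 2']    = ($cs.NumberOfLogicalProcessors -ge 2)

# Anything reported as False needs fixing before you click Continue in the pairing wizard
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
} | Format-Table -AutoSize
```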

Step 2: Enter your AD CS information

Next, we'll enter your Microsoft AD CS server information and credentials so that Venafi as a Service can authenticate to your AD CS server.

  1. In the AD CS administrative address field, enter the IP address or hostname of your Microsoft AD CS server.

  2. In the Common Name (CN) of the CA's certificate box, enter the Common Name of the Microsoft AD CS Issuing (root) Certificate.

  3. Enter the Username and Password to authenticate with Microsoft AD CS.

    AD CS Permissions

    The account you use must have Read, Issue and Manage Certificates, and Request Certificates permissions to the Microsoft AD CS server.

  4. Click Test credentials.

Step 3: Select AD CS issuance templates to map to Venafi as a Service

Now that the connection is made, we can set up certificate issuance through Venafi as a Service. This step is required only if you want to issue new TLS server authentication certificates through Venafi as a Service. If you just want to import existing certificates, see the import existing certificates steps below.

  1. Click in the Issuance templates field. After clicking in the field, Venafi as a Service queries your AD CS and returns a list of issuance templates from your AD CS server.

  2. Select the AD CS issuance templates that you want to map to Venafi as a Service.

  3. Click Add.

    Venafi as a Service tests all the templates you selected. Templates with a Passed result are available to map to Certificate Issuing Templates in Venafi as a Service. Those with a Failed result are not.

    Why did some templates fail?

    After adding templates, Venafi as a Service issues test certificates using each of the AD CS issuance templates. Venafi as a Service supports issuance through templates that:

    • Have Server Authentication set in the Application Policies setting of the Extensions tab on the issuance template
    • Allow issuing certificates using RSA keys
    • Supply the Subject Name in the request (certificates whose Subject Name is built from Active Directory cannot be issued)

    Issuance templates that are incapable of issuing such certificates fail the Venafi as a Service issuance test. This is expected. Some of the predefined (default) Issuance templates that will fail are:

    • DirectoryEmailReplication
    • DomainController
    • DomainControllerAuthentication
    • KerberosAuthentication

    Only the templates that pass the test will be available when mapping AD CS templates to Venafi as a Service templates.

  4. Click Next.
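To predict which templates will pass before adding them, the three conditions above can be read directly from the template objects in the Configuration partition. This is an added example, not Venafi's own check: it assumes a domain-joined host with the RSAT ActiveDirectory module, and it reads the key-algorithm restriction from the backtick-delimited msPKI-RA-Application-Policies string that version 3 and later templates use (a template with no such restriction is treated as allowing RSA).

```powershell
# Added example (not Venafi tooling): flag AD CS templates against the three
# issuance-test conditions described on this page. Requires read access to the
# Configuration naming context (any domain user has it by default).
Import-Module ActiveDirectory -ErrorAction Stop   # assumption: RSAT AD module is installed

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$serverAuthOid           = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU / application policy
$enrolleeSuppliesSubject = 0x1                   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag

$props = 'pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy',
         'msPKI-Certificate-Name-Flag', 'msPKI-RA-Application-Policies'

Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
  ForEach-Object {
    # "Application Policies" on the Extensions tab is stored in msPKI-Certificate-Application-Policy;
    # older templates carry the same OIDs in pKIExtendedKeyUsage, so check both
    $policies = @($_.pKIExtendedKeyUsage) + @($_.'msPKI-Certificate-Application-Policy')
    $hasServerAuth = $policies -contains $serverAuthOid

    # Subject supplied in the request, rather than built from the AD object
    $nameFlag = [int]$_.'msPKI-Certificate-Name-Flag'
    $subjectFromRequest = (($nameFlag -band $enrolleeSuppliesSubject) -ne 0)

    # v3+ templates encode the key algorithm as msPKI-Asymmetric-Algorithm`PZPWSTR`<ALG>`
    $raPolicies = @($_.'msPKI-RA-Application-Policies') -join ' '
    $algo = [regex]::Match($raPolicies, 'msPKI-Asymmetric-Algorithm`PZPWSTR`([^`]+)`')
    $rsaAllowed = (-not $algo.Success) -or ($algo.Groups[1].Value -eq 'RSA')

    [pscustomobject]@{
        Template           = $_.Name
        ServerAuthPolicy   = $hasServerAuth
        SubjectFromRequest = $subjectFromRequest
        RSAAllowed         = $rsaAllowed
        ExpectedToPass     = ($hasServerAuth -and $subjectFromRequest -and $rsaAllowed)
    }
  } | Sort-Object ExpectedToPass, Template -Descending | Format-Table -AutoSize
```

Templates that show ExpectedToPass as False are the ones to leave out of the mapping; the column that is False tells you which of the three conditions the template does not meet.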


What's Next?

Now that your AD CS templates are mapped to Venafi as a Service, you can create a Certificate Issuing Template and associate your AD CS templates with Venafi as a Service issuing templates.

Select Microsoft from the New Certificate Issuing template screen. The AD CS templates that passed validation will show up in the Product Option drop-down.

Step 4: Import existing certificates from AD CS

This step is required only if you want to import existing certificates from AD CS.

  1. Click in the Import templates box. After clicking in the box, Venafi as a Service queries your AD CS and returns a list of templates from your AD CS server.

  2. Select the AD CS templates that you want to import certificates from. Only certificates issued by the templates you select will be imported.

  3. Click Add.

  4. If you want to schedule the import to occur on a regular basis, click the AD CS Import slider, and then set the import interval. This option is available only if one or more AD CS templates were added in the previous steps.

  5. Under Import options, select whether you want to import revoked or expired certificates.

  6. Click Done.

Venafi as a Service imports the certificates.

On the Statistics tab of your Microsoft AD CS certificate authority, you see a summary of your certificates. Click on any number to open a pre-filtered Certificate Inventory page to see those certificates.

Troubleshooting

If you run into trouble getting the AD CS integration set up, contact Venafi Support.


Last update: November 20, 2021