Microsoft AD CS
Issue from your Active Directory Certificate Services CA via CES/CEP or WSTEP enrollment. Templates, NTLM/Kerberos auth, and mutual-TLS to the enrollment endpoint.
01 CES/CEP vs WSTEP
AD CS exposes two HTTPS-based enrollment families:
- CEP (Certificate Enrollment Policy) returns the list of templates available to the caller.
- CES (Certificate Enrollment Service) submits the CSR and returns the issued certificate.
- WSTEP is a single endpoint that does both — used by older AD CS deployments and by network devices.
CertAutoPilot speaks all three. Pick whichever your AD CS installation has enabled.
02 Prerequisites
- An AD CS server with the CES/CEP roles or WSTEP installed.
- A service account in AD with permission to Read and Enroll the templates you want to use.
- Network reachability from the worker to the enrollment endpoint (typically port 443 on the CA host or an IIS frontend).
03 Create the profile
- Settings → CA Providers → New → Microsoft AD CS.
- Endpoint URL — for CES/CEP, paste the policy URL (ends with /CEP/service.svc/CEP).
- Authentication — Username/password (NTLM), or upload a client certificate for mutual-TLS.
- Optional: TLS trust — if your CA chain isn't system-trusted, paste the issuing root.
- Save. The server fetches the policy, lists available templates, and stores the binding.
04 Authentication modes
| Mode | Use when |
|---|---|
| Username/password (NTLM) | The most common. Pin to a dedicated service account that holds Read and Enroll on only the templates it needs. |
| Client certificate (mTLS) | Highest assurance. Issue the CertAutoPilot worker its own AD CS cert and use it to authenticate to the policy/enrollment endpoint. |
| Kerberos | Available when the worker host is domain-joined; usually only useful in pure-Windows clusters. |
05 Templates
When issuing, the operator picks one of the templates returned by CEP. Common templates: WebServer, Computer, EnrollmentAgent. The template controls subject format, key usages, and validity period — CertAutoPilot honours those constraints and rejects mismatched CSR fields client-side before sending to the CA.
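The CEP listing from section 01 and the client-side template check described above, as an added example that is not CertAutoPilot's own code. It parses a constructed GetPolicies response (element names and namespace assumed from the public MS-XCEP specification, with only a few of the real attributes) and gates a request's key size against the template's minimum before anything is sent to CES.

```python
import xml.etree.ElementTree as ET

# MS-XCEP enrollment-policy namespace (assumption: taken from the public
# MS-XCEP specification, not from CertAutoPilot's own code).
XCEP = "{http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy}"

# Constructed sample GetPoliciesResponse with two templates; a real response
# sits inside a SOAP envelope and carries many more attributes per policy.
SAMPLE_RESPONSE = """<GetPoliciesResponse xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<response><policies>
<policy><attributes><commonName>WebServer</commonName>
<certificateValidity><validityPeriodSeconds>63072000</validityPeriodSeconds></certificateValidity>
<privateKeyAttributes><minimalKeyLength>2048</minimalKeyLength></privateKeyAttributes>
</attributes></policy>
<policy><attributes><commonName>EnrollmentAgent</commonName>
<certificateValidity><validityPeriodSeconds>31536000</validityPeriodSeconds></certificateValidity>
<privateKeyAttributes><minimalKeyLength>4096</minimalKeyLength></privateKeyAttributes>
</attributes></policy>
</policies></response></GetPoliciesResponse>"""


def parse_templates(xml_text):
    """Map each template's commonName to the constraints a client can check locally."""
    templates = {}
    for policy in ET.fromstring(xml_text).iter(XCEP + "policy"):
        attrs = policy.find(XCEP + "attributes")
        seconds = attrs.findtext(f"{XCEP}certificateValidity/{XCEP}validityPeriodSeconds")
        min_bits = attrs.findtext(f"{XCEP}privateKeyAttributes/{XCEP}minimalKeyLength")
        templates[attrs.findtext(XCEP + "commonName")] = {
            "validity_days": int(seconds) // 86400,
            "min_key_bits": int(min_bits),
        }
    return templates


def check_request(templates, template_name, key_bits):
    """Client-side gate run before the CSR goes to CES; returns problems (empty = ok)."""
    template = templates.get(template_name)
    if template is None:
        # CEP only lists templates the caller may Read and Enroll, so a missing
        # name usually points at a permissions problem rather than a typo.
        return [f"template {template_name!r} not offered by CEP for this account"]
    problems = []
    if key_bits < template["min_key_bits"]:
        problems.append(
            f"key is {key_bits} bits; template requires at least {template['min_key_bits']}")
    return problems
```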
06 Renewal
Renewal works the same as issuance — submit a new CSR against the same template. CertAutoPilot keeps the same logical certificate identity in the UI; the underlying X.509 certificate changes and the history is preserved.
Troubleshooting
Policy fetch returns 401
Either the credentials are wrong or NTLM/Kerberos is disabled in the IIS authentication settings of the policy site. Test with curl --ntlm -u 'DOMAIN\user' <url> from the worker host; quote the user so the shell keeps the backslash, and leave the password off the command line so curl prompts for it.
Template not visible
The service account is missing the Enroll permission. Open the template in Certificate Templates Console → Security tab → grant Enroll to the service account.
TLS handshake fails
The IIS frontend uses an internal CA your worker doesn't trust. Paste the issuing root into the profile's TLS trust field.