Active Directory Certificate Services (AD CS) Integration: Overview

By Emalee Firestein

Learn how Kandji's AD CS integration works


Microsoft Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure (PKI) by which it can create, validate, and revoke certificates for internal use within an organization. The Kandji AD CS integration communicates with an existing Microsoft AD CS environment to request AD CS certificates. These certificates can then be delivered to devices via configuration profiles, enabling certificate-based authentication flows through which end users can access corporate resources such as enterprise Wi-Fi networks.

Configuration Steps

  1. Set up and configure the Kandji AD CS integration.
  2. Create an AD CS computer certificate template.
  3. Install the Kandji AD CS Connector Windows application.
  4. Create Library Items to deploy AD CS certificates to devices.

Network requirements

For a full list of network requirements for Active Directory Certificate Services, please see the Using Kandji in Enterprise Environments support article.

AD CS Integration Setup and Configuration

The AD CS integration is configured from the Kandji Integrations marketplace in your Kandji web app. Once the setup is complete, you can manage Kandji AD CS Connector servers, add your Microsoft AD CS certificate authority (CA) hosts, and create Library Items, all from the AD CS integration page. For more information, please see our AD CS Integration Setup and Configuration support article.

The Kandji AD CS Connector installer media is downloaded during the initial integration setup.

AD CS Computer Certificate Template

Kandji uses an AD CS computer certificate template when requesting AD CS certificates within Library Items. For more details, see our AD CS Create a Computer Certificate Template support article.

Kandji AD CS Connector Installation

The Kandji AD CS Connector is a native Windows .NET client application installed on a Windows server (2016 or newer) residing on your local network. The AD CS Connector leverages the WebSocket protocol over TCP port 443 to automatically establish a persistent trusted connection with your Kandji tenant. This makes the initial installation and setup very intuitive and, in most environments, removes the need to open specific ports. The AD CS Connector uses the Microsoft Remote Procedure Call framework to communicate with your local AD CS environment. Once installed, the AD CS Connector will be able to receive and facilitate certificate requests from and to Kandji on an ongoing basis.

Library Item Creation

Kandji can be used to create and distribute AD CS certificate configuration profiles to devices using Library Items.

Certificate Request Flow

  1. A certificate request is sent from Kandji to the Kandji AD CS Connector over the WebSocket connection (TCP 443).

  2. The AD CS Connector generates the certificate key pair (public and private) locally and sends the certificate signing request to Microsoft AD CS via DCE/RPC. Note: keys are never stored anywhere other than the managed endpoints where they have been installed via Library Items.

  3. AD CS processes the request, issues the certificate, and sends the signed certificate back to the AD CS Connector.

  4. The AD CS Connector forwards an encrypted .p12 file and request ID back to Kandji over the WebSocket.

  5. Finally, Kandji sends the certificate bundle (.p12) down to the client device in a configuration profile payload.