ADCS Connector

The Zaita ADCS Connector integrates the Zaita platform with Microsoft Active Directory Certificate Services (AD CS), enabling automated certificate discovery and provisioning against your existing Microsoft PKI infrastructure.

Overview

Active Directory Certificate Services is the certificate authority role built into Windows Server and widely deployed across enterprise environments. The ADCS Connector bridges the gap between your existing Microsoft PKI and the Zaita platform, providing centralised visibility and management of certificates issued by AD CS — without requiring changes to your existing CA infrastructure.

The Connector is deployed as a Windows Service on a system within your network that has connectivity to the domain controllers running AD CS. It communicates with the Zaita platform exclusively through a Bridge — direct communication with the SaaS control plane is not supported. This is a mandatory security requirement of the platform architecture, ensuring that all communication between the Connector and the SaaS is routed through an authenticated, encrypted channel via the Bridge.

Capabilities

Certificate Discovery

The ADCS Connector queries your AD CS infrastructure to discover certificates that have been issued, including their full metadata — subject, issuer, validity period, template, serial number, and revocation status. Discovered certificates are imported into the Zaita certificate inventory, providing centralised visibility alongside certificates from other sources.

Discovery is particularly valuable for organisations with large or long-established AD CS deployments where the full scope of issued certificates may not be well understood. It surfaces certificates across all templates and enrolment methods, regardless of how they were originally requested.

Certificate Provisioning

The Connector enables the Zaita platform to request and issue certificates through your existing AD CS certificate authorities. Provisioning requests are submitted through the Zaita web portal or API and fulfilled by the Connector against AD CS using native Microsoft enrolment protocols.

This allows organisations to consolidate certificate provisioning workflows within the Zaita platform while continuing to use their existing AD CS infrastructure as the issuing certificate authority. Certificate policies defined in the Zaita platform are enforced alongside any templates and constraints configured within AD CS.

Architecture

The ADCS Connector sits between the Zaita Bridge and your AD CS domain controllers:

Zaita SaaS ◄──── Bridge ◄──── ADCS Connector ────► AD CS Domain Controllers
 (cloud)        (on-prem)       (on-prem)             (on-prem)

All communication with the Zaita platform is mediated by the Bridge. The Connector never initiates outbound connections to the internet. The Bridge handles all SaaS communication, payload encryption and decryption, and trust token management — the Connector operates entirely within your internal network boundary.

The Connector communicates with AD CS domain controllers using native Windows protocols (DCOM/RPC), consistent with standard Microsoft certificate enrolment client behaviour.

Deployment

Prerequisites

  • A Bridge deployed and registered within the same network, with connectivity to the system hosting the Connector
  • A Windows Server host with network connectivity to the domain controllers running AD CS
  • A domain-joined service account with appropriate permissions to query and enrol against the target certificate authorities
  • .NET Runtime installed on the host system

Installation

The ADCS Connector is distributed as a Windows installer (.msi). Installation registers the Connector as a Windows Service that starts automatically and runs under the configured service account.

During installation, you will be prompted to provide:

Parameter                    Description
Bridge address               The hostname or IP address of the Bridge that this Connector will communicate through
Service account credentials  The domain account under which the Windows Service will run
Target CA configuration      The name and hostname of the AD CS certificate authority to connect to

Once installed, the Connector registers with the platform through the Bridge and begins accepting work.

Service Account Permissions

The service account used by the ADCS Connector requires the following permissions:

  • Read access to the certificate authority to enumerate issued certificates for discovery
  • Enrol permissions on the relevant certificate templates to submit provisioning requests
  • Read access to Active Directory for certificate template and CA configuration discovery

Follow the principle of least privilege — grant only the permissions necessary for the specific certificate authorities and templates that the Connector will operate against. Do not use a domain administrator account.
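A way to verify the least-privilege requirement before installing the Connector: the PowerShell below is an added example, not part of the Zaita documentation or product. It assumes a domain-joined host with the RSAT ActiveDirectory module, and the account and template names ('CORP\svc-zaita-adcs', 'WebServer', 'Machine') are placeholders.

```powershell
# Added example (not Zaita's own code): audit what a service account can do on
# an AD CS certificate template. The Connector needs the Enroll extended right
# and nothing that lets it modify the template itself.
Import-Module ActiveDirectory

# Well-known GUID of the "Certificate-Enrollment" extended right in AD.
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Test-ConnectorTemplateRights {
    param(
        [Parameter(Mandatory)] [string] $TemplateName,    # template cn, e.g. 'WebServer'
        [Parameter(Mandatory)] [string] $ServiceAccount   # 'DOMAIN\name'; pass a group name to check group ACEs
    )
    # Templates live in the Configuration naming context, not the domain NC.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $acl = Get-Acl -Path "AD:\$dn"   # AD: drive is provided by the ActiveDirectory module

    # Only the ACEs that name the principal we are auditing.
    $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -ieq $ServiceAccount }

    # Enroll is granted as an object-specific ExtendedRight ACE carrying the GUID above.
    $hasEnroll = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $EnrollRightGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    # Rights that let the account rewrite the template; a discovery/enrolment account never needs them.
    $excess = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner, WriteProperty'
    $overPriv = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $excess)
    }

    [pscustomobject]@{
        Template       = $TemplateName
        Account        = $ServiceAccount
        CanEnroll      = [bool]$hasEnroll
        OverPrivileged = [bool]$overPriv
        ExcessRights   = ($overPriv | ForEach-Object { $_.ActiveDirectoryRights }) -join '; '
    }
}

# Every template the Connector will provision against should report
# CanEnroll = True and OverPrivileged = False for the dedicated account.
'WebServer', 'Machine' | ForEach-Object {
    Test-ConnectorTemplateRights -TemplateName $_ -ServiceAccount 'CORP\svc-zaita-adcs'
} | Format-Table -AutoSize
```

Rights granted through group membership only appear when you audit the group itself, so run the check against each group the service account belongs to as well.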

High Availability

Multiple instances of the ADCS Connector can be deployed for resilience. Each instance should be installed on a separate Windows host with independent connectivity to the target AD CS infrastructure. All instances communicate through a Bridge (which may itself be deployed in a high-availability configuration).

The platform distributes work across available Connector instances automatically. If one instance becomes unavailable, operations are routed to the remaining instances without manual intervention.

For organisations with multiple AD CS certificate authorities across different sites or domains, deploy a Connector instance in proximity to each CA to minimise latency and avoid cross-site dependencies.

Network Requirements

Direction  Protocol    Destination                Purpose
Inbound    HTTPS       Bridge                     Receive job payloads and return results
Outbound   DCOM/RPC    AD CS domain controllers   Certificate enrolment and discovery queries
Outbound   LDAP/LDAPS  Active Directory           Template and CA configuration discovery

No internet access is required. All platform communication is handled by the Bridge.

Best Practices

  • Deploy in proximity to your domain controllers — the Connector should have low-latency, reliable connectivity to the AD CS infrastructure it manages. Avoid routing Connector traffic across WAN links where possible.
  • Use a dedicated service account — create a purpose-built domain service account with only the permissions required for discovery and enrolment. Audit this account's activity through your existing Active Directory monitoring.
  • Deploy multiple instances — for any production environment, deploy at least two Connector instances on separate hosts to ensure continuity of discovery and provisioning operations.
  • Monitor Connector status — the health and connectivity status of each Connector instance is visible in the Zaita web portal under Admin > Connectors. Configure alerts for disconnected instances so that availability issues are identified promptly.
  • Keep the Connector updated — updates are managed through the Zaita platform and delivered via the Bridge. Apply updates promptly to ensure compatibility and access to the latest capabilities.

Next Steps