This guide applies to Mac computers

About Active Directory Certificate Services

Microsoft Active Directory Certificate Services (AD CS) creates an on-premises public key infrastructure (PKI) that lets organizations issue, validate, and revoke certificates for internal use. The Iru Endpoint AD CS integration works with your existing Microsoft AD CS setup to request certificates from AD CS. You can then push these certificates to devices through configuration profiles, which enables certificate-based authentication so users can access corporate resources like enterprise Wi-Fi networks.

Network Requirements

For a full list of network requirements for Active Directory Certificate Services, please see our Using Iru Endpoint on Enterprise Networks support article.

AD CS Computer Certificate Template

Iru Endpoint uses an AD CS computer certificate template when requesting AD CS certificates within Library Items. For more details, see our AD CS Create a Computer Certificate Template support article.

AD CS Integration Configuration

The AD CS integration is configured from the Iru Endpoint Integrations page in your Iru Endpoint web app. Once setup is complete, you can manage Iru Endpoint AD CS Connector servers, add your AD CS certificate authority (CA) hosts, and create Library Items, all from the AD CS integration page.

Iru Endpoint AD CS Connector Installation

The Iru Endpoint AD CS Connector is a native Windows .NET client application. It requires Windows Server 2016 or newer with the Microsoft .NET (Core) 8 or later runtime, and it is installed on a server that resides on your local network with line of sight to your CA. The AD CS Connector opens an outbound WebSocket connection over TCP port 443 to your Iru Endpoint tenant and keeps that trusted connection alive automatically, so no inbound firewall ports need to be opened for it. To talk to your local AD CS environment, the AD CS Connector uses the Microsoft Remote Procedure Call (DCE/RPC) interfaces that AD CS exposes. Once installed, the AD CS Connector receives certificate requests from Iru Endpoint and returns the results to it on an ongoing basis.
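The following PowerShell pre-flight check is an added example, not Iru Endpoint's own tooling. It verifies the four prerequisites named above on a candidate connector host: the OS build, a .NET 8 or later runtime, outbound TCP 443 to the tenant, and RPC reachability to the CA. The tenant hostname and the CA config string are assumed placeholders; replace them with your own values.

```powershell
# Added example (not Iru Endpoint's own tooling): pre-flight checks for an AD CS Connector host.
# Assumptions: $TenantHost and $CaConfig are placeholders you must replace.
$TenantHost = 'tenant.example.com'                     # assumed: your Iru Endpoint tenant hostname
$CaConfig   = 'ca01.corp.example.com\Corp-Issuing-CA'  # assumed: "<CA host>\<CA common name>"

# 1. OS: must be a server SKU at Windows Server 2016 (build 14393) or newer.
$os   = Get-CimInstance Win32_OperatingSystem
$osOk = ($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 14393)
"OS: $($os.Caption) build $($os.BuildNumber) -> $(if ($osOk) { 'OK' } else { 'UNSUPPORTED' })"

# 2. .NET runtime: a .NET (Core) 8+ runtime must be present; .NET Framework alone is not enough.
$runtimes = & dotnet --list-runtimes 2>$null
$netOk = $runtimes | Where-Object {
    ($_ -match '^Microsoft\.NETCore\.App (\d+)\.') -and ([int]$Matches[1] -ge 8)
}
".NET 8+ runtime: $(if ($netOk) { 'OK' } else { 'MISSING' })"

# 3. Outbound TCP 443 to the tenant. The WebSocket is outbound-only, so this is the only
#    network path the connector needs toward Iru Endpoint; no inbound rule is required.
$tcp = Test-NetConnection -ComputerName $TenantHost -Port 443 -WarningAction SilentlyContinue
"Outbound 443 to ${TenantHost}: $(if ($tcp.TcpTestSucceeded) { 'OK' } else { 'BLOCKED' })"

# 4. RPC reachability to the CA's request interface. certutil -ping uses the same
#    DCE/RPC path the connector will use for certificate requests.
& certutil -ping -config $CaConfig | Out-Null
"CA RPC ping ($CaConfig): $(if ($LASTEXITCODE -eq 0) { 'OK' } else { 'FAILED' })"
```

Run it in an elevated PowerShell session on the prospective connector host, under an account that is allowed to request certificates from the CA; a failure in check 4 usually points at RPC being blocked between the connector host and the CA rather than at the connector itself.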

Library Item Creation

Iru Endpoint can be used to create and distribute AD CS certificate configuration profiles to devices using the following Library Items:

Strong Certificate Mapping

To support Strong Certificate Mapping (required since Windows Update KB5014754), you need to be using Iru Endpoint Connector version 1.0.0.6 and add a URI Subject Alternative Name (SAN) that carries the AD CS strong mapping ID. In your Library Item's Subject Alternative Name (SAN) section, click Add to create a URI SAN, then enter this placeholder value exactly as written: $ADCS_STRONG_MAPPING_ID.

Certificate Request Flow

1. Send Certificate Request: Iru Endpoint sends a certificate request to the Iru Endpoint AD CS Connector through the WebSocket connection over TCP port 443.

2. Generate Key Pair: The AD CS Connector generates the certificate key pair (public and private keys) locally, then sends the certificate signing request to Microsoft AD CS using DCE/RPC. The private key is not kept on the connector; it is stored only on the managed endpoints it is deployed to via Library Items.

3. Process Certificate Request: AD CS processes the request, issues the certificate, and sends the signed certificate back to the AD CS Connector.

4. Return Encrypted Certificate: The AD CS Connector sends an encrypted .p12 file, along with the AD CS request ID, back to Iru Endpoint over the WebSocket connection.

5. Deliver Certificate to Device: Iru Endpoint delivers the certificate bundle (.p12 file) to the client device through a configuration profile payload.

(Figure: certificate request flow diagram)
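The PowerShell script below is an added example (not Iru Endpoint's or Microsoft's tooling) that serves both the Strong Certificate Mapping section and the request flow above. It checks that an issued certificate carries the SID-based strong mapping introduced by KB5014754 (a URI SAN of the form tag:microsoft.com,2022-09-14:sid:<SID>), confirms the SID belongs to the intended account, and then uses the request ID the connector returns in step 4 to pull the matching row from the CA database. The certificate path, account name, CA config string and request ID are assumed placeholders.

```powershell
# Added example (not Iru Endpoint's or Microsoft's tooling): verify the SID strong mapping on an
# issued certificate and audit the issuance by request ID in the CA database.
# Assumptions: all four values below are placeholders you must replace.
$CerPath   = 'C:\temp\issued.cer'                      # assumed: exported public certificate (.cer)
$Account   = 'CORP\MAC-LAB-01$'                        # assumed: account the cert is meant to map to
$CaConfig  = 'ca01.corp.example.com\Corp-Issuing-CA'   # assumed: "<CA host>\<CA common name>"
$RequestId = 1234                                      # assumed: request ID returned to Iru Endpoint

function Get-StrongMappingSid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # KB5014754 strong mapping: a URI SAN entry of the form tag:microsoft.com,2022-09-14:sid:<SID>.
    # The SAN extension OID is 2.5.29.17; Format($true) renders its entries as text, one per line.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    $text = $san.Format($true)
    if ($text -match 'tag:microsoft\.com,2022-09-14:sid:(S-1-5-[\d-]+)') { return $Matches[1] }
    return $null
}

$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$mappedSid   = Get-StrongMappingSid -Cert $cert
$expectedSid = (New-Object System.Security.Principal.NTAccount $Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

if (-not $mappedSid) {
    Write-Warning "No SID strong mapping in SAN; a DC in Full Enforcement mode will reject this certificate."
} elseif ($mappedSid -ne $expectedSid) {
    # A mismatch here means the certificate would authenticate as a different principal than intended.
    Write-Warning "Strong mapping SID $mappedSid does not match $Account ($expectedSid)."
} else {
    "Strong mapping OK: $mappedSid -> $Account (subject: $($cert.Subject))"
}

# Audit: the request ID returned alongside the .p12 in step 4 is the CA database key for this
# issuance. Pull the row so the requester, template and validity can be cross-checked.
& certutil -config $CaConfig -view -restrict "RequestID=$RequestId" `
    -out 'RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter,SerialNumber'
```

Export the .cer from the device's keychain or from the CA database rather than from the .p12, so the check never needs the private key. The RequesterName column should show the account the connector runs as, which is a quick way to confirm that a given issuance actually came through the connector and not some other path to the same template.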