Link Search Menu Expand Document

Certdog ADCS Driver

This component is the interface to ADCS (Active Directory Certificate Services)

You have the option of installing this together with the other components but it can also be installed separately and/or on other machines

Multiple instances of the driver can be installed in the same domain


  • Windows Server 2016
  • Windows Server 2019
  • .NET Framework 4.8 Runtime

The server hosting the driver must be in the same domain as the Microsoft CA you wish to obtain certificates from

Ensure that port 27017 is open to wherever the database is hosted i.e. the server hosting the database must allow incoming connections on port 27017 from the machine hosting the ADCS Driver. This is only required if the ADCS driver is being installed on a separate machine


  1. From the .\certdog\install\install directory, run: install-adcs-service.ps1

  2. The installer will attempt to locate the database URL but if prompted, you must enter this

  3. The full URL starts: mongodb://certmanuser...

  4. If you do not know what this value is, in the main installation, locate this file:

  5. .\certdog\config\ the database URL is referenced by the property e.g.

In this case the URL that must be entered is:


This URL contains sensitive information. Do not store unprotected. Once entered the ADCS driver will store this value encrypted

Monitor the system’s Event Log for entries in the Application log with Source: CertdogAdcsDriver

If you see entries such as the following:

Unable to connect to database at Details: Connection  to database is down. Check URL and connectivity - including any whitelists Will  try again in 30 seconds

This indicates that either the database URL was not set correctly or the TLS certificate is not trusted

If the UI is working OK then the most likely cause is that the TLS certificate is not trusted. If you are still using the default certificate bundled with the system, you can (temporarily) install this certificate:


Into the Local Machine Trusted Root Certification Authorities store. Then restart the ADCS service

If this does not resolve the issue, check that the main server’s 27017 port can be accessed from this location and the database URL entered is correct


Login to the UI and select Administration > Agents from the menu

You should see an entry for the agent. It will be named the FQDN of the machine it resides on

Click this entry and select Approve

The agent will now be able to process requests

Note that when configuring a Certificate Issuer for a Microsoft CA you must select the agent that you want to process requests for that CA

File Logging

To enable more logging, set the following environment variable to true:



And restart the Krestfield Adcs Driver from the services snapin

The log file will be written to:

Environment.SpecialFolder.CommonApplicationData \Krestfield\AdcsAgent

Which is here in Windows Server 2019


Note: This log provides debug level, verbose output and may be useful for tracing issues but the log file will continue to grow. You should therefore, switch this level of logging off when not required


By default, the driver creates a number of threads (typically 5) to process certificate requests. But this value can be tuned, if required

To change this value, set the following environment variable to the number of threads required:



Restart the Krestfield Adcs Driver from the services snapin