Axidian CertiFlow can work with Microsoft CAs that are located outside of the domain hosting the CertiFlow server.
This could be a scenario where a company has several independent domains with separate CAs in each domain, with Axidian CertiFlow deployed only in one of those domains.
When issuing a smart card, Axidian CertiFlow sends the request to the MSCA Proxy, and the Proxy submits it to the target CA on the user's behalf, signing the request with the Enrollment Agent certificate.
Follow these steps to install and configure the MSCA Proxy application:
1. Configure the Enrollment Agent certificate template for the service account and issue the certificate.
   The Enrollment Agent certificate, together with its private key, must reside in the local computer certificate store of the workstation on which the CertiFlow.MSCA.Proxy component is installed, and the account the Proxy runs under must have access to that private key.
2. Install the CertiFlow.MSCA.Proxy.msi component on a workstation in the same domain as the external CA.
   System requirements for Proxy installation are the same as for Axidian CertiFlow server components.
3. In the Proxy configuration, fill in the caProxySettings element: the target CA in the ca parameter (in the form server\CA name), the service account and its password in the userName and password parameters, and the thumbprint of the Enrollment Agent certificate in the enrollmentAgentCertificateThumbprint parameter (a hexadecimal string without spaces).
   <caProxySettings ca="servercm.external.com\EXTERNAL-CA" userName="EXTERNAL\extserviceca" password="p@ssw0rd" enrollmentAgentCertificateThumbprint="dbd1859d27395860843643ebe17e2ee3fc463aba"/>
   The password is stored in clear text, so restrict the file system permissions on the configuration file to administrators and the identity the Proxy runs under.
4. Specify the service account in the allow users parameter of the authorization section. The rules are evaluated top down, so anonymous requests (?) are rejected first, the service account is allowed, and every other account (*) is denied:
   <authorization> <deny users="?" /> <allow users="EXTERNAL\extserviceca" /> <deny users="*" /> </authorization>
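The following PowerShell script is an added example and is not part of the Axidian CertiFlow documentation or product. It checks the prerequisites of the steps above on the Proxy host: it locates the Enrollment Agent certificate in the local computer store by its EKU, normalises the thumbprint to the form the caProxySettings element expects, checks that the service account can read the private key, pings the CA with certutil, and writes the thumbprint into the configuration while verifying the authorization rules. The CA name and service account are taken from the example above; the configuration file path and the assumption that caProxySettings and authorization live in that file are the author's assumptions, so adjust them to your installation.

```powershell
# Added example, not part of the Axidian CertiFlow documentation or product.
# Pre-flight check for an MSCA Proxy host; run it as an administrator on that host.
# The CA name and service account come from the page example; the config file
# path is an assumption (point it at the actual Proxy configuration file).
param(
    [string]$CaConfig       = 'servercm.external.com\EXTERNAL-CA',
    [string]$ServiceAccount = 'EXTERNAL\extserviceca',
    [string]$ConfigPath     = 'C:\inetpub\CertiFlow.MSCA.Proxy\Web.config'   # assumed
)
$ErrorActionPreference = 'Stop'

# 1. Locate the Enrollment Agent certificate in the local computer store by its
#    EKU (Certificate Request Agent, OID 1.3.6.1.4.1.311.20.2.1). A certificate
#    in a user store is invisible to a service, so only LocalMachine\My counts.
$eaOid = '1.3.6.1.4.1.311.20.2.1'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.EnhancedKeyUsageList.ObjectId -contains $eaOid } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid Enrollment Agent certificate with a private key in Cert:\LocalMachine\My' }

# The config expects the thumbprint as plain hex without spaces. Copying it from the
# certificate dialog often brings spaces or an invisible leading character along.
$thumbprint = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
Write-Host "Enrollment Agent certificate: $($cert.Subject), thumbprint $thumbprint, valid until $($cert.NotAfter)"

# 2. The Proxy signs requests with this key, so the account it runs as needs read
#    access to the key file. CNG and CAPI keys live in different directories.
function Get-PrivateKeyFile([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        return $null   # non-RSA or hardware-backed key: check permissions by hand
    }
    foreach ($dir in "$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys") {
        $path = Join-Path $dir $name
        if (Test-Path $path) { return $path }
    }
    return $null
}
$keyFile = Get-PrivateKeyFile $cert
if ($keyFile) {
    # Direct ACEs only; a right granted through group membership is not detected here.
    $readRight = [int][System.Security.AccessControl.FileSystemRights]::Read
    $canRead = (Get-Acl $keyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ServiceAccount -and
        (([int]$_.FileSystemRights -band $readRight) -eq $readRight)
    }
    if (-not $canRead) { Write-Warning "$ServiceAccount has no direct Read ACE on $keyFile (certlm.msc > Manage Private Keys)" }
} else {
    Write-Warning 'Private key file not found; verify private key permissions manually'
}

# 3. The CA must answer DCOM requests from this host. certutil exits non-zero when
#    the CA is unreachable. Run the script as the service account to test its access too.
certutil -config $CaConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CA $CaConfig did not answer 'certutil -ping'" }

# 4. Write the store's thumbprint into caProxySettings so the configuration cannot
#    drift from the certificate actually installed, and verify that the authorization
#    rules allow the service account. The password attribute is left untouched.
[xml]$cfg = Get-Content -Raw -Path $ConfigPath
$settings = $cfg.SelectSingleNode('//caProxySettings')
if (-not $settings) { throw "No caProxySettings element in $ConfigPath" }
$settings.SetAttribute('ca', $CaConfig)
$settings.SetAttribute('userName', $ServiceAccount)
$settings.SetAttribute('enrollmentAgentCertificateThumbprint', $thumbprint)
$allowed = @($cfg.SelectNodes('//authorization/allow') | ForEach-Object { $_.GetAttribute('users') })
if ($allowed -notcontains $ServiceAccount) { Write-Warning "authorization section does not allow $ServiceAccount" }
$cfg.Save($ConfigPath)
# The password is stored in clear text: keep the file readable only by
# administrators and the identity the Proxy runs under, for example
#   icacls $ConfigPath /inheritance:r /grant "Administrators:(F)" "SYSTEM:(F)" "${ServiceAccount}:(R)"
```

The private key check looks only at ACEs granted directly to the service account, so a warning can be a false positive when the right comes through a group; the certutil ping runs under whoever executes the script, so run it under the service account (or with runas) to confirm that account's DCOM access to the CA rather than your own.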