For CAs that are not well known, you must add the root CA certificate and intermediate certificate in Active Directory. These steps allow the root CA certificate to be installed in your client systems' Trusted Root stores. For example, you might need to take these steps if your organization uses an internal certificate service.

If your SSL server certificates are signed by a well known CA, you do not have to add certificates in Active Directory. For well known CAs, the operating system venders preinstall the root certificate on client systems.

Specifically, if you use a little-known CA to provide SSL server certificates, you must add the root certificate to the Enterprise NTAuth store and the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.

If your SSL server certificates are signed by an little-known intermediate CA, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.

1

On your Active Directory server, use the certutil command to publish the certificate to the Enterprise NTAuth store.

For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA

2

On your Active Directory server, select Start > All Programs > Administrative Tools > Active Directory Users and Computers.

3

Right-click your domain and click Properties.

4

On the Group Policy tab, click Open to open the Group Policy Management plug-in.

5

Right-click Default Domain Policy and click Edit.

6

Expand the Computer Configuration section and open Windows Settings\Security Settings\Public Key.

7

Import the certificate.

Option

Description

Root certificate

a

Right-click Trusted Root Certification Authorities and select Import.

b

Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.

Intermediate certificate

a

Right-click Intermediate Certification Authorities and select Import.

b

Follow the prompts in the wizard to import the intermediate certificate (for example, intermediateCA.cer) and click OK.

8

Close the Group Policy window.

All of the systems in the domain now have a copy of the root certificate in their Trusted Root stores and, if appropriate, a copy of the intermediate certificate in their Intermediate Certification Authority stores.