You must obtain the root certificate from the CA that signed the certificates on the smart cards presented by your users.

If you do not have the root certificate of the CA that signed the certificates on the smart cards presented by your users, you can export a root certificate from a CA-signed user certificate or a smart card that contains one. See Export a Root Certificate from a User Certificate.

1. Obtain the root certificate from one of the following sources.

   - A Microsoft IIS server running Microsoft Certificate Services. See the Microsoft TechNet Web site for information on installing Microsoft IIS, issuing certificates, and distributing certificates in your organization.
   - The public root certificate of a trusted CA. This is the most common source of a root certificate in environments that already have a smart card infrastructure and a standardized approach to smart card distribution and authentication.

2. Select a certificate to use for smart card authentication.

   The signing chain lists a series of signing authorities. The best certificate to select is usually the intermediate authority above the user certificate.

3. Verify that the authority does not sign other certificates on the card.

Add the root certificate to a server truststore file. See Add the Root Certificate to a Server Truststore File.
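Steps 2 and 3 as an added example (not part of the original documentation): the script reads `openssl x509 -noout -subject -issuer` output for each certificate exported from a card, walks the signing chain up from the user certificate, and lists any other certificate on the card signed by the authority directly above it. The certificate names are constructed, the function names are hypothetical, and reading step 3 as "no other certificate on the card names that authority as its issuer" is an assumption.

```python
import re

# Constructed sample: `openssl x509 -noout -subject -issuer` output for each
# certificate exported from one card. All names are made up.
CARD_CERTS = """\
subject=CN = Example Root CA
issuer=CN = Example Root CA
subject=CN = Example Issuing CA 1
issuer=CN = Example Root CA
subject=CN = alice (logon)
issuer=CN = Example Issuing CA 1
subject=CN = alice (email signing)
issuer=CN = Example Issuing CA 1
"""

def normalize(dn):
    """Drop spacing around '=' and ',' so DNs compare equal across formats."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip())

def parse_pairs(text):
    """Return [(subject, issuer), ...] from alternating subject=/issuer= lines."""
    fields = re.findall(r"^\s*(subject|issuer)\s*=\s*(.+?)\s*$", text, re.M)
    subjects = [normalize(v) for k, v in fields if k == "subject"]
    issuers = [normalize(v) for k, v in fields if k == "issuer"]
    if len(subjects) != len(issuers):
        raise ValueError("unpaired subject/issuer lines")
    return list(zip(subjects, issuers))

def signing_chain(certs, user_subject):
    """Names from the user certificate upward; assumes subjects are unique."""
    by_subject = dict(certs)
    chain = [normalize(user_subject)]
    while chain[-1] in by_subject:
        issuer = by_subject[chain[-1]]
        if issuer in chain:  # self-signed root reached (or a loop)
            break
        chain.append(issuer)
    return chain

def check_authority(certs, user_subject):
    """Return (authority above the user cert, other certs on the card it signed)."""
    user = normalize(user_subject)
    chain = signing_chain(certs, user)
    if len(chain) < 2:
        raise ValueError("issuer of the user certificate is unknown")
    authority = chain[1]
    others = [s for s, i in certs if i == authority and s not in (user, authority)]
    return authority, others

if __name__ == "__main__":
    print(check_authority(parse_pairs(CARD_CERTS), "CN=alice (logon)"))
```

A non-empty second element means the selected authority also signed another certificate on the card, which is the condition step 3 asks you to rule out.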