You must export a user's smart credential certificate authority to their Windows Domain if a user wants to use their smart credential for Windows Smart Card Logon (SCLO). The CA certificates exported from an Identity as a Service account are contained in a zip file. The zip file contains the following files:
You can export the following CAs from Identity as a Service:
● Restricted CA for Shared MSO CA
● Normal Root CA for dedicated MSO CA
See the Entrust Certificate Agent for Windows Smart Card Logon Integration Guide for more information about configuring a CA for SCLO.
Export the Entrust CA trust chain
1. Click > Resources > Certificate Authorities.
The Certificate Authorities page appears.
2. Click for the CA you want to export.
The Export CA Trust Chain dialog box appears.
3. Select the type of CA to export.
● Select Restricted Trust Root CA for MSO Shared CAs if the CA is also being used by other users.
● Select Normal Root CA for Dedicated CAs if the CA is dedicated to your account.
4. Optional: Select Replace Existing CA to force Identity as a Service to replace the existing Identity as a Service CA with a newly generated one.
This option is available only if you select Restricted Trust Root CA for MSO Shared CA as the CA.
WARNING: Replacing your existing CA causes any previous certificates to be deleted. If you replace the existing CA on Identity as a Service, you must also replace any CA certificates previously loaded into the Windows Domain with the newly generated one.
5. Click Export to download the CA zip file.
Tip: If the certificate trust chain fails to download, check the Gateway password agent logs for errors. If there is nothing significant, check the Microsoft CA Proxy log.
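Before loading the exported certificates into the Windows Domain, it helps to record what the zip actually contains. The following PowerShell is an added example, not part of the Entrust documentation: it lists each certificate's subject, issuer, validity and thumbprint, and shows whether that thumbprint matches a CA certificate already loaded into the domain. The zip path and the thumbprint list are placeholders, and the script assumes the zip holds certificate files in DER or Base64 form.

```powershell
# Added example. Both values below are placeholders (assumptions), not values from the product.
$zipPath           = 'C:\Temp\ca-export.zip'          # zip downloaded in step 5
$domainThumbprints = @('<THUMBPRINT-ALREADY-IN-DOMAIN>') # CA certs previously loaded into the domain

# Extract into a fresh, uniquely named folder so stale files never mix with the new export.
$dest = Join-Path $env:TEMP ('ca-export-' + [guid]::NewGuid().ToString('N'))
Expand-Archive -LiteralPath $zipPath -DestinationPath $dest

$now = Get-Date
$report = foreach ($file in Get-ChildItem -LiteralPath $dest -Recurse -File) {
    try {
        # Loads DER or Base64-encoded certificate files; throws on anything else.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
    } catch {
        Write-Warning "$($file.Name): could not be parsed as an X.509 certificate; skipped"
        continue
    }
    [pscustomobject]@{
        File            = $file.Name
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)   # expected for a root CA
        NotBefore       = $cert.NotBefore
        NotAfter        = $cert.NotAfter
        ValidNow        = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        Thumbprint      = $cert.Thumbprint                   # SHA-1 of the DER encoding
        AlreadyInDomain = ($domainThumbprints -contains $cert.Thumbprint)
    }
}

$report | Format-List

# Certificates outside their validity window should not be loaded into the domain.
$report | Where-Object { -not $_.ValidNow } |
    ForEach-Object { Write-Warning "$($_.File): not valid at $now" }

# After Replace Existing CA, the new CA certificate will not match anything in the domain.
$report | Where-Object { -not $_.AlreadyInDomain } |
    ForEach-Object { Write-Warning "$($_.File): thumbprint $($_.Thumbprint) is not in the domain list" }

Remove-Item -LiteralPath $dest -Recurse -Force
```

A thumbprint reported as not in the domain list after Replace Existing CA is the expected sign that the previously loaded CA certificate is stale and must be replaced.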