Export a Microsoft CA trust chain

You must export a user's smart credential certificate authority to their Windows Domain if a user wants to use their smart credential for Windows Smart Card Logon (SCLO). The CA certificates exported from an Identity as a Service account are contained in a zip file. The zip file contains the following files:

●        trustedca.cerThe root CA that should be loaded into the Windows Trusted CA of the user using their mobile Smart Credential to achieve smart card logon.  

●       intermediatecaX.caThe intermediate certificates that should be loaded into the Windows Intermediate CA store of the appropriate users.

Note: The Microsoft CA might only have a single root CA. In this case, intermediatecaX.ca will not be present.

See the Entrust Certificate Agent for Windows Smart Card Logon Integration Guide for more information about configuring a CA for SCLO.

Export the Microsoft CA trust chain

1.      Click > Resources > Certificate Authorities. The Certificate Authorities page appears.

2.      Click for the Microsoft CA you want to export. The Export CA Trust Chain dialog box appears.

3.      Click Export to download the CA zip file.

Tip: If the certificate trust chain fails to download, check the Gateway password agent logs for errors and the Microsoft CA Proxy log.