You need to configure the domain controller to trust the Certificate Authority that issues the smart credential.
Note: If the Identity as a Service Certificate Authority resides on the Domain Controller, then this step is not required.
Configure the Domain Controller to trust the issuing CA
1. Export the CA trust chain:
● For an Entrust Managed PKI Certificate Authority, see Export an Entrust Managed PKI CA trust chain.
● For Microsoft Certificate Authorities not tied to the domain controller, see Export a Microsoft CA trust chain.
● For PKIaaS CA issued smart credentials, see Configure domain controller certificates.
2. Run the following commands on the domain controller to trust the CA:
certutil -f -dspublish trustedca.cer RootCA
certutil -f -dspublish intermediateca1.cer NTAuthCA
certutil -f -dspublish intermediateca1.cer SubCA
certutil -f -dspublish intermediateca2.cer NTAuthCA
certutil -f -dspublish intermediateca2.cer SubCA
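
To confirm the publish step took effect, the following added example (not part of the original procedure or of Entrust's documentation) reads the three Active Directory containers that certutil -dspublish writes to for the RootCA, NTAuthCA and SubCA types and checks that each exported certificate's thumbprint is present. It assumes the .cer file names used in the commands above, that it is run from the folder holding those files, and that the account can read the Configuration partition.

```powershell
# Added example: verify that the exported CA certificates are published in AD.
# File names are taken from the certutil commands above; change them if yours differ.
$expected = [ordered]@{
    'trustedca.cer'       = @('RootCA')
    'intermediateca1.cer' = @('NTAuthCA', 'SubCA')
    'intermediateca2.cer' = @('NTAuthCA', 'SubCA')
}

# Containers under Public Key Services that correspond to each -dspublish type.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = "$($rootDse.configurationNamingContext)"
$pks      = "CN=Public Key Services,CN=Services,$configNC"
$containers = @{
    RootCA   = "CN=Certification Authorities,$pks"
    NTAuthCA = "CN=NTAuthCertificates,$pks"
    SubCA    = "CN=AIA,$pks"
}

function Get-PublishedThumbprint {
    param([string]$DistinguishedName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DistinguishedName")
    $searcher.Filter      = '(cACertificate=*)'
    $searcher.SearchScope = 'Subtree'   # includes the base object itself
    [void]$searcher.PropertiesToLoad.Add('cACertificate')
    foreach ($result in $searcher.FindAll()) {
        foreach ($bytes in $result.Properties['cacertificate']) {
            try {
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$bytes).Thumbprint
            } catch {
                # Some directory objects hold an empty placeholder value; skip it.
            }
        }
    }
}

foreach ($file in $expected.Keys) {
    # .NET resolves relative paths against the process directory, so pass a full path.
    $path = (Resolve-Path -LiteralPath $file).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
    foreach ($type in $expected[$file]) {
        $published = @(Get-PublishedThumbprint $containers[$type]) -contains $cert.Thumbprint
        [pscustomobject]@{
            File       = $file
            Type       = $type
            Thumbprint = $cert.Thumbprint
            Published  = $published
        }
    }
}
```

Every row should show Published as True; a False row means the matching certutil -dspublish command did not complete or was run with a different file.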