How to publish an offline root certificate to AD.

    Question

  • I am establishing a PKI consisting of an offline root CA, and an enterprise subordinate issuing CA, both running W2K8 R2 EE.

    I have exported my root CA cert and run the following command to publish it in AD:

    certutil -dspublish -f <cert filename> -NTAuthCA

    Certutil says that the command completed successfully.

    My questions:

    • Is that all I need to do to make the root ca cert visible to AD member computers that need to locate this cert when following the trust chain?
    • What can I look at in AD to see that the command worked properly? (I have looked at the Certification Authorities container in the configuration partition, but can't see any evidence of the cert. The certutil command also told me that the enterprise cert list was empty.)

    Regards,

    Confused.

    Tuesday, February 15, 2011 2:56 AM

Answers

  • You have done the incorrect command

    1) For the root CA, run certutil -dspublish -f <certfilename> RootCA

    2) Only issuing CAs that issue authentication certificates are placed in the nTAuth store (this is done automatically when you install an enterprise subordinate issuing CA).

    3) You can view the actual containers by running pkiview.msc on the subordinate issuing CA. You can right-click the console root and view the AD containers. One tab per container (and you can delete the incorrectly published root CA cert)


    Brian

    • Proposed as answer by Vadims Podans MVP Tuesday, February 15, 2011 7:14 AM
    • Marked as answer by Wake-Up-Jeff Wednesday, February 16, 2011 10:25 PM
    Tuesday, February 15, 2011 4:23 AM
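To answer the "what can I look at in AD" part of the question from a command line, here is an added PowerShell check (not from this thread, and not a Microsoft tool) that lists the certificates in the three Configuration-partition containers certutil -dspublish writes to, and flags a self-signed certificate sitting in NTAuthCertificates. It assumes it is run on a domain-joined host with read access to the Configuration partition, with no RSAT modules required.

```powershell
# Added example: enumerate the AD PKI containers populated by "certutil -dspublish"
# (RootCA -> Certification Authorities + AIA; NTAuthCA -> NTAuthCertificates).
# Assumption: run as a domain user on a domain member; uses plain ADSI, no AD module.
$cfg = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
$pks = "CN=Public Key Services,CN=Services,$cfg"

function Get-PublishedCaCerts {
    param([string]$Container)   # e.g. "CN=Certification Authorities"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$Container,$pks"
    # Subtree includes the base object, so this matches both the per-CA child
    # objects under AIA / Certification Authorities and the single
    # NTAuthCertificates object (which is itself a certificationAuthority).
    $searcher.SearchScope = "Subtree"
    $searcher.Filter      = "(objectClass=certificationAuthority)"
    [void]$searcher.PropertiesToLoad.Add("cn")
    [void]$searcher.PropertiesToLoad.Add("cACertificate")
    foreach ($r in $searcher.FindAll()) {
        foreach ($raw in $r.Properties["cacertificate"]) {
            # An emptied multi-valued attribute can hold a placeholder byte; skip it.
            if ($raw.Length -lt 16) { continue }
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
            New-Object PSObject -Property @{
                Container  = $Container
                Object     = $r.Properties["cn"][0]
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                IsRoot     = ($cert.Subject -eq $cert.Issuer)   # self-signed => root CA
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

$all = "CN=Certification Authorities", "CN=AIA", "CN=NTAuthCertificates" |
    ForEach-Object { Get-PublishedCaCerts $_ }
$all | Format-Table Container, Object, Subject, IsRoot, Thumbprint, NotAfter -AutoSize

# A self-signed (root) certificate in NTAuthCertificates is the mistake from the
# question: NTAuth marks a CA as trusted to issue logon/authentication certificates,
# so only issuing CAs belong there. Remove a stray root via pkiview.msc as described above.
$all | Where-Object { $_.Container -eq "CN=NTAuthCertificates" -and $_.IsRoot } |
    ForEach-Object { Write-Warning "Root CA '$($_.Subject)' is published in NTAuthCertificates" }
```

A root published with -dspublish RootCA should appear under both CN=Certification Authorities and CN=AIA with IsRoot set to True, and the enterprise issuing CA should appear in CN=NTAuthCertificates with IsRoot False.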

All replies

  • Thanks Brian.

    I am now able to see the root CA certificate, both directly in the CN=AIA container, and in the pkiview console. It also shows up using certutil -dcinfo.

    Thanks again.


    Wednesday, February 16, 2011 10:20 PM
  • Hi, I've done the same (certutil -dspublish -f <certfilename> RootCA) to add my offline root CA to my 3 ADs that I have trusting the one root CA for the entire organisation. This now appears in AD sites and services\Services\Public Key services\Certification Authorities. The cert chain seems to work just fine.

    Does this mean that I don't need to add it to group policy Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities??

    Is this policy location only used if one would want to make only a subset of a directory (for example one OU) trust a certain CA as a root CA? Otherwise I can't see its purpose.

    Also, can non-Microsoft CAs be added to AD using certutil -dspublish -f <certfilename> RootCA?

    Thanks

    Friday, July 8, 2011 1:46 AM