Configure the Domain Controller to trust the issuing CA
You need to configure the domain controller to trust the Certificate Authority that issues the smart credential.
Note: If the Identity as a Service Certificate Authority resides on the Domain Controller, then this step is not required.
To configure the domain controller to trust the issuing CA:
- Export the CA trust chain:
  - For an Entrust Managed PKI Certificate Authority, see Export an Entrust Managed PKI CA trust chain.
  - For Microsoft Certificate Authorities not tied to the domain controller, see Export a Microsoft CA trust chain.
  - For PKIaaS CA issued smart credentials, see Configure domain controller certificates.
- Run the following commands on the domain controller to trust the CA:
certutil -f -dspublish trustedca.cer RootCA
certutil -f -dspublish intermediateca1.cer NTAuthCA
certutil -f -dspublish intermediateca1.cer SubCA
certutil -f -dspublish intermediateca2.cer NTAuthCA
certutil -f -dspublish intermediateca2.cer SubCA
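A CA published to NTAuth is trusted to issue certificates for domain logon, so it is worth checking the exported files before publishing and the directory afterward. The following PowerShell is an added example, not part of the original procedure: the thumbprint values are placeholders to fill in from the CA operator, the function names are hypothetical, and it assumes the ActiveDirectory PowerShell module is available on the domain controller.

```powershell
# Added example. File names match the certutil commands above; the thumbprints
# are placeholders to replace with values obtained from the CA operator.
$expected = @{
    'trustedca.cer'       = '<ROOT-CA-SHA1-THUMBPRINT>'
    'intermediateca1.cer' = '<INTERMEDIATE-CA-1-SHA1-THUMBPRINT>'
    'intermediateca2.cer' = '<INTERMEDIATE-CA-2-SHA1-THUMBPRINT>'
}
$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

# Run BEFORE the certutil commands, from the folder holding the .cer files.
# Stops if a file is not the expected CA certificate.
function Test-BeforePublish {
    $now = Get-Date
    $results = foreach ($entry in $expected.GetEnumerator()) {
        $cert = $X509::new((Resolve-Path $entry.Key).ProviderPath)
        $bc = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        [pscustomobject]@{
            File       = $entry.Key
            Subject    = $cert.Subject
            Matches    = $cert.Thumbprint -eq ($entry.Value -replace '\s', '')
            IsCA       = [bool]($bc -and $bc.CertificateAuthority)
            InValidity = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        }
    }
    $results | Format-Table -AutoSize | Out-Host
    if ($results | Where-Object { -not ($_.Matches -and $_.IsCA -and $_.InValidity) }) {
        throw 'Do not publish: at least one certificate file failed verification.'
    }
}

# Run AFTER the certutil commands: reads NTAuth from Active Directory, lists every
# CA in it, and warns if an intermediate from the list above is missing.
function Test-AfterPublish {
    $dn = 'CN=NTAuthCertificates,CN=Public Key Services,CN=Services,' +
          (Get-ADRootDSE).configurationNamingContext
    $ntAuth = (Get-ADObject -Identity $dn -Properties cACertificate).cACertificate |
        ForEach-Object { $X509::new([byte[]]$_) }
    $ntAuth | Format-Table Subject, Thumbprint, NotAfter -AutoSize | Out-Host
    foreach ($file in 'intermediateca1.cer', 'intermediateca2.cer') {
        if (@($ntAuth.Thumbprint) -notcontains ($expected[$file] -replace '\s', '')) {
            Write-Warning "$file is not present in the NTAuth store."
        }
    }
}
```

The table printed by Test-AfterPublish shows every CA currently in NTAuth, so entries that nobody recognizes stand out alongside the two just published.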