If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.

Procedure

  1. On the Active Directory server, navigate to the Group Policy Management plug-in.
    AD Version Navigation Path
    Windows 2003
    1. Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
    2. Right-click your domain and click Properties.
    3. On the Group Policy tab, click Open to open the Group Policy Management plug-in.
    4. Right-click Default Domain Policy, and click Edit.
    Windows 2008
    1. Select Start > Administrative Tools > Group Policy Management.
    2. Expand your domain, right-click Default Domain Policy, and click Edit.
    Windows 2012R2
    1. Select Start > Administrative Tools > Group Policy Management.
    2. Expand your domain, right-click Default Domain Policy, and click Edit.
    Windows 2016
    1. Select Start > Administrative Tools > Group Policy Management.
    2. Expand your domain, right-click Default Domain Policy, and click Edit.
  2. Expand the Computer Configuration section and open Windows Settings\Security Settings\Public Key.
  3. Right-click Trusted Root Certification Authorities and select Import.
  4. Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
  5. Close the Group Policy window.

Results

All of the systems in the domain now have a copy of the root certificate in their trusted root store.

What to do next

If an intermediate certification authority (CA) issues your smart card login or domain controller certificates, add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory. See Add an Intermediate Certificate to Intermediate Certification Authorities.