If you use an intermediate certification authority (CA) to issue smart card login or domain controller certificates, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.

Procedure

  1. On the Active Directory server, navigate to the Group Policy Management plug-in.
    AD Version Navigation Path
    Windows 2003
    1. Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
    2. Right-click your domain and click Properties.
    3. On the Group Policy tab, click Open to open the Group Policy Management plug-in.
    4. Right-click Default Domain Policy, and click Edit.
    Windows 2008
    1. Select Start > Administrative Tools > Group Policy Management.
    2. Expand your domain, right-click Default Domain Policy, and click Edit.
    Windows 2012R2
    1. Select Start > Administrative Tools > Group Policy Management.
    2. Expand your domain, right-click Default Domain Policy, and click Edit.
    Windows 2016
    1. Select Start > Administrative Tools > Group Policy Management.
    2. Expand your domain, right-click Default Domain Policy, and click Edit.
  2. Expand the Computer Configuration section and open the policy for Windows Settings\Security Settings\Public Key.
  3. Right-click Intermediate Certification Authorities and select Import.
  4. Follow the prompts in the wizard to import the intermediate certificate (for example, intermediateCA.cer) and click OK.
  5. Close the Group Policy window.

Results

All of the systems in the domain now have a copy of the intermediate certificate in their intermediate certification authority store.