If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
- On the Active Directory server, navigate to the Group Policy Management plug-in.
Right-click your domain and click Properties.
On the Group Policy tab, click Open to open the Group Policy Management plug-in.
Right-click Default Domain Policy, and click Edit.
Expand your domain, right-click Default Domain Policy, and click Edit.
- Expand the Computer Configuration section and open Windows Settings\Security Settings\Public Key.
- Right-click Trusted Root Certification Authorities and select Import.
- Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
- Close the Group Policy window.
All of the systems in the domain now have a copy of the root certificate in their trusted root store.
What to do next
If an intermediate certification authority (CA) issues your smart card login or domain controller certificates, add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory. See Add an Intermediate Certificate to Intermediate Certification Authorities.