If you use an intermediate certificate authority on sfo01.rainpole.local as certificate signer, CertGenVVD utility only retrieves the intermediate Base 64 certificate from the Microsoft CA. You must create a certificate chain file that also includes the root CA certificate.


  1. Log in to the site for certificate request on the sfo01.rainpole.local AD server.
    1. Open a Web browser and go to https://dc01sfo.sfo01.rainpole.local/certsrv.
    2. Log in using the following credentials.



      User name




  2. Download and export the certificates of the intermediate and root CAs.
    1. Click Download a CA certificate, certificate chain, or CRL.
    2. Select Current[sfo01-DC01SFO-CA in the CA certificate list, select Base 64 and click Download CA certificate chain.
    3. Save the file as chainroot.p7b.
    4. Open chainroot.p7b.

      The certmgr utility appears.

    5. Navigate to Certificates folder
    6. Right-click sfo01-DC01SfO-CA and select All Tasks > Export.

      The Certificate Export Wizard appears.

    7. On the Welcome page, click Next.
    8. Select Base-64 encoded X.509 (.CER) and click Next
    9. On the File to Export page, browse to the C:\CertGenVVD-version\SignedByMSCACerts\sfo01-intermediate-ca.cer, click Next and click Finish.
    10. Click Okay when you see a message about successful export.
    11. In the certmgr utility, right click rainpole-DC01RPL-CA and select All Tasks > Export and repeat the steps to save the rainpole.local root CA certificate as C:\CertGenVVD-version\SignedByMSCACerts\rainpole-root-ca.cer.
  3. Create the chainRoot64.cer file that includes both root and intermediate CA certificates.
    1. Open rainpole-root-ca.cer in a text editor.
    2. Copy the entire content and close the file.
    3. Open sfo01-intermediate-ca.cer in a text editor, press Enter to insert a new line at the end of the file, paste the rainpole-root-ca.cer content.
    4. Save the file as chainRoot64.cer to the C:\CertGenVVD-version\SignedByMSCACerts\.
    5. Close all files.
    6. Verify that the new file C:\CertGenVVD-version\SignedByMSCACerts\chainRoot64.cer exists and contains the content of both sfo01-intermediate-ca.cer and rainpole-root-ca.cer.
  4. Refresh all MSCA-signed certificates with new intermediate and root CAs.
    1. Open the C:\CertGenVVD-version folder.
    2. Make a copy of the SignedByMSCACerts folder and name is as SignedByMSCACerts-backup.
    3. Rename the SignedByMSCACerts folder to CSRCerts.
    4. Open the C:\CSRCerts\RootCA\ folder.
    5. Delete the Root64.cer file
    6. Create a copy of chainRoot64.cer as Root64.cer.
    7. Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
    8. Run the following command to regenerate all certificate files and packages using the new Root64.cer.
      .\CertGenVVD-version.ps1 -CSR -extra
    9. Rename the CSRCerts folder back to SignedByMSCACerts.