If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Procedure
- On the Active Directory server, navigate to the Group Policy Management plug-in.
  Navigation path by AD version:
  - Windows 2003
    - Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
    - Right-click your domain and click Properties.
    - On the Group Policy tab, click Open to open the Group Policy Management plug-in.
    - Right-click Default Domain Policy, and click Edit.
  - Windows 2008
    - Select Start > Administrative Tools > Group Policy Management.
    - Expand your domain, right-click Default Domain Policy, and click Edit.
  - Windows 2012R2
    - Select Start > Administrative Tools > Group Policy Management.
    - Expand your domain, right-click Default Domain Policy, and click Edit.
  - Windows 2016
    - Select Start > Administrative Tools > Group Policy Management.
    - Expand your domain, right-click Default Domain Policy, and click Edit.
- Expand the Computer Configuration section and open Windows Settings\Security Settings\Public Key Policies.
- Right-click Trusted Root Certification Authorities and select Import.
- Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
- Close the Group Policy window.
Results
All of the systems in the domain now have a copy of the root certificate in their trusted root store.
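A check to run around the import, as an added example that is not part of the original procedure: it compares the file's thumbprint with a value obtained from the CA owner before the import, then confirms on a domain member that the certificate reached the trusted root store through Group Policy. The file path and the thumbprint placeholder are assumptions.

```powershell
# Added example, not from the original page. Assumed values: the file path and
# the expected thumbprint, which must come from the CA owner out-of-band.
$RootCertPath       = 'C:\certs\rootCA.cer'          # assumed location
$ExpectedThumbprint = '<THUMBPRINT-FROM-CA-OWNER>'   # placeholder, fill in

function Test-RootCertBeforeImport {
    param([string]$Path, [string]$Expected)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Accept thumbprints pasted with spaces or colons.
    $normalized = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $normalized) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter)"
    }
    return $cert
}

function Test-RootCertDeployed {
    param([string]$Thumbprint)
    # Logical store: what certificate validation on this machine actually uses.
    $inStore = Test-Path "Cert:\LocalMachine\Root\$Thumbprint"
    # Group Policy physical store: shows the certificate arrived through the GPO
    # rather than through a manual import on this one machine.
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Thumbprint     = $Thumbprint
        InTrustedRoot  = $inStore
        DeliveredByGpo = Test-Path $policyKey
    }
}

# 1. Before running the import wizard:
$cert = Test-RootCertBeforeImport -Path $RootCertPath -Expected $ExpectedThumbprint

# 2. On a domain member, after the import: refresh computer policy, then check.
gpupdate /target:computer /force | Out-Null
Test-RootCertDeployed -Thumbprint $cert.Thumbprint
```

A machine that reports InTrustedRoot as true but DeliveredByGpo as false received the certificate some other way, which is worth reconciling before relying on the policy.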
FAQs
How do I find my trusted root certificate?
Viewing Certificates
- Click Tools > Internet Options > Content.
- Click Certificates and then the Trusted Root Certification Authorities tab on the far right. ...
- Double-click any one of the certificates shown. ...
- Double-click one of the certificates. ...
- Click the Certification Path tab. ...
- Click OK to close the certificate.
How do I add to trusted certificates?
For Windows:
- Double-click on your CA certificate, a window opens, and select Install Certificate.
- Select Current user Store Location.
- Select the Trusted Root Certification Authorities under the Certificate Store.
- Select Yes on the security warning tab.
How do I add a certificate to GPO trusted root?
Right-click the GPO, then select Edit. In the console tree, open Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, right-click the store you want to import the certificate to, such as Trusted Root Certification Authorities, then select Import.
Why is my root certificate not trusted?
However, if the computer is not joined to the domain or if you use an alternative certificate chain, you may experience this issue. If the appropriate certificate is not present in the Trusted Root Certification Authorities store, you must import a certificate for the appropriate certification authority.
How do I make my root certificate trusted?
Click Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities. Select Trusted Root Certification Authorities, right click, and select Import to open the Certificate Import Wizard. Click Next on the Welcome screen.
How do I know which root certificate I have?
How to Know the Difference Between the Root Certificate and an Intermediate Certificate
- The certificate path contains just one level.
- The issued to and issued by values point to the same CA.
- The certificate has a valid lifespan of more than two years.
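The three criteria above can be checked from PowerShell. This is an added example, not part of the original page; it also reads the Basic Constraints extension and the chain status, because matching "issued to" and "issued by" names alone do not show that a certificate is signed by its own key. The file path in the last line is an assumption.

```powershell
# Added example (not from the original page): classify a certificate file using
# the criteria listed above. The file path passed in is an assumption.
function Get-CertificateRole {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # "Issued to" vs "Issued by", compared on the encoded names rather than the
    # display strings, which can differ only in formatting.
    $sameName = [Convert]::ToBase64String($cert.SubjectName.RawData) -eq
                [Convert]::ToBase64String($cert.IssuerName.RawData)

    # Basic Constraints (OID 2.5.29.19) states whether the certificate may issue
    # others. Old X.509 v1 roots have no extensions, so this can be absent.
    $bc   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # Certificate path: a real root builds a one-level chain that ends at itself.
    # PartialChain means the issuer is just missing; NotSignatureValid means the
    # names match but the certificate is not signed by its own key.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $oneLevel = ($chain.ChainElements.Count -eq 1) -and
                ($flags -notcontains 'PartialChain') -and
                ($flags -notcontains 'NotSignatureValid')

    if     ($sameName -and $oneLevel -and $isCa) { $role = 'Root CA' }
    elseif ($sameName -and $oneLevel)            { $role = 'Self-signed, no CA flag' }
    elseif ($isCa)                               { $role = 'Intermediate CA' }
    else                                         { $role = 'End-entity' }

    [pscustomobject]@{
        Role          = $role
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        PathLevels    = $chain.ChainElements.Count
        ValidityYears = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
        Thumbprint    = $cert.Thumbprint
    }
}

Get-CertificateRole -Path 'C:\certs\rootCA.cer'   # assumed path
```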
How to add certificate to trusted root certification authority?
Expand the Computer Configuration section and open Windows Settings\Security Settings\Public Key Policies. Right-click Trusted Root Certification Authorities and select Import. Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
What are trusted root certificate authorities?
A Root CA is just that – the “root” of the chain of trust. It is a certificate authority that can be used to issue other certificates, which means it is imperative that Root CAs are secure and trusted. If the Root CA were to be compromised, the trust of the chain would be gone, leaving the system obsolete.
How do I get a trusted certificate?
Obtain a trusted certificate from a well-known third-party certificate authority (CA), or you can generate a self-signed certificate locally. Using a well-known trusted CA like Verisign can save you time and resources because many server, client, and user applications are pre-configured to recognize them.
Go to Settings > General > About > Certificate Trust Settings. Turn on Enable Full Trust for Root Certificates.
How do I add a root certificate to Truststore?
Installing a Root Certificate in the Trust Store
- Import the root certificate. Execute the command JRE_HOME/bin/keytool -import -trustcacerts -alias certAlias -file certFile -keystore trustStoreFile. ...
- Confirm that you trust the certificate. ...
- Identify the trust store to the client application.
How do I upload a root certificate?
Install root certificates on Windows
- Click Continue to the website.
- In the address bar, right-click the certificate and select View Certificates.
- On the certificate dialog, click the Details tab.
- Click Copy to file.
- In the wizard, select Base-64 encoded binary X. ...
- Click the Windows Start button.
Where is the Trusted root certificate folder?
In the MMC, under the Certificates (Local Computer) tree, expand the Trusted Root Certification Authorities folder. Click on Certificates under the Trusted Root Certification Authorities. This will display all the certificates that are currently trusted by the computer.
How do I resolve a certificate that is not trusted?
How to Fix SSL Certificate Error
- Diagnose the problem with an online tool.
- Install an intermediate certificate on your web server.
- Generate a new Certificate Signing Request.
- Upgrade to a dedicated IP address.
- Get a wildcard SSL certificate.
- Change all URLs to HTTPS.
- Renew your SSL certificate.
How do I update trusted root certificates in Windows?
On the machine without internet access...
- Click Start>Run. ...
- Type: certmgr.msc - this opens the certificate manager.
- Right click on the item "Trusted Root Certification Authorities".
- Select All Tasks>Import.
- Click Next.
- Click "Browse", change the file type in the lower right selection drop-down to "All Files"
How do I find the root certificate on my operating system?
The certificate can be in the \Microsoft\SystemCertificates\root\Certificates\ or Microsoft\SystemCertificates\AuthRoot\Certificates\ location.
How to view trusted root Certification Authorities in Chrome?
Chrome. Open the Certificate Settings via Settings -> Privacy and Security -> Manage Certificates - see figure below. Select Trusted Root Certification Authorities and Import - see figure below.
Where is the CA root certificate stored?
The CA trust store (as generated by update-ca-certificates) is available at the following locations:
- As a single file (PEM bundle) in /etc/ssl/certs/ca-certificates.crt.
- As an OpenSSL-compatible certificate directory in /etc/ssl/certs.
Where do trusted root certificates come from?
The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the best-known root certificates are distributed in operating systems by their manufacturers.