Publish the Root and Issuing CA Certificates
05 May 2023


The Axiad ID Cloud environment includes a Public Key Infrastructure. When the environment is created, a root CA certificate and an issuing CA certificate are generated. These files are typically named in the format:

  • <CUSTOMER>_Cloud_PKI_Root_CA.crt
  • <CUSTOMER>_Cloud_PKI_Issuing_CA_Users.crt
WARNING
These two files must be published in your Microsoft Active Directory so every machine joined to the domain will trust them. This is a requirement for PKI login.

The easiest way is to publish the certificates in the suitable stores:

  • AIA: Contains CA certificates that clients retrieve through the authority information access (AIA) certificate extension in order to build a valid certificate chain, and any cross-certificates issued by the CA. Certificates published to this container are propagated to the Intermediate Certification Authorities store on domain-joined computers.
  • Certification Authorities: This container stores trusted root certificates. It may contain entries of type certificationAuthority; the CA certificate is written to the cACertificate attribute. All certificates in this container are propagated to each client's Trusted Root Certification Authorities store as part of group policy processing.
  • NTAuthCertificates: This entry stores the certificates of CAs that are eligible to issue smart card logon certificates. During smart card logon, the domain controller checks whether the issuer of the logon certificate is present in the NTAuthCertificates entry; if it is not, the logon attempt is denied immediately. All certificates in this entry are propagated to each client's Intermediate Certification Authorities store as part of group policy processing.

The following screenshot shows the Active Directory stores where the Axiad ID Cloud certificates are published:

[Screenshot: Active Directory stores where the Axiad ID Cloud certificates are published]

Commands to Publish Root and Issuing CA Certificates

The publication is performed with the three commands below. The configuration is then replicated between the Domain Controllers and from there to every machine on the domain.

NOTE
The commands below must be run with an Enterprise Admin account on the domain so the certificates can be pushed to the correct store. They do not need to be run from a Domain Controller.
WARNING
If computer auto-enrollment is disabled, the CA certificates will not be published to domain-joined machines. Open the Group Policy Management Editor and ensure that Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment is set to Not configured or Enabled.
[Screenshot: Certificate Services Client – Auto-Enrollment policy setting]
If desired, this GPO may be disabled again once the CA certificates have been published.
  1. certutil -f -dspublish <CUSTOMER>_Cloud_PKI_Root_CA.crt

  2. certutil -f -dspublish <CUSTOMER>_Cloud_PKI_Issuing_CA_Users.crt SubCA

  3. certutil -f -dspublish <CUSTOMER>_Cloud_PKI_Issuing_CA_Users.crt NTAuthCA

    Once the certificates are published, you must wait for replication to complete between the Domain Controllers and then to the machines joined to the domain. You may force the update on a machine with the command below.

    NOTE
    The command must be run as a local administrator.
    gpupdate /force

Commands to Verify Publication

It is important to verify that the publication performed in the previous section was successful. Each of the following commands opens a pop-up that lists the certificates present in the corresponding store; you may have to click "More choices" to display the full list.

certutil -viewstore -enterprise root

certutil -viewstore -enterprise ca

certutil -viewstore -enterprise ntauth
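The PowerShell script below is an added example, not part of the Axiad article, that performs the same verification non-interactively: it reads the two .crt files, looks each one up by thumbprint in the AIA, Certification Authorities and NTAuthCertificates entries of the Configuration partition described earlier in this article, and then checks whether group policy has already delivered them to this machine's local stores. The file paths and the <CUSTOMER> prefix are placeholders, and the registry path used for the locally cached NTAuth store is an assumption; run it on a domain-joined machine.

```powershell
# Added example (not the Axiad article's own script): verify that the Root and
# Issuing CA certificates published with "certutil -dspublish" are present in
# the AIA, Certification Authorities and NTAuthCertificates entries of the
# Configuration partition, and, once replication and "gpupdate /force" have
# run, in this machine's local stores. Run on a domain-joined machine.
param(
    # Placeholder paths; <CUSTOMER> is the prefix used by your environment.
    [string]$RootCaFile    = '.\<CUSTOMER>_Cloud_PKI_Root_CA.crt',
    [string]$IssuingCaFile = '.\<CUSTOMER>_Cloud_PKI_Issuing_CA_Users.crt'
)

$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

function Get-CertFromFile([string]$Path) {
    New-Object $X509 -ArgumentList (Resolve-Path $Path).Path
}

# Decode every value of an AD object's cACertificate attribute (DER bytes).
function Get-AdCaCertificates($Entry) {
    foreach ($raw in $Entry.Properties['cACertificate']) {
        New-Object $X509 -ArgumentList (, [byte[]]$raw)
    }
}

function Write-Check([bool]$Ok, [string]$Where, [string]$Subject) {
    $state = if ($Ok) { 'OK     ' } else { 'MISSING' }
    '{0} {1,-28} {2}' -f $state, $Where, $Subject
}

$root    = Get-CertFromFile $RootCaFile
$issuing = Get-CertFromFile $IssuingCaFile

# The two files should form a chain: self-signed root, issuing CA signed by it.
if ($root.Subject -ne $root.Issuer)    { Write-Warning "Root CA file is not self-signed: $($root.Subject)" }
if ($issuing.Issuer -ne $root.Subject) { Write-Warning "Issuing CA is not issued by the supplied root" }

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Where each certificate must appear after the three certutil commands:
# publishing a self-signed cert writes it to Certification Authorities and AIA,
# "SubCA" writes to AIA, "NTAuthCA" writes to NTAuthCertificates.
$expected = [ordered]@{
    'AIA'                       = @($root, $issuing)
    'Certification Authorities' = @($root)
    'NTAuthCertificates'        = @($issuing)
}

"--- Active Directory ($configNC) ---"
foreach ($name in $expected.Keys) {
    $entry = [ADSI]"LDAP://CN=$name,$pkiBase"
    # AIA and Certification Authorities are containers with one object per CA;
    # NTAuthCertificates is a single object with a multi-valued cACertificate.
    if ($name -eq 'NTAuthCertificates') {
        $published = @(Get-AdCaCertificates $entry)
    } else {
        $published = @(foreach ($child in $entry.Children) { Get-AdCaCertificates $child })
    }
    foreach ($cert in $expected[$name]) {
        $hit = $published | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        Write-Check ([bool]$hit) $name $cert.Subject
    }
}

"--- Local machine (populated by group policy) ---"
$hit = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
Write-Check ([bool]$hit) 'Trusted Root CAs' $root.Subject
$hit = Get-ChildItem 'Cert:\LocalMachine\CA'   | Where-Object { $_.Thumbprint -eq $issuing.Thumbprint }
Write-Check ([bool]$hit) 'Intermediate CAs' $issuing.Subject
# Group policy caches the enterprise NTAuth store under this registry key
# (path is an assumption; "certutil -viewstore -enterprise ntauth" is the article's check).
$ntAuthKey = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$($issuing.Thumbprint)"
Write-Check (Test-Path $ntAuthKey) 'NTAuth (local cache)' $issuing.Subject
```

Reading the Configuration partition requires only a domain user account, so the first half of the output can be checked immediately after the publish commands and from any domain-joined machine; a MISSING line there means the corresponding certutil command did not succeed or has not replicated yet. A MISSING line in the second half while the AD half is OK points at group policy (the auto-enrollment policy warning above, or a gpupdate that has not yet run on this machine) rather than at the publication itself.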
