Import third-party certification authorities (CAs) into Enterprise NTAuth store - Windows Server (2024)


There are two methods you can use to import the certificates of third-party CAs into the Enterprise NTAuth store. This process is required if you're using a third-party CA to issue smart card logon or domain controller certificates. By publishing the CA certificate to the Enterprise NTAuth store, the Administrator indicates that the CA is trusted to issue certificates of these types. Windows CAs automatically publish their CA certificates to this store.

Applies to: Windows Server 2016, Windows Server 2012 R2
Original KB number: 295663

More information

The NTAuth store is an Active Directory directory service object that is located in the Configuration container of the forest. The Lightweight Directory Access Protocol (LDAP) distinguished name is similar to the following example:

CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=com

Certificates that are published to the NTAuth store are written to the cACertificate multiple-valued attribute. There are two supported methods to append a certificate to this attribute.

Method 1 - Import a certificate by using the PKI Health Tool

PKI Health Tool (PKIView) is an MMC snap-in component. It displays the status of one or more Microsoft Windows CAs that comprise a PKI. It's available as part of the Windows Server 2003 Resource Kit Tools.

PKIView gathers information about the CA certificates and certificate revocation lists (CRLs) from each CA in the enterprise. Then it validates the certificates and CRLs to ensure that they're working correctly. If they aren't working correctly, or they're about to fail, PKIView provides a detailed warning or some error information.

PKIView displays the status of Windows Server 2003 CAs that are installed in an Active Directory forest. You can use PKIView to discover all PKI components, including subordinate and root CAs that are associated with an enterprise CA. The tool can also manage important PKI containers, such as root CA trust and NTAuth stores, that are also contained in the configuration partition of an Active Directory forest. This article discusses this latter functionality. For more information about PKIView, see the Microsoft Windows Server 2003 Resource Kit Tools documentation.

Note

You can use PKIView to manage both Windows 2000 CAs and Windows Server 2003 CAs. To install the Windows Server 2003 Resource Kit Tools, your computer must be running Windows XP or later.

To import a CA certificate into the Enterprise NTAuth store, follow these steps:

  1. Export the certificate of the CA to a .cer file. The following file formats are supported:

    • DER encoded binary X.509 (.cer)
    • Base-64 encoded X.509 (.cer)

  2. Install the Windows Server 2003 Resource Kit Tools. The tools package requires Windows XP or later.

  3. Start Microsoft Management Console (Mmc.exe), and then add the PKI Health snap-in:

    1. On the Console menu, select Add/Remove Snap-in.
    2. Select the Standalone tab, and then select the Add button.
    3. In the list of snap-ins, select Enterprise PKI.
    4. Select Add, and then select Close.
    5. Select OK.
  4. Right-click Enterprise PKI, and then select Manage AD Containers.

  5. Select the NTAuthCertificates tab, and then select Add.

  6. On the File menu, select Open.

  7. Locate and then select the CA certificate, and then select OK to complete the import.

Method 2 - Import a certificate by using Certutil.exe

Certutil.exe is a command-line utility for managing a Windows CA. In Windows Server 2003, you can use Certutil.exe to publish certificates to Active Directory. Certutil.exe is installed with Windows Server 2003. It is also available as part of the Microsoft Windows Server 2003 Administration Tools Pack.

To import a CA certificate into the Enterprise NTAuth store, follow these steps:

  1. Export the certificate of the CA to a .cer file. The following file formats are supported:

    • DER encoded binary X.509 (.cer)
    • Base-64 encoded X.509 (.cer)

  2. At a command prompt, type the following command, and then press ENTER:

    certutil -dspublish -f filename NTAuthCA

The contents of the NTAuth store are cached in the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

This registry key should be automatically updated to reflect the certificates that are published to the NTAuth store in the Active Directory configuration container. This behavior occurs when Group Policy settings are updated and when the client-side extension that's responsible for autoenrollment executes. In certain scenarios, such as Active Directory replication latency or when the Do not enroll certificates automatically policy setting is enabled, the registry isn't updated. In such scenarios, run the following command manually to insert the certificate into the registry location:

certutil -enterprise -addstore NTAuth CA_CertFilename.cer
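
To check whether a machine's registry cache has fallen behind the directory, as described above, the following PowerShell script compares the certificates in the cACertificate attribute with the local NTAuth cache. It is an added example, not part of the original article; it assumes PowerShell 5.0 or later, a domain-joined host, and an account that can read the Configuration partition.

```powershell
# Added example, not from the original article. Read-only: nothing is modified.
# Assumes a domain-joined host and read access to the Configuration partition.

# Build the NTAuthCertificates DN from the forest's configuration naming context.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"

# Each value of the multiple-valued cACertificate attribute is one DER-encoded CA certificate.
$adCerts = @(foreach ($der in $ntAuth.Properties['cACertificate']) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
})

# The local cache holds one subkey per certificate, named by its SHA-1 thumbprint.
$cachePath = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$cached = @()
if (Test-Path -Path $cachePath) {
    $cached = @(Get-ChildItem -Path $cachePath |
        ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

# Per-certificate view: which CA is trusted, until when, and has this machine picked it up?
$now = Get-Date
$adCerts | ForEach-Object {
    [pscustomobject]@{
        Subject      = $_.Subject
        Thumbprint   = $_.Thumbprint
        NotAfter     = $_.NotAfter
        Expired      = $_.NotAfter -lt $now
        InLocalCache = $cached -contains $_.Thumbprint
    }
} | Format-Table -AutoSize

# Certificates that are cached locally but absent from the directory object.
$adThumbs = @($adCerts | ForEach-Object { $_.Thumbprint })
$stale    = @($cached | Where-Object { $adThumbs -notcontains $_ })
if ($stale.Count -gt 0) {
    Write-Warning "In local NTAuth cache but not in Active Directory: $($stale -join ', ')"
}
```

Rows where InLocalCache is False correspond to the scenario in which the registry was not updated; every Subject listed should be a CA that is intended to issue smart card logon or domain controller certificates.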

FAQs

How to import CA certificate in Windows Server?

In the left pane of the console, double-click Certificates (Local Computer). Right-click Personal, point to All Tasks, and then select Import. On the Welcome to the Certificate Import Wizard page, select Next. On the File to Import page, select Browse, locate your certificate file, and then select Next.

How do you install a server certificate signed by a trusted third party certificate authority?

Select the New Web Server Certificate
  1. Open Policy Manager.
  2. Select Setup > Authentication > Web Server Certificate.
  3. Select Third Party Certificate.
  4. From the drop-down list, select the new imported certificate, then click OK.

How to add certificates to the Trusted Root Certification Authorities store for a local Computer?

Under Available snap-ins, click Certificates, and then click Add. 4. Under This snap-in will always manage certificates for, click Computer account, and then click Next.

How to install a server authentication certificate from a Certification Authority?

Adding server role and installing certificate
  1. Select Server Manager and click Add Role.
  2. Select Certification Authority under Role Services and click Next.
  3. Select Enterprise under Setup Type and click Next.
  4. Select Root CA under CA Type and click Next.
  5. Select SHA256 and click Next.

How do I import a certificate into the Windows certificate store?

Procedure
  1. From the Windows Start menu, click Start > Run and enter mmc to open the Microsoft Management Console.
  2. Click File > Add/Remove Snap-in from the Microsoft Management Console.
  3. Click Add.
  4. Select Certificates and click Add.
  5. Select My User Account and click Finish.

Where is CA certificate stored in Windows Server?

The certificate store is located in the registry under HKEY_LOCAL_MACHINE root. Current user certificate store: This certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.

How do I make my CA root certificate trusted?

Click Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities. Select Trusted Root Certification Authorities, right click, and select Import to open the Certificate Import Wizard.

What are third-party root certification authorities?

The Third-Party Root Certification Authorities is a subset of Trusted Root Certification Authorities. The Trusted Root are all the Microsoft certificates and the certificates for your organization plus the certificates in the Third-party Root.

How to install third-party SSL certificate?

How to install a third-party SSL certificate with cPanel
  1. Step 1: Generate a private key and CSR. ...
  2. Step 2: Install a private key. ...
  3. Step 3: Install the certificate and activate SSL.

How do I find trusted root certification authorities in Windows?

In the MMC, under the Certificates (Local Computer) tree, expand the Trusted Root Certification Authorities folder. Click on Certificates under the Trusted Root Certification Authorities. This will display all the certificates that are currently trusted by the computer.

How do I import certificates to trusted root certification authorities GPO?

Right-click the GPO, then select Edit. In the console tree, open Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, right-click the store you want to import the certificate to, such as Trusted Root Certification Authorities, then select Import.

How do I install Microsoft root certificate authority?

Install root certificates on Windows
  1. Click Continue to the website.
  2. In the address bar, right-click the certificate and select View Certificates.
  3. On the certificate dialog, click the Details tab.
  4. Click Copy to file.
  5. In the wizard, select Base-64 encoded binary X. ...
  6. Click the Windows Start button.

How do I import a certificate into a server?

To import a server authentication certificate to the Default Web Site
  1. On the Start screen, type Internet Information Services (IIS) Manager, and then press ENTER.
  2. In the console tree, click ComputerName.
  3. In the center pane, double-click Server Certificates.
  4. In the Actions pane, click Import.

How do I add a Certificate Authority?

The instructions for adding a CA to a client vary according to the operating system or browser used.
  1. Create a Certificate Authority.
  2. Generate new key and certificate request.
  3. Self-sign the request to generate a CA certificate.
  4. Create a server certificate and use the CA to sign it.
  5. Allow clients to trust the root CA.

How to export a trusted root certificate?

Tips
  1. Log into the Root Certification Authority server with Administrator Account.
  2. Go to Start > Run. Enter the text Cmd and then select Enter.
  3. To export the Root Certification Authority server to a new file name ca_name.cer, type: certutil -ca.cert ca_name.cer.

How do I import a CA certificate into keystore?

Procedure
  1. Locate the keystore location in the JRE. Typically this keystore is at JAVA_HOME\jre\lib\security\cacerts. ...
  2. Run the standard keytool to import the certificate, from JAVA_HOME\jre\lib\security. ...
  3. When prompted Enter keystore password:, enter "changeit". ...
  4. When prompted Trust this certificate? [no]:, enter "yes".

How to install custom CA certificate Windows?

Installing Self-Signed CA Certificate in Windows
  1. Step 1: Open MMC on the machine that you are getting the warning. ...
  2. Step 2: Click on File → Add/Remove Snap-in… ...
  3. Step 3: Click on Certificates → Add> ...
  4. Step 4: Click on User Account → Finish. ...
  5. Step 5: Expand Certificates → Trusted Root Certification Authority → Certificates.

How to install CA certificate?

Install CA Certificates
  1. Rename the ca.cert.pem file to ca.cert.cer.
  2. Double-click ca.cert.cer and select Install Certificate.
  3. Select Local Machine > Trusted Root Certification Authorities to install the certificate to the Windows store. A message appears confirming the import was successful.

How do I import a root CA certificate?

See Backing up your internal Root CA for details.
  1. Go to Configure > SSL > Internal Root CA > Import Root CA.
  2. Browse to select the certificate. The certificate must be in X. ...
  3. Browse to select the private key. It must correspond to the certificate you selected in Step 2. ...
  4. Enter and confirm the passphrase.

Article information

Author: Melvina Ondricka