Generate the issuing CA certificate

To generate the third party issuing the CA to the Group Policy object and the NTAuth store in AD:

Log into the Root Certification Authority server with an Administrator account.
Select Start > Run >, enter Cmd, and choose Enter.
To export the Root Certification Authority server to a new file name called ca_name.cer, enter:


certutil -ca.cert ca_name.cer

The following figure shows the certificate successfully installed into the NTAuth store.

Use certutil to install the issuing CA certificate into NTAuth store

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Update default domain policy with third party root CAs

Update the default domain policy with the issuing party CA