How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store

Article ID: 295663 - View products that this article applies to.
This article was previously published under Q295663

INTRODUCTION

This article describes two methods you can use to import the certificates of third-party certification authorities (CAs) into the Enterprise NTAuth store. This process is required if you are using a third-party CA to issue smart card logon or domain controller certificates. By publishing the CA certificate to the Enterprise NTAuth store, the administrator indicates that the CA is trusted to issue certificates of these types. Windows CAs automatically publish their CA certificates to this store.

MORE INFORMATION

The NTAuth store is an Active Directory directory service object that is located in the Configuration container of the forest. The Lightweight Directory Access Protocol (LDAP) distinguished name is similar to the following:
CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=com
Certificates that are published to the NTAuth store are written to the cACertificate multiple-valued attribute. There are two supported methods to append a certificate to this attribute.

Method 1: Import a certificate by using the PKI Health Tool

PKI Health Tool (PKIView) is an MMC snap-in component that displays the status of one or more Microsoft Windows certification authorities that comprise a public key infrastructure (PKI). It is available as part of the Windows Server 2003 Resource Kit Tools. To download these tools, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
PKIView gathers information about the CA certificates and certificate revocation lists (CRLs) from each CA in the enterprise. Then, PKIView validates the certificates and CRLs to ensure that they are working correctly. If they are not working correctly or if they are about to fail, PKIView provides a detailed warning or some error information.

PKIView displays the status of Windows Server 2003 certification authorities that are installed in an Active Directory forest. You can use PKIView to discover all PKI components, including subordinate and root CAs that are associated with an enterprise CA. The tool can also manage important PKI containers, such as the root CA trust and NTAuth stores, that are also contained in the configuration partition of an Active Directory forest. This article discusses this latter functionality. For more information about PKIView, see the Microsoft Windows Server 2003 Resource Kit Tools documentation.

Note You can use PKIView to manage both Windows 2000 CAs and Windows Server 2003 CAs. To install the Windows Server 2003 Resource Kit Tools, your computer must be running Windows XP or later.

To import a CA certificate into the Enterprise NTAuth store, follow these steps:
  1. Export the certificate of the CA to a .cer file. The following file formats are supported:
    • DER encoded binary X.509 (.cer)
    • Base-64 encoded X.509 (.cer)
  2. Install the Windows Server 2003 Resource Kit Tools. The tools package requires Windows XP or later.
  3. Start Microsoft Management Console (Mmc.exe), and then add the PKI Health snap-in:
    1. On the Console menu, click Add/Remove Snap-in.
    2. Click the Standalone tab, and then click the Add button.
    3. In the list of snap-ins, click Enterprise PKI.
    4. Click Add, and then click Close.
    5. Click OK.
  4. Right-click Enterprise PKI, and then click Manage AD Containers.
  5. Click the NTAuthCertificates tab, and then click Add.
  6. On the File menu, click Open.
  7. Locate and then click the CA certificate, and then click OK to complete the import.

Method 2: Import a certificate by using Certutil.exe

Certutil.exe is a command-line utility for managing a Windows CA. In Windows Server 2003, you can use Certutil.exe to publish certificates to Active Directory. Certutil.exe is installed with Windows Server 2003. It is also available as part of the Microsoft Windows Server 2003 Administration Tools Pack. To download this tools pack, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en
To import a CA certificate into the Enterprise NTAuth store, follow these steps:
  1. Export the certificate of the CA to a .cer file. The following file formats are supported:
    • DER encoded binary X.509 (.cer)
    • Base-64 encoded X.509 (.cer)
  2. At a command prompt, type the following command, and then press ENTER:
    certutil -dspublish -f filename NTAuthCA
The contents of the NTAuth store are cached in the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
This registry key should be automatically updated to reflect the certificates that are published to the NTAuth store in the Active Directory configuration container. This behavior occurs when Group Policy settings are updated and when the client-side extension that is responsible for autoenrollment executes. In certain scenarios, such as Active Directory replication latency or when the Do not enroll certificates automatically policy setting is enabled, the registry is not updated. In such scenarios, you can run the following command manually to insert the certificate into the registry location:
certutil -enterprise -addstore NTAuth CA_CertFilename.cer
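The following PowerShell script is an added example and is not part of the original article. It checks the condition described above by comparing the certificates published in the forest's NTAuthCertificates object with the contents of the local registry cache, so that an administrator can tell whether the manual certutil step is needed. It assumes a domain-joined computer and an account that can read the Configuration partition.

```powershell
# Added example (not from the original article): compare the CA certificates
# published in the NTAuthCertificates object with the local registry cache.
# Assumes: domain-joined host, read access to the Configuration partition.

# Locate the NTAuthCertificates object from RootDSE instead of hard-coding the
# forest's naming context.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext
$ntAuthDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntAuth   = [ADSI]"LDAP://$ntAuthDN"

# cACertificate is multi-valued; each value is one DER-encoded CA certificate.
# Using .Properties[] always yields a collection, even with a single value.
$published = @{}
foreach ($der in $ntAuth.Properties["cACertificate"]) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (,[byte[]]$der)
    $published[$cert.Thumbprint.ToUpper()] = $cert.Subject
}

# The registry cache stores one subkey per certificate, named by its SHA-1
# thumbprint, under the path given in the article.
$regPath = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates"
$cached  = @{}
if (Test-Path $regPath) {
    foreach ($key in Get-ChildItem -Path $regPath) {
        $cached[$key.PSChildName.ToUpper()] = $true
    }
}

# Report every published CA and whether the local cache knows about it.
foreach ($thumb in $published.Keys) {
    $state = if ($cached.ContainsKey($thumb)) { "cached" } else { "MISSING in registry" }
    "{0}  {1,-20}  {2}" -f $thumb, $state, $published[$thumb]
}

# Entries cached locally but no longer published in the directory are worth
# a second look: the host still treats them as trusted NTAuth issuers.
foreach ($thumb in $cached.Keys) {
    if (-not $published.ContainsKey($thumb)) {
        "{0}  {1,-20}  (not published in AD)" -f $thumb, "STALE in registry"
    }
}
```

A certificate reported as missing can be inserted with the manual command from the article (certutil -enterprise -addstore NTAuth CA_CertFilename.cer); a stale entry indicates the cache has not yet picked up a removal from the directory.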

Properties

Article ID: 295663 - Last Review: June 18, 2008 - Revision: 3.1
APPLIES TO
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
Keywords: kbenv kbhowtomaster KB295663
