Import the issuing CA certificate into the Enterprise NTAuth store - Access Amazon WorkSpaces with Common Access Cards

Import the issuing CA certificate into the Enterprise NTAuth store

In a command prompt, type the following command, and then press ENTER:

certutil -dspublish -f ca_name.cer NTAuthCA

The following figure shows the successful import of the certificate into the NTAuth store.

A screenshot showing the import of the issuing CA certificate into the Enterprise NTAuth store


The contents of the NTAuth store are cached in the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

This registry key is automatically updated to reflect the certificates that are published to the NTAuth store in the AD configuration container. This behavior occurs when Group Policy settings are updated and when the client-side extension that is responsible for autoenrollment runs. In certain scenarios, such as AD replication latency or when the “Do not enroll certificates automatically” policy setting is enabled, the registry is not updated. In these scenarios, you can run the following command manually to insert the certificate into the registry location:

certutil -enterprise -addstore NTAuth issuing_ca_name.cer

The following figure shows the successful insertion of the certificate into the registry location.

A screenshot showing the import of the issuing CA certificate into Enterprise NTAuth store.

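To confirm on a given machine that the registry cache described above actually contains the issuing CA certificate, the following PowerShell script can be used. It is an added example, not part of the original guide. It assumes the certificate file uses the placeholder name issuing_ca_name.cer from the command above and relies on Windows storing each cached certificate as a subkey named by its SHA-1 thumbprint.

```powershell
# Added example: check that the issuing CA certificate is in the local NTAuth registry cache.
# $CertPath defaults to the placeholder file name used in the command above (an assumption).
param(
    [string]$CertPath = '.\issuing_ca_name.cer'
)

$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

# Load the exported CA certificate and read its SHA-1 thumbprint.
$fullPath = (Resolve-Path -Path $CertPath -ErrorAction Stop).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)
$thumbprint = $cert.Thumbprint.ToUpperInvariant()

Write-Output "Subject    : $($cert.Subject)"
Write-Output "Thumbprint : $thumbprint"
Write-Output "Valid until: $($cert.NotAfter.ToString('u'))"

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'This CA certificate has expired.'
}

# The registry cache holds one subkey per certificate, named by SHA-1 thumbprint.
if (-not (Test-Path -Path $ntAuthKey)) {
    Write-Warning "NTAuth registry cache not found: $ntAuthKey"
    exit 2
}
$cached = @(Get-ChildItem -Path $ntAuthKey | ForEach-Object { $_.PSChildName.ToUpperInvariant() })

# List every cached entry so unexpected CAs in this store stand out during review.
Write-Output "Certificates cached in NTAuth on $($env:COMPUTERNAME): $($cached.Count)"
$cached | ForEach-Object { Write-Output "  $_" }

if ($cached -contains $thumbprint) {
    Write-Output 'Result: issuing CA certificate is present in the NTAuth registry cache.'
    exit 0
}

Write-Warning 'Issuing CA certificate is NOT in the NTAuth registry cache on this machine.'
exit 1
```

An exit code of 1 on a domain controller or WorkSpace indicates the scenario described above, where the registry was not updated and the manual certutil -enterprise -addstore command is needed.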