How to Push Root CA Certificate to Client Machine Automatically

I'm testing the Certificate Authority in my lab environment (running a Windows 2008 domain).

One thing I found is that right after I installed a new Certificate Authority (enterprise root CA) in the environment, the CA root certificate was pushed to all client machines and added under the "Trusted Root Certification Authorities" store.

However, after the original root certificate expired and I renewed the root certificate in the CA, the new CA root certificate never got pushed to client machines.

I have checked the following two group policy items, but both of them were configured to "Enabled" already.  I would like to find out which configuration controls when a CA root certificate gets pushed to client machines.  Please assist! TIA!!

computer configuration->policies->windows settings->security settings->public key policies->certificate services client-auto-enrollment
user configuration->policies->windows settings->security settings->public key policies->certificate services client auto-enrollment
Jimmy Vad
1 Solution
David Johnson, CD, MVP (Owner) commented:
Neither one of those.

In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
On the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, type the path to the appropriate certificate files (for example, \\fs1\c$\fs1.cer), and then click Next.
On the Certificate Store page, click Place all certificates in the following store, and then click Next.
On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
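A follow-up check to run on a client after the GPO import above, added here as an example and not part of David's answer: it lists every copy of the CA's certificate in the computer's Trusted Root store, flags the expired original, and confirms whether the renewed root (the exported .cer from the answer) is actually present. The subject pattern is a placeholder you would replace with your own CA's name.

```powershell
# Added example (not from the thread): verify on a client whether the renewed
# root CA certificate has landed in the machine's Trusted Root store.
# Assumptions: the CA's subject contains "LabRootCA" (placeholder) and the
# renewed root was exported to the .cer path used in the answer (\\fs1\c$\fs1.cer).
param(
    [string]$CaNamePattern  = '*LabRootCA*',      # placeholder, adjust to your CA's subject
    [string]$RenewedCerPath = '\\fs1\c$\fs1.cer'  # path from the accepted answer
)

# All copies of the CA's certificate in the local computer's Trusted Root store.
# After a root renewal there are normally two: the expired original and the renewed one.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $CaNamePattern }

if (-not $roots) {
    Write-Warning "No certificate matching '$CaNamePattern' in Cert:\LocalMachine\Root."
}

$now = Get-Date
$roots | ForEach-Object {
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        NotBefore  = $_.NotBefore
        NotAfter   = $_.NotAfter
        Expired    = ($_.NotAfter -lt $now)
    }
} | Format-Table -AutoSize

# Compare against the exported renewed root: a matching thumbprint means the GPO import worked.
if (Test-Path -Path $RenewedCerPath) {
    $renewed = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RenewedCerPath
    if ($roots.Thumbprint -contains $renewed.Thumbprint) {
        "Renewed root $($renewed.Thumbprint) is trusted on this machine."
    } else {
        Write-Warning "Renewed root $($renewed.Thumbprint) is NOT in the Trusted Root store; run 'gpupdate /force' and re-check."
    }
} else {
    Write-Warning "Renewed root file not reachable at $RenewedCerPath; skipping thumbprint comparison."
}
```

Run it from an elevated prompt on a domain member; an expired-only result means the policy has not applied yet or the import landed in the wrong store.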
Jimmy Vad (Author) commented:
Hi David,

Thanks for your reply.  I understand that I can push the renewed CA root certificate via group policy in the way you mentioned above.

I just thought there would be another way to propagate this root certificate within the domain. The reason is that all client machines in my test environment actually did receive the CA root certificate after I installed the CA role on one of the DCs, while I never explicitly added that CA certificate to the group policy to push it out....   That's why I thought there's some other mechanism, which I'm not aware of, being used to push the certificate.

David Johnson, CD, MVP (Owner) commented:
I run a 5 tier CA so I have to do it manually via group policy.