How to Push Root CA Certificate to Client Machine Automatically

I'm testing the Certificate Authority in my lab environment (running Windows 2008 domain).

One thing I found is that right after I installed a new Certificate Authority (enterprise root CA) in the environment, the CA root certificate was pushed to all client machines and added under the "Trusted Root Certification Authorities" store.

However, after the original root certificate expired and I renewed the root certificate in the CA, the new CA root certificate never got pushed to client machines.

I have checked the following two group policy items, but both of them were configured to "Enabled" already. I would like to find out which configuration controls when a CA root certificate gets pushed to client machines. Please assist! TIA!!

computer configuration->policies->windows settings->security settings->public key policies->certificate services client-auto-enrollment
user configuration->policies->windows settings->security settings->public key policies->certificate services client auto-enrollment
Jimmy Vad asked:
David Johnson, CD, MVP (Owner) commented:
Neither one of those

In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
On the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, type the path to the appropriate certificate files (for example, \\fs1\c$\fs1.cer), and then click Next.
On the Certificate Store page, click Place all certificates in the following store, and then click Next.
On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy
0
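The wizard steps above have no built-in cmdlet equivalent, but the mechanism that populated the clients on first install, publication of the CA certificate into the Public Key Services containers of the AD Configuration partition, can be driven and verified from PowerShell. The following is an added example, not code from the original thread or from either participant; the forest name corp.example, the file path C:\PKI\RootCA-renewed.cer and the function names are assumptions. It relies only on certutil, ADSI and the Cert: drive, all of which are present on Windows Server 2008 / PowerShell 2.0, and must be run elevated by a member of Enterprise Admins because it writes to the Configuration partition.

```powershell
# Added example (not from the original thread). Assumptions, both hypothetical:
#   forest:   corp.example
#   cert:     C:\PKI\RootCA-renewed.cer  (DER or Base64 export of the renewed root)
# Run in an elevated PowerShell as Enterprise Admin on a domain-joined machine.

$CertFile    = 'C:\PKI\RootCA-renewed.cer'
$ConfigNC    = 'CN=Configuration,DC=corp,DC=example'
$CaContainer = "LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$ConfigNC"

function Get-CertInfo([string]$Path) {
    # Load the file first so its thumbprint can be compared with what AD and the
    # clients end up holding; never publish a root you have not inspected.
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
}

function Publish-RootCaToAd([string]$Path) {
    # These are the same containers an enterprise CA writes to at install time.
    #   RootCA   -> CN=Certification Authorities  (clients copy it into Trusted Root)
    #   NTAuthCA -> CN=NTAuthCertificates         (needed for smart card / PKINIT logon)
    certutil -dspublish -f $Path RootCA
    certutil -dspublish -f $Path NTAuthCA
}

function Get-AdPublishedRootCas {
    # Enumerate every cACertificate value under the container, so an expired
    # and a renewed certificate for the same CA object are both listed.
    $container = [ADSI]$CaContainer
    foreach ($caObject in $container.Children) {
        foreach ($raw in $caObject.Properties['cACertificate']) {
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
            New-Object PSObject -Property @{
                Object     = $caObject.Name
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                NotAfter   = $c.NotAfter
            }
        }
    }
}

function Test-ClientHasRoot([string]$Thumbprint) {
    # Run on a client after policy refresh. Reports not only whether the root is
    # trusted but which channel delivered it, which is the distinction asked about:
    #   HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root      <- pulled from AD
    #   HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root <- pushed by a GPO
    $inStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $fromAd  = Test-Path "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\$Thumbprint"
    $fromGpo = Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
    New-Object PSObject -Property @{
        Trusted        = [bool]$inStore
        ViaAd          = $fromAd
        ViaGroupPolicy = $fromGpo
    }
}

# --- usage (on the CA / an admin workstation) ---
$renewed = Get-CertInfo $CertFile
"Publishing {0} ({1}), valid until {2:u}" -f $renewed.Subject, $renewed.Thumbprint, $renewed.NotAfter
Publish-RootCaToAd $CertFile

# AD should now list the renewed certificate next to the expired one.
Get-AdPublishedRootCas | Format-Table Object, Thumbprint, NotAfter -AutoSize

# --- usage (on a client) ---
gpupdate /target:computer /force     # refresh computer policy
certutil -pulse                      # fire the autoenrollment task immediately
Test-ClientHasRoot $renewed.Thumbprint
```

Test-ClientHasRoot is the check worth keeping: if ViaAd is true the certificate arrived through the enterprise store that AD CS populates (the path the asker observed on first install), whereas a certificate imported through the GPMC wizard in the answer above shows up under the Policies key instead. Clients replicate the AD containers only on the next autoenrollment pass, so allow for the policy refresh interval, or use certutil -pulse as shown, before concluding that publication failed.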

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jimmy Vad (Author) commented:
Hi David,

Thanks for your reply. I understand that I can push the renewed CA root certificate via group policy the way you mentioned above.

I just thought there would be another way to propagate this root certificate within the domain. The reason is that all client machines in my test environment actually did receive the CA root certificate after I installed the CA role on one of the DCs, while I never explicitly added that CA certificate to the group policy to push it out.... That's why I thought there was some other mechanism, which I'm not aware of, being used to push the certificate.

Thanks
JV
0
David Johnson, CD, MVP (Owner) commented:
I run a 5-tier CA, so I have to do it manually via group policy.
0
Windows Server 2008