
Manually integrate third party CA in Active Directory

This article describes how to manually integrate a third party certificate authority (CA) in Active Directory, that is, any certificate authority other than Microsoft Active Directory Certificate Services (ADCS).

In the manual procedure described here, the CA certificates are imported into Active Directory by hand; in an automatic procedure they are pushed over LDAP or LDAPS.

The following prerequisites apply:

  • The CA certificates must be available. Usually these are two certificates: the root CA certificate and the sub-CA certificate.

Step-by-step instructions

Publish CA to AD

  1. Log on to a Domain Controller and copy the root CA and sub-CA certificates to the desktop.

  2. Start a command prompt with Administrator rights.



Publish the root CA certificate into the Certification Authorities container:

  1. Navigate to the following location:

    CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local



  2. Publish the root CA with the certutil command:

    certutil -f -dspublish <cert file name> RootCA

    Example:

    certutil -f -dspublish rootca.cer RootCA





Publish the certificates of both the root CA and the intermediate CA (sub-CA or issuing CA) into the NTAuthCertificates attribute:

  1. Navigate to the following location:



  2. For each CA (root CA, intermediate CA, sub-CA, issuing CA), publish the certificate with the certutil command:

    Example:





Publish the certificates of the intermediate CA (sub-CA or issuing CA) into the AIA container:

  1. Navigate to the following location:



  2. For each intermediate or sub-CA, publish the certificate with the certutil command:

    Example:



Verify CA certificates

To verify the CA certificates, you can use either ADSI Edit or the Enterprise PKI snap-in in MMC.
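The script below is an added example and not part of this article: it reads back the CA certificates that certutil published to Active Directory and compares their thumbprints with the local .cer files, so that a certificate you did not publish (in particular in NTAuthCertificates, which governs which CAs are trusted for domain logon) stands out. It assumes the RSAT ActiveDirectory module, the file names rootca.cer and subca.cer on the desktop, and the well-known NTAuthCertificates object and AIA container under the Public Key Services path shown above.

```powershell
# Added example, not part of the Nexus article: list the CA certificates that are
# actually published in AD after the certutil steps and compare them with the
# local .cer files. Assumes the RSAT ActiveDirectory module and the file names
# rootca.cer and subca.cer on the desktop (adjust both to your environment).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Thumbprints of the certificates you intended to publish (assumed file names).
$expected = foreach ($f in "$env:USERPROFILE\Desktop\rootca.cer", "$env:USERPROFILE\Desktop\subca.cer") {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($f).Thumbprint
}

function ConvertTo-X509 {
    # cACertificate is multi-valued; each value is one DER-encoded certificate.
    param($AdObject)
    foreach ($der in $AdObject.cACertificate) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
}

# NTAuthCertificates is a single object; the Certification Authorities and AIA
# containers hold one certificationAuthority object per published CA.
$targets = @(
    Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
    foreach ($c in "CN=Certification Authorities,$pkiBase", "CN=AIA,$pkiBase") {
        Get-ADObject -SearchBase $c -SearchScope OneLevel `
            -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate
    }
)

$report = foreach ($obj in $targets) {
    foreach ($cert in ConvertTo-X509 $obj) {
        # A certificate in NTAuthCertificates that you did not publish lets an
        # unknown CA issue certificates accepted for logon, so review it.
        $status = if ($expected -contains $cert.Thumbprint) { 'expected' } else { 'UNEXPECTED' }
        [pscustomobject]@{
            Location   = $obj.DistinguishedName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the domain controller after the publishing steps; every row should show the status expected, one per CA per location.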





Related information

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.