
Manually integrate third party CA in Active Directory

This article describes how to manually integrate a third party certificate authority (CA) in Active Directory, that is, any certificate authority other than Microsoft Active Directory Certificate Services (ADCS).

In the manual procedure described here, the CA certificates are imported into Active Directory by hand with certutil on a domain controller; in an automatic procedure they are pushed into the directory over LDAP or LDAPS.

Prerequisites

The following prerequisites apply:

  • The CA certificates must be available. Usually these are two certificates: the root CA certificate and the sub-CA (issuing CA) certificate.

Step-by-step instruction

Publish CA to AD

Log on to Domain Controller
  1. Log on to a Domain Controller and copy the root CA and sub-CA certificate files to the desktop.
  2. Start a command prompt with Administrator rights.
Publish root CA to Certification Authorities container

Publish the root CA certificate into the Certification Authorities container:

  1. Navigate to the following location:

     CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local

  2. Publish the root CA with the certutil command:

     certutil -f -dspublish <cert file name> RootCA

     Example:

     certutil -f -dspublish rootca.cer RootCA

Publish CA certificates to NTAuthCA attribute

Publish the certificates of the root CA and of every intermediate CA (sub-CA or issuing CA) into the NTAuthCertificates attribute:

  1. Navigate to the following location:

     CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local

  2. For each CA (root CA, intermediate CA, sub-CA, issuing CA) publish the certificate with the certutil command:

     certutil -dspublish -f <cert file name> NTAuthCA

     Example:

     certutil -dspublish -f rootca.cer NTAuthCA

Publish intermediate or sub-CA to AIA

Publish the certificates of the intermediate CA (sub-CA or issuing CA) into the AIA container:

  1. Navigate to the following location:

     CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local

  2. For each intermediate or sub-CA, publish the certificate with the certutil command:

     certutil -f -dspublish <cert file name> SubCA

     Example:

     certutil -f -dspublish subca.cer SubCA

Verify CA certificates

To verify the CA certificates, you can use either ADSIEDIT or MMC / Enterprise PKI snap-in.

Option: Verify CA certificates with ADSIEDIT

To verify the CA certificates in ADSIEDIT:

  1. Start ADSIedit.
  2. In Connection Settings, enter a Name and the Path to your domain. Select the Naming Context: Configuration.
  3. Browse down to Public Key Services.
  4. Look in CN=AIA and verify that only the sub-CA certificate is there, not the root CA.
  5. Look in CN=Certification Authorities and verify that only the root CA certificate is there, not the sub-CA.
  6. Look in CN=NTAuthCertificates and verify that both CA certificates are there.
Option: Verify CA certificates with MMC / Enterprise PKI snap-in

To verify the certificates via Microsoft Management Console (MMC), in the Enterprise PKI snap-in:

  1. Start the Microsoft Management Console (MMC).
  2. Load the snap-in Enterprise PKI.
  3. Right-click on the snap-in and select Manage AD Containers.
  4. Click on each container and verify that your certificates are there.
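The publish and verify steps above as one script. This is an added example, not part of the original article; it assumes rootca.cer and subca.cer are on the desktop of the admin running it in an elevated PowerShell on a domain controller, and it reads the containers back with the built-in [ADSI] accelerator rather than ADSIEdit. It also checks each expected placement against the thumbprints of the files just published, which the article leaves to the eye.

```powershell
# Added example (not from the article). Assumes rootca.cer and subca.cer on the admin's desktop,
# run from an elevated PowerShell on a domain controller with rights to the Configuration partition.
$desktop = [Environment]::GetFolderPath('Desktop')
$rootCer = Join-Path $desktop 'rootca.cer'
$subCer  = Join-Path $desktop 'subca.cer'
# Root CA -> Certification Authorities; root + sub-CA -> NTAuthCertificates; sub-CA -> AIA
certutil -f -dspublish $rootCer RootCA
certutil -f -dspublish $rootCer NTAuthCA
certutil -f -dspublish $subCer  NTAuthCA
certutil -f -dspublish $subCer  SubCA

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
function Get-ContainerCerts {
    param([string]$Dn)
    # Certification Authorities and AIA hold one child object per CA; NTAuthCertificates is a single
    # object whose cACertificate attribute is multi-valued. Read the object itself and its children.
    $container = [ADSI]"LDAP://$Dn"
    foreach ($obj in @($container) + @($container.Children)) {
        foreach ($raw in @($obj.Properties['cACertificate'])) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
            [pscustomobject]@{
                Container  = $Dn.Split(',')[0]
                Object     = [string]$obj.Properties['cn'][0]
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

$found = foreach ($name in 'Certification Authorities', 'AIA', 'NTAuthCertificates') {
    Get-ContainerCerts -Dn "CN=$name,$pkiBase"
}
$found | Format-Table Container, Object, Subject, Thumbprint, NotAfter -AutoSize

# Compare against the files just published: every expected placement must be present.
$rootTp = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCer).Thumbprint
$subTp  = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $subCer).Thumbprint
$expected = @(
    @{ Container = 'CN=Certification Authorities'; Thumbprint = $rootTp; Label = 'root CA' }
    @{ Container = 'CN=AIA';                       Thumbprint = $subTp;  Label = 'sub-CA'  }
    @{ Container = 'CN=NTAuthCertificates';        Thumbprint = $rootTp; Label = 'root CA' }
    @{ Container = 'CN=NTAuthCertificates';        Thumbprint = $subTp;  Label = 'sub-CA'  }
)
foreach ($e in $expected) {
    $hit = $found | Where-Object { $_.Container -eq $e.Container -and $_.Thumbprint -eq $e.Thumbprint }
    '{0,-4} {1} in {2}' -f $(if ($hit) { 'OK' } else { 'FAIL' }), $e.Label, $e.Container
}
```

Any CA listed under CN=NTAuthCertificates is trusted to issue certificates for domain logon, so review that table for entries you did not expect, not just for the ones you added.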
Remove CA certificates from desktop
  • Once the CA certificates are published, delete the certificate files from the desktop.
