We have set up a 2-tier internal CA and plan to implement a GPO to add the offline root CA as a trusted certificate authority.
The Enterprise Sub CA will issue certificates used for many purposes. Do we also need to create another GPO for clients to trust the Sub CA?
For computers not joined to our domain, what is the correct way to make these clients trust the certificates issued by the Sub CA (for the "validate server certificate" setting in wireless configuration, for Exchange certificate-based authentication, and for intranet web sites that may use an SSL cert issued by the Sub CA)?
I assume we export the certificate to a file and then import that file into these computers, but exactly how? Which certificate do we export: the offline Root's certificate or the Sub CA's certificate? And what is the procedure to export it to a file format usable by nonmembers of our domain?