We have a root certificate for an offline CA that's the root of an enterprise PKI. We're trying to publish it in AD. All the properties in the cert seem to be in order, but when we publish it with certutil, it's injected as "CN=com". Certutil is parsing this out of the cert (the output lines are "ldap:///CN=com,CN=AIA,CN=Public Key Services,CN=services,CN=Configuration,DC=[domain],DC=[ext]?cACertificate") Any idea what we're doing wrong here? Can I use DSCDPContainer and DSCDPCN to force the name?