certutil -dspublish VS Group Policy - Public Key Policies
Hi, I've set up my offline root CA and Enterprise CAs for each of my domains. I've then run certutil -dspublish -f <certfilename> RootCA to add my offline root CA to my 3 ADs, which I have trusting the one root CA for the entire organisation. This now appears in AD Sites and Services\Services\Public Key Services\Certification Authorities. The cert chain seems to work just fine.

Does this mean that I don't need to add it to group policy Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities? Is this policy location only used if one would want to make only a subset of a directory (for example one OU) trust a certain CA as a root CA? Otherwise I can't see its purpose.

Also, can non-Microsoft CAs be added to AD using certutil -dspublish -f <certfilename> RootCA? I don't fully understand the pros and cons of using the different methods. Can someone please explain? Thanks again.
July 11th, 2011 8:42pm

Yes, using group policy to define the trusted root will limit the scope of the trust to the scope of the GPO, making only a subset of a domain in AD trust the new CA. The certutil -dspublish command as you describe it will import/publish the certificate to the Enterprise RootCA store and make it available to the whole AD, affecting all domains within it as a global trust. Non-Microsoft/ADCS CAs can be added to the Enterprise trust as well, with no restrictions.

/Hasain
July 12th, 2011 3:03am

Group policy has some advantages:
1) a trust may be restricted to a specified OU only
2) you can configure extended properties, like Extended Validation, certificate name, OCSP responders
3) a trust can be limited to specified key usages only.

Also, here is one interesting point: if you remove a published certificate from the local store, it may not be updated (even after a group policy refresh) until the client changes logon server (domain controller).

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
July 12th, 2011 7:27am
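The two answers above describe three different delivery paths for a trusted root: the forest-wide AD container that certutil -dspublish writes to, a GPO-scoped trust, and a locally installed certificate. On a client each path lands in a different physical store behind the LocalMachine\Root logical store, which makes it possible to check, per root, which path delivered it. The following PowerShell script is an added example and is not code from the thread or from either poster. It reads the standard registry-backed physical stores (Local, Group Policy, Enterprise, and the Windows Update AuthRoot store), joins them with the parsed certificates in Cert:\LocalMachine\Root, and then compares the result with the cACertificate values published in the AD "Certification Authorities" container. It assumes a domain-joined machine and an elevated session; the function names and the "DeliveredBy" labels are this example's own.

```powershell
# Added example, not code from the thread or from either poster.
# Inventory which physical store delivers each trusted root on this machine, and
# compare against what is actually published in the AD "Certification Authorities"
# container (the target of: certutil -dspublish -f <certfilename> RootCA).
# Assumes a domain-joined machine and an elevated PowerShell session.

# Physical stores that make up the LocalMachine\Root logical store.
$physicalStores = @{
    'Local (Registry)'          = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'Group Policy'              = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise (AD published)' = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    'Windows Update (AuthRoot)' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
}

function Get-AdPublishedRoots {
    # Read the cACertificate blobs from the forest-wide container under the Configuration NC.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNc  = $rootDse.configurationNamingContext.Value
    $container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
    $published = @{}
    foreach ($caObject in $container.Children) {
        foreach ($blob in $caObject.Properties['cACertificate']) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
            $published[$cert.Thumbprint] = $cert.Subject
        }
    }
    return $published
}

function Get-RootTrustSources {
    # Map thumbprint -> physical store(s) holding it. Registry subkey names are SHA-1 thumbprints.
    $sources = @{}
    foreach ($store in $physicalStores.GetEnumerator()) {
        if (-not (Test-Path $store.Value)) { continue }
        foreach ($key in Get-ChildItem $store.Value) {
            $thumb = $key.PSChildName.ToUpperInvariant()
            if (-not $sources.ContainsKey($thumb)) { $sources[$thumb] = @() }
            $sources[$thumb] += $store.Key
        }
    }
    # Join with the logical store so Subject and expiry come from the parsed certificate.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\Root) {
        $deliveredBy = if ($sources.ContainsKey($cert.Thumbprint)) { $sources[$cert.Thumbprint] -join ', ' } else { 'unknown' }
        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            DeliveredBy = $deliveredBy
        }
    }
}

function Compare-AdAndClientRoots {
    # For each root published in AD, report whether this client holds it and through which store(s).
    $published = Get-AdPublishedRoots
    $client    = Get-RootTrustSources
    foreach ($thumb in $published.Keys) {
        $match = $client | Where-Object { $_.Thumbprint -eq $thumb }
        [pscustomobject]@{
            Thumbprint   = $thumb
            Subject      = $published[$thumb]
            OnThisClient = [bool]$match
            DeliveredBy  = if ($match) { $match.DeliveredBy } else { '-' }
        }
    }
}

Get-RootTrustSources     | Sort-Object DeliveredBy, Subject | Format-Table -AutoSize
Compare-AdAndClientRoots | Format-Table -AutoSize
```

A root that appears in the "Enterprise (AD published)" store was pulled from the AD container by the autoenrollment component, one in the "Group Policy" store came from the Public Key Policies GPO setting, and one only in "Local (Registry)" was installed on that machine directly. Rows marked "unknown" (present in the logical store but in none of the expected physical stores) and AD-published roots with OnThisClient set to False are the ones worth investigating. `gpupdate /force` refreshes the Group Policy store; `certutil -pulse` triggers an autoenrollment pass, which is the mechanism that refreshes the Enterprise store from AD.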
