Publishing to Active Directory
The certificate object is published automatically into the CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container as a CrossCA object. The certificate is never distributed to the target CA in the other organization's CA hierarchy. Instead, it is downloaded via autoenrollment to all domain member computers so that the Cross Certification Authority certificate can be used to build certificate chains between the two CA hierarchies. This allows recognition of the partner CA's certificates that meet the qualified subordination conditions.
Note: When the autoenrollment process is triggered by Winlogon or a Group Policy refresh interval, the operating system queries Active Directory to download the appropriate certificate stores into the local store on the client machine—for example, root CA certificates, Cross Certification Authority certificates, and the NTAuth container.
When participating in a bridge CA hierarchy structure, the Cross Certification Authority certificates issued by the bridge CA must be manually published by each organization participating in the bridge CA hierarchy structure. This is because the bridge CA is not a member of your organization's forest and is unable to publish its issued Cross Certification Authority certificates into your forest automatically.
You can use the following certutil.exe command to manually publish a Cross Certification Authority certificate into Active Directory:
certutil -f -dspublish <CrossCertFile.crt> CrossCA
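As an added example that is not part of the original page, the following PowerShell script checks whether a given cross-certificate is already present in the forest's AIA container before running the certutil command above, and re-checks afterwards so the publication can be confirmed before clients pick it up via autoenrollment. The certificate path is a constructed placeholder; that certutil stores CrossCA certificates in the crossCertificatePair attribute of certificationAuthority objects under CN=AIA is an assumption about certutil's behaviour, and the account running it needs rights to write to the Configuration partition.

```powershell
# Assumed storage location: crossCertificatePair attribute of certificationAuthority
# objects under CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,<forest root>.
$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

function Test-CrossCaPublished {
    param([Parameter(Mandatory)][string]$CertPath)

    # Thumbprint of the partner/bridge cross-certificate we expect to find in AD
    $expected = $X509::new($CertPath).Thumbprint

    # Locate the AIA container in this forest's Configuration partition
    $configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=AIA,CN=Public Key Services,CN=Services,$configNc"
    $searcher.Filter = "(objectClass=certificationAuthority)"
    $null = $searcher.PropertiesToLoad.Add("cn")
    $null = $searcher.PropertiesToLoad.Add("crossCertificatePair")

    foreach ($result in $searcher.FindAll()) {
        # crossCertificatePair is multi-valued; each value is one DER-encoded certificate
        foreach ($raw in $result.Properties["crossCertificatePair"]) {
            $published = $X509::new([byte[]]$raw)
            if ($published.Thumbprint -eq $expected) {
                return [pscustomobject]@{
                    Published  = $true
                    ObjectCN   = $result.Properties["cn"][0]
                    Thumbprint = $expected
                }
            }
        }
    }
    return [pscustomobject]@{ Published = $false; ObjectCN = $null; Thumbprint = $expected }
}

# Placeholder path to the cross-certificate issued by the bridge CA (constructed value)
$crossCert = 'C:\PKI\BridgeCrossCA.crt'

$status = Test-CrossCaPublished -CertPath $crossCert
if (-not $status.Published) {
    # Publish manually, as the bridge CA cannot write into this forest itself
    certutil -f -dspublish $crossCert CrossCA
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
    $status = Test-CrossCaPublished -CertPath $crossCert
}
$status
```

Domain members will only see the new CrossCA object after their next autoenrollment trigger (Winlogon or a Group Policy refresh), so a missing certificate on a client immediately after publication is expected rather than a failure.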