Resolution

Send data collected in chapters https://veridiumid.atlassian.net/l/cp/pfVex0q1 and https://veridiumid.atlassian.net/l/cp/azzhUUG5 to Veridium support team for analysis.

Certification Authority is not trusted in user domain

You need to export CA Root certificate (name it root.cer) and Issuing CA certificate (name it CA.cer).
Note, in some cases it might be same certificate (than simply export it twice using two different names).

On RA server, Install CA management tools: (Domain admin permissions are required for steps 14-16 )

  1. Start Server manager

  2. Client Manage->Add Roles and Features

    image-20230324-123027.png


  3. Click Next on Welcome screen:

    image-20230324-123116.png


  4. Client Next on Select installation type:

    image-20230324-123135.png


  5. Client Next on Server selection:

    image-20230324-123157.png


  6. Client Next on Select Server roles (don’t add/remove anything)

    image-20230324-123216.png


  7. Select Certification Authority Management Tools and click Next button

    image-20230324-123238.png


  8. Click “Install” button

    image-20230324-123259.png


  9. Wait till component is installed and then close window:

    image-20230324-123317.png


  10. Hit Start menu and execute mmc.exe

    image-20230324-123335.png


  11. Go to File menu, option Add/Remove Snap-in…

    image-20230324-123350.png


  12. Select „Enterprise PKI“ on left panel and click „Add“ button. Than click „“ button.

    image-20230324-123401.png


  13. Make a right-click on Enterprise PKI and click “Manage AD containers”

    image-20230324-123431.png


  14. Go to “NTAuthCertificates” tab. Add CA.cer certificate there (by clicking “Add” button).

    image-20230324-123445.png


  15. On your client machine, and on Domain Controller, please execute following command:
    certutil -enterprise -addstore CA.cer NTAuthCA
    Expected response:

    image-20230324-123503.png


  16. Add CA certificate trust: The best is to introduce GPO to distribute CA root certificate as trusted everywhere. Steps are described on: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy