What is "root certification of the domain controller"

Teemo Tang 11,411 Reputation points
2020-07-15T08:48:30.477+00:00

Note "certification" not "certificate"

Note "Domain controller" not domain.

The MS article says

"the smart card must contain the root certification of the domain controller."

(Don't let "smartcard" put you off, that's my problem.)

In my TEST environment I have a single DC with a separate enterprise level CA.

So how do I export the root certification of the domain controller (or rather what is it?)

For ref

https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services

(relevant text in the "note" near the end of the page)

source link: https://social.technet.microsoft.com/Forums/windows/en-US/f90b5639-4dc8-475b-80c5-97ef1e0ab4ab/what-is-quotroot-certification-of-the-domain-controllerquot?forum=winservergen

Windows Server

Accepted answer
  1. Xiaowei He 9,896 Reputation points
    2020-07-16T03:50:14.603+00:00

    Hello,

    Thank you for posting in our TechNet forum.

    According to the note message:

    Note If you use the credential SSP on computers running the supported versions of the operating system that are designated in the Applies To list at the beginning of this topic: To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.

    According to my understanding, the root certification of the domain controller is the root certificate of the domain controller. We can export it as below:

    1. Log on to the DC as a domain administrator.
    2. Open the certlm.msc console.
    3. Navigate to Certificates - Local Computer\Personal\Certificates.
    4. Find the corresponding certificate and right-click it -> All Tasks -> Export.
    5. Import the root certificate of the domain controller to the smart card.

    Best Regards,
    Anne


1 additional answer

  1. Ken Golitin 21 Reputation points
    2020-07-15T13:21:02.957+00:00

    Hi,

    The root certification means the root certificate of your CA. Export it from the certificate store of the DC directly.
    KEN
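
An added PowerShell example, not part of either answer or of Microsoft's documentation: it starts from the DC's own certificate in the Local Computer\Personal store, walks its chain to the root CA certificate, and exports only that root's public part. It assumes the note's "root certification" means the root CA certificate the DC certificate chains to; the output path `$OutFile` and the EKU-based way of picking the DC certificate are assumptions.

```powershell
# Added example; not code from the thread or from Microsoft.
# Assumptions: run in an elevated session on the DC; the DC's certificate is in
# LocalMachine\My with the Server Authentication EKU; $OutFile is a hypothetical path.
$OutFile       = 'C:\Temp\dc-root-ca.cer'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'

# Pick the newest unexpired machine certificate usable for server authentication.
$dcCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $dcCert) { throw 'No unexpired server-authentication certificate found in LocalMachine\My.' }

# Build the chain in machine context. Revocation is skipped because only the
# chain's shape matters here, not whether the DC certificate is still trusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($dcCert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain for '$($dcCert.Subject)' did not build: $why"
}

# The last chain element is the root; a root is self-signed (subject equals issuer).
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) { throw 'Chain does not end in a self-signed root.' }

# -Type CERT writes the DER-encoded public certificate only; no private key leaves the DC.
Export-Certificate -Cert $root -FilePath $OutFile -Type CERT | Out-Null

# Report what was exported so it can be checked before it is loaded anywhere.
[pscustomobject]@{
    DcCertificate  = $dcCert.Subject
    ChainLength    = $chain.ChainElements.Count
    RootSubject    = $root.Subject
    RootThumbprint = $root.Thumbprint
    RootNotAfter   = $root.NotAfter
    ExportedTo     = $OutFile
}
```

Compare `RootThumbprint` with the thumbprint shown for the CA certificate on the CA itself before placing the file on a smart card or a non-domain-joined client.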