This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 93%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
I am very confused by the process of publishing Root and Intermediate certificates to AD and how they deploy to servers across an enterprise. When I publish the Root and Intermediate CA certs to the AIA and Certification Authorities Containers in AD, some servers will pull the new certificates into their trust stores and others will not.
When looking for any documentation around this process, I cannot find much. Does anyone out there know the process from beginning to end? Also, does anyone have an idea of why some would pull the certs from AD and others would not?
Thank you to anyone who can shed light on these dark times.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
If you have installed enterprise PKI , all member machines will detect the certificate automatically when you restart it or run the following command manually:
certutil -pulse
If the client is unable to detect the root certification automatically, I think it may be network flow issue.
Please don't forget to mark this reply as answer if it help to fix your issue
Hi
You can follow the link below:
public-key-infrastructure-part-3-implement-pki-active-directory-certificate-services
Please don't forget to mark this reply as answer if it help you to fix your issue
Hi,
Thank you for this response, but I am looking for a little more depth about the overall process. I have Enterprise CA's deployed, and their certs are already all published to AD. What I am wondering is what is the background process that helps get that certificate deployed throughout the enterprise.
I believe it is the Autoenrollment feature on clients (Servers and Workstations) that initiates the check-in, and the files are downloaded. But is that feature enabled by default? How would I check to see if it is enabled on a ___domain-joined system that does not have the certs in its trust store but has been joined to the ___domain for years?