In each Windows domain enrollment endpoint, import the root certificate of the CA that will issue certificates for the enrollment service.

To import the CA certificate

  1. Log in to the server hosting Active Directory.
  2. Open the Group Policy Management administrative tool. Select Start > Windows Administrative Tools > Group Policy Management.
    The Group Policy Management dialog box appears.
  3. In the tree view, expand the Domain Controller you will modify.
  4. Right-click Default Domain Policy > Edit. The Group Policy Management Editor dialog box appears.
  5. In the tree view, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  6. Right-click Trusted Root Certification Authorities and select Import.
    The Certificate Import Wizard dialog box appears.
  7. Click Next.
    The File to Import page appears.
  8. Click Browse and select the root certificate of the CA that will issue certificates for the enrollment service.
  9. Click Next.
    The Certificate Store page appears.
  10. The Certificate Store field is automatically set to Trusted Root Certification Authorities. Click Next.
    The Completing the Certificate Import Wizard page appears.
  11. Click Finish.
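
To confirm the result of the procedure above, the following PowerShell check can be run on an enrollment endpoint. It is an added example, not part of the original procedure or of any product tooling. It inspects the certificate file chosen in step 8 and then verifies that the certificate reached the endpoint's Trusted Root store through Group Policy. The file path is a placeholder; the registry location is the standard Windows policy store for GPO-distributed root certificates.

```powershell
# Added example. $CaFile is a placeholder path, not a value from the procedure.
param(
    [string]$CaFile = 'C:\Temp\enrollment-root-ca.cer'
)

# Load the same certificate file that was selected in step 8.
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaFile)

# A root certificate is self-signed: subject and issuer must match.
if ($ca.Subject -ne $ca.Issuer) {
    Write-Warning "Issuer is '$($ca.Issuer)'; this file is not a root certificate."
}

# Basic Constraints should mark the certificate as a CA.
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning 'Basic Constraints does not mark this certificate as a CA.'
}

# The certificate must be inside its validity period.
$now = Get-Date
if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
    Write-Warning "Outside validity period ($($ca.NotBefore) to $($ca.NotAfter))."
}

# Pull the updated Default Domain Policy instead of waiting for the refresh interval.
gpupdate /target:computer /force | Out-Null

# The logical store that Windows consults when building certificate chains.
$inStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $ca.Thumbprint

# Roots delivered by Group Policy are kept in the policy store, keyed by thumbprint.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\' +
    $ca.Thumbprint

[pscustomobject]@{
    Subject           = $ca.Subject
    Thumbprint        = $ca.Thumbprint   # compare with the value published by the CA owner
    NotAfter          = $ca.NotAfter
    InTrustedRoot     = [bool]$inStore
    DeliveredByPolicy = Test-Path $policyKey
}
```

If `InTrustedRoot` is true but `DeliveredByPolicy` is false, the certificate was installed locally on that endpoint rather than through the Default Domain Policy.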