Export the Active Directory Server's Root Certificate

The task that follows discusses how to export the Active Directory server's root certificate, which is required to connect securely to the management center to obtain user identity information.

Before you begin

You must know the name of your Active Directory server's root certificate. The root certificate might have the same name as the domain or the certificate might have a different name. The procedure that follows shows one way you can find the name; there could be other ways, however.

Procedure


Step 1

The following is one way to find the name of the Active Directory server's root certificate; consult Microsoft documentation for more information:

  1. Log in to the Active Directory server as a user with privileges to run the Microsoft Management Console.

  2. Click Start and enter mmc.

  3. Click File > Add/Remove Snap-in.

  4. From the Available Snap-ins list in the left pane, click Certificates (local).

  5. Click Add.

  6. At the Certificates snap-in dialog box, click Computer Account and click Next.

  7. At the Select Computer dialog box, click Local Computer and click Finish.

  8. Windows Server 2012 only. Repeat the preceding steps to add the Certification Authority snap-in.

  9. Click Console Root > Trusted Certification Authorities > Certificates.

    The server's trusted certificates are displayed in the right pane. The following figure is only an example for Windows Server 2012; yours will probably look different.

    Finding the Active Directory's root certificate under Trusted Root Certificate Authorities.

Step 2

Export the certificate using the certutil command.

This is only one way to export the certificate. It's a convenient way to export the certificate, especially if you can run a web browser and connect to the management center from the Active Directory server.

  1. Click Start and enter cmd.

  2. Enter the command certutil -ca.cert certificate-name.

    The server's certificate is displayed on the screen.

  3. Copy the entire certificate to the clipboard, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE----- (including those strings).
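
Before importing, the copied text can be checked to confirm that it holds one complete certificate block and that the certificate looks like a root CA. The following PowerShell is an added example, not part of the original procedure or of the product's own tooling; the function name Test-ExportedRootCertificate and the sample subject CN=Example-Root-CA are hypothetical, and it assumes PowerShell 7 or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-ExportedRootCertificate {
    param([Parameter(Mandatory)][string]$Text)

    # The pasted text must contain exactly one complete block, markers included.
    $blocks = [regex]::Matches($Text,
        '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----')
    if ($blocks.Count -ne 1) {
        throw "Expected one complete certificate block, found $($blocks.Count)."
    }
    $der  = [Convert]::FromBase64String(($blocks[0].Groups['b64'].Value -replace '\s', ''))
    $cert = [X509Certificate2]::new($der)

    # basicConstraints (OID 2.5.29.19) says whether this is a CA certificate.
    $ext  = $cert.Extensions['2.5.29.19']
    $isCa = $false
    if ($ext) { $isCa = [X509BasicConstraintsExtension]::new($ext, $ext.Critical).CertificateAuthority }

    $sha = [SHA256]::Create()
    try { $hash = $sha.ComputeHash($cert.RawData) } finally { $sha.Dispose() }

    [pscustomobject]@{
        Subject    = $cert.Subject
        SelfIssued = $cert.SubjectName.Name -ceq $cert.IssuerName.Name  # name match only
        IsCA       = $isCa
        NotAfter   = $cert.NotAfter
        Sha256     = [BitConverter]::ToString($hash) -replace '-', ''
    }
}

# Constructed sample: an in-memory self-signed CA standing in for the AD root,
# wrapped in extra console text the way a copy from the command window might be.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=Example-Root-CA', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddYears(1))
$pem = "-----BEGIN CERTIFICATE-----`n" +
    [Convert]::ToBase64String($sample.RawData, 'InsertLineBreaks') +
    "`n-----END CERTIFICATE-----"

Test-ExportedRootCertificate -Text "(constructed leading line)`n$pem`n(constructed trailing line)"
```

For a real export, pass the clipboard contents as -Text. A result with SelfIssued or IsCA set to False means the copied certificate is not a root CA certificate and should be rechecked before it is trusted.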


What to do next

Import the Active Directory server's certificate into the management center as a Trusted CA Certificate as discussed in Adding a Trusted CA Object.