Annex — Certificate Export and NTAuth Store Procedures

The following procedure describes how to manually inspect and export the full certificate chain. The certificate must be trusted by the computer.

1. Press Windows + R and type certmgr.msc to open the user certificate store.
2. Locate and double-click the certificate you want to inspect.
3. Go to the Certification Path tab.
4. The Certificate status field should read "This certificate is valid". If it does not, root or intermediate certificates may be missing.
5. Click each certificate in the chain and use View Certificate to open intermediate certificates for export.

1. On the Details tab of the certificate, click Copy to File.
2. If exporting the end-entity certificate, you may be asked whether to export the private key. Do not export the private key.
3. Select the CER format — either DER-encoded binary or Base-64 encoded.

The NTAuth store holds the CA certificates trusted for smart card logon. If a root or intermediate CA certificate is missing, authentication fails with a "certificate not trusted" error.

First, export the CA certificate to a .cer file (see above). Then use one of the methods below.

Method 1 — PKI Health Tool

1. Install the Windows Server 2003 Resource Kit Tools.
2. Open mmc.exe and add the Enterprise PKI snap-in:
   • Go to Console → Add/Remove Snap-in → Standalone → Add.
   • Select Enterprise PKI, click Add, then Close, then OK.
3. Right-click Enterprise PKI and choose Manage AD Containers.
4. Click the NTAuthCertificates tab, then click Add.
5. Go to File → Open, locate the .cer file, and click OK.

Method 2 — Certutil

certutil -dspublish -f filename.cer NTAuthCA

gpupdate /force