All certification authority (CA) certificates in the Active Directory domain of the current forest are stored in the NTAuthCertificates container. Enterprise CA certificates are added automatically when a new CA is installed.

If a CA certificate is not added automatically when the new CA is created, such as a stand-alone CA created by a user who is not a member of the Enterprise Admins group, the CA certificate can still be added manually to the NTAuthCertificates container. This process can also be used to add the CA certificate of a non-Microsoft CA that has been used to issue smart card logon or domain controller certificates. By publishing these CA certificates to the Enterprise NTAuth store, the administrator indicates that the CA is trusted to issue certificates of these types.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To add a certificate to the NTAuthCertificates container by using the Windows interface
  1. Export the certificate of the CA to a .cer file in either the Distinguished Encoding Rules (DER)-encoded binary format or the base-64 encoded X.509 format.

  2. Open the Enterprise PKI snap-in, right-click Enterprise PKI in the console tree, and click Manage AD Containers.

  3. Click the NTAuthCertificates container.

  4. Click Add, and browse to the .cer file for the certificate that you want to add. Click OK.

You can also add a certificate to the NTAuthCertificates container by using the Certutil command-line tool.

To add a certificate to the NTAuthCertificates container by using a command line
  1. Export the certificate of the CA to a .cer file in either the DER-encoded binary format or the base-64 encoded X.509 format.

  2. Open a command prompt window, type the following command, and press ENTER:

    certutil -dspublish -f filename NTAuthCA
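The following PowerShell script is an added example and is not part of the original article. It runs the certutil command from the procedure above and then verifies the result the way an administrator would want to: by reading the cACertificate attribute of the NTAuthCertificates object in the Configuration naming context and checking that the thumbprint of the exported .cer file is now present. Because every certificate in this container is trusted to issue smart card logon and domain controller certificates, the script also lists all entries with their expiry so the store can be reviewed for CAs that should no longer be there. The .cer path is an assumption; the container's distinguished name is the standard location of the NTAuth store.

```powershell
# Added example (not from the original article): publish a CA certificate to the
# NTAuthCertificates container and verify the publication by reading the container
# back from Active Directory. Requires Enterprise Admins (or equivalent) and the
# certutil tool. The .cer path below is an assumed value.
param(
    [string]$CerFile = 'C:\temp\IssuingCA.cer'   # assumed: exported CA certificate (DER or base-64)
)

function Get-NTAuthCertificates {
    # The NTAuth store lives in the forest Configuration naming context at
    # CN=NTAuthCertificates,CN=Public Key Services,CN=Services,<configurationNamingContext>.
    # The cACertificate attribute is multi-valued; each value is one DER-encoded certificate.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $container = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($der in $container.Properties['cACertificate']) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
}

# Step 2 of the command-line procedure: publish the file. -f updates the existing
# object if the certificate is already present.
certutil -dspublish -f $CerFile NTAuthCA
if ($LASTEXITCODE -ne 0) {
    throw "certutil -dspublish failed with exit code $LASTEXITCODE"
}

# Verification: the thumbprint of the file we published must now be in the container.
# Note that certutil writes to one domain controller and [ADSI] may bind to another;
# if the check fails immediately after publishing, allow for AD replication and retry.
$published = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerFile)
$inStore   = @(Get-NTAuthCertificates)
$match     = $inStore | Where-Object { $_.Thumbprint -eq $published.Thumbprint }

if (-not $match) {
    throw "Certificate $($published.Thumbprint) was not found in NTAuthCertificates"
}
Write-Host "Published and verified: $($published.Subject) ($($published.Thumbprint))"

# Audit view: every CA listed here is trusted for smart card logon and DC certificates,
# so expired or unexpected entries deserve attention.
$now = Get-Date
$inStore |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

Run the script from an elevated PowerShell session on a domain-joined machine as a member of Enterprise Admins. The same container can also be inspected with `certutil -viewstore -enterprise NTAuth`; the script's LDAP read is useful where you want the result as objects for comparison against a known-good list of issuing CAs.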