Publish certificates in a foreign Active Directory forest

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To publish certificates in a foreign Active Directory forest

  1. Log on to the system as an administrator.

  2. Open Command Prompt.

  3. Type:

    certutil -setreg CA\AlternatePublishDomains +"DomainName"

Value                         Description

certutil                      Specifies the name of the command-line program.

-setreg                       Modifies the registry.

CA\AlternatePublishDomains    Indicates the registry value that contains a list of Active Directory domains that receive certificate publication.

+                             Indicates that if there are current entries stored in this registry value, append this entry to those.

DomainName                    Specifies the fully qualified DNS domain name of the foreign Active Directory domain to publish certificates in.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • A forest trust relationship must exist between the CA's forest and the forest that certificates will be published in before publication in the foreign domain. For more information, see Related Topics.

  • The default permissions in a trust across forests do not allow certificate publication from a foreign forest. To grant the appropriate permissions, use the Delegation of Control Wizard on the foreign Active Directory's root domain to make the following settings:

    Setting                      Value

    Selected users and groups    Certificate Publishers group in the foreign Active Directory domain

    Tasks to delegate            Create a custom task to delegate

    Delegate control of          Under Only the following objects in the folder, select Contact objects

    Show these permissions       Click Property-specific, then select Read userCertificate and Write userCertificate

    For more information on running the Delegation of Control Wizard, see Related Topics.

  • The default membership of the foreign Active Directory's Cert Publishers group does not include the source CA. The source CA's Active Directory computer account must be added to the foreign Cert Publishers group before publishing across forests will work. Because computer accounts cannot be found across trusts across forests by browsing, ensure you know the name of the CA to add.

  • Publication of certificates in a foreign Active Directory requires the e-mail property in the source forest's User object to match the e-mail property in the destination forest's Contact object. The e-mail property must be populated on User objects for this to happen. For more information on changing properties of a User object, see Related Topics.

  • To view the complete syntax for this command, at a command prompt, type:

    certutil -setreg -?
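The following PowerShell script is an added example, not part of the original page, that carries out the steps above end to end and then verifies the result: it checks that the forest trust exists, adds the source CA's computer account to the foreign Cert Publishers group, appends the foreign domain to AlternatePublishDomains, restarts the CA service, and finally lists the effective publication domains and the foreign group's members so that unexpected entries can be spotted. The CA name CORP-CA, the source domain corp.example and the foreign domain partner.example are assumptions; the ActiveDirectory module (RSAT) and an account with the permissions described in the notes are required.

```powershell
# Added example (not from the original page). Names below are assumptions.
$SourceDomain  = 'corp.example'      # forest that hosts the CA
$ForeignDomain = 'partner.example'   # foreign domain that will receive publication
$CaComputer    = 'CORP-CA'           # computer account name of the CA (no trailing $)

# 1. A forest trust must already exist; stop early if it does not.
$trust = Get-ADTrust -Filter "Name -eq '$ForeignDomain'"
if (-not $trust) {
    throw "No trust with $ForeignDomain found. Create the forest trust first."
}

# 2. Computer accounts cannot be browsed across the forest trust, so resolve the
#    CA's account by name in the source domain and pass the object (resolved by
#    SID on the foreign side) into the foreign Cert Publishers group.
$caAccount = Get-ADComputer -Identity $CaComputer -Server $SourceDomain
Add-ADGroupMember -Identity 'Cert Publishers' -Members $caAccount -Server $ForeignDomain

# 3. Append the foreign domain to the CA's publication list (the certutil step
#    from this page) and restart the CA service so the new value takes effect.
certutil -setreg "CA\AlternatePublishDomains" "+$ForeignDomain"
Restart-Service -Name CertSvc

# 4. Verify: show the effective publication domains and review the foreign
#    group's membership. Only the expected CA computer account should be present;
#    any other member can publish certificates into that domain.
certutil -getreg "CA\AlternatePublishDomains"
Get-ADGroupMember -Identity 'Cert Publishers' -Server $ForeignDomain |
    Select-Object Name, objectClass, distinguishedName
```

Review the output of step 4 periodically, since membership of Cert Publishers and the contents of AlternatePublishDomains together determine who can write userCertificate on Contact objects in the foreign domain.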

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Start or stop the certification authority service
Forest trusts
Create a forest trust

Other Resources

Delegate control