A. To create a certificate trust list (CTL), you first need to configure each domain with a list of Certificate Authorities (CAs) the domain trusts, so that the domain's users can request certificates. First, you need to install an Enterprise CA. (See the FAQ "How Do I Install an Enterprise Certificate Authority?") You also need an Administrator certificate or an explicit Trust List Signing certificate, because only a certificate with that purpose can sign the CTL. The following steps outline how to request an Administrator certificate.
- Start the Microsoft Management Console (MMC).
- From the Console menu, select Add/Remove Snap-in.
- Click Add.
- Select Certificates, and click Add.
- Select My user account as the type, and click Finish.
- Click Close.
- Click OK to return to the main dialog box.
- Expand the Certificates root, and right-click Personal.
- From the All Tasks menu, select Request New Certificate, as the Screen shows.
- Click Next in the Certificate Request Wizard dialog box.
- Select the Administrator template, and click Next.
- Enter a user-friendly name and description, and click Next.
- Click Finish when the confirmation screen displays.
- When the dialog box displays to confirm the certificate creation, click Install Certificate.
- Finally, click OK in the success dialog box.
As the Screen shows, you can use the MMC Certificates snap-in to view the certificate and see that the Enterprise CA rather than the local Administrator issued the certificate.
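The same check can be done from the command line instead of by opening the snap-in. The following PowerShell function is an added example and is not part of the original FAQ; it lists the certificates in the current user's Personal store that were issued by the Enterprise CA (issuer differs from subject and matches a name pattern you supply) and that carry the Microsoft Trust List Signing purpose, which the CTL Wizard needs in the next section. The CA name "Contoso Enterprise CA" is a constructed placeholder; replace it with the name of your CA.

```powershell
# Added example, not from the original FAQ: find certificates in the user's
# Personal (My) store that the Enterprise CA issued and that can sign a CTL.
function Get-CtlSigningCandidate {
    param(
        # Placeholder CA name; substitute the issuer name of your Enterprise CA.
        [string]$IssuerPattern = 'Contoso Enterprise CA'
    )

    # OID of the "Microsoft Trust List Signing" enhanced key usage. The
    # Administrator template includes it; a dedicated Trust List Signing
    # template contains only this purpose.
    $ctlSigningOid = '1.3.6.1.4.1.311.10.3.1'

    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_

        # Pull the EKU extension (if any) and flatten it to a list of OID strings.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            # A self-signed certificate has Issuer equal to Subject; one issued by
            # the Enterprise CA names the CA instead.
            IssuedByCA    = ($cert.Issuer -ne $cert.Subject) -and ($cert.Issuer -like "*$IssuerPattern*")
            CanSignCtl    = $ekuOids -contains $ctlSigningOid
            # Signing the CTL requires the private key, not just the public certificate.
            HasPrivateKey = $cert.HasPrivateKey
            # Verify() builds the chain to a trusted root and checks validity dates and revocation.
            ChainIsValid  = $cert.Verify()
        }
    } | Where-Object { $_.IssuedByCA -and $_.CanSignCtl }
}

# Show the candidates; an empty result means the Administrator request above did
# not complete, or the certificate landed in a different store.
Get-CtlSigningCandidate | Format-List
```

If the function returns a certificate whose `ChainIsValid` is `False`, the workstation does not trust the Enterprise CA's root yet (or the CA's CRL is unreachable), and the CTL you sign with it will fail validation on client machines for the same reason.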
To create the CTL, perform the following steps.
- Start the MMC Active Directory Users and Computers snap-in. (From the Start menu, select Programs, Administrative Tools, Active Directory Users and Computers.)
- Right-click the domain, and select Properties.
- Select the Group Policy tab.
- Select Default Domain Policy (or another policy), and click Edit.
- Select User Configuration, Windows Settings, Security Settings, Public Key Policies, Enterprise Trust.
- Right-click Enterprise Trust, and select New, Certificate Trust List, as the Screen shows.
- When the Certificate Trust List Wizard, which the Screen shows, starts, click Next.
- You can enter a prefix for the CTL and the purpose (e.g., Encrypting File System—EFS).
- Click Next.
- Select a certificate, click Add from Store, select a domain certificate, and click OK. Click Next.
- Select a signature (i.e., the Administrator certificate you created), click Select from Store, select the certificate that displays, and click OK. Click Next.
- You can add a timestamp if you want. Click Next.
- Enter a user-friendly name and description. Click Next.
- Click Finish when the summary page displays.
- Click OK in the success dialog box.
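Because the CTL is delivered through Group Policy, nothing changes on a domain workstation until the user policy is refreshed. The following PowerShell function is an added example, not part of the original FAQ: it forces a user policy refresh with `gpupdate` (Windows XP/Server 2003 and later; on Windows 2000 the equivalent is `secedit /refreshpolicy user_policy /enforce`) and then asks `certutil` to dump the user's Trust store, which is the store the Enterprise Trust policy node populates. It assumes that `certutil -store` prints each CTL entry on a header line containing the token "CTL".

```powershell
# Added example, not from the original FAQ: refresh user policy and confirm that
# the Enterprise Trust (certutil "Trust") store of the current user now holds a CTL.
function Test-EnterpriseTrustCtl {
    # Apply the updated Default Domain Policy now instead of waiting for the
    # background refresh interval.
    gpupdate.exe /target:user /force | Out-Null

    # certutil lists certificates, CRLs and CTLs held in the named store.
    # -user selects the current user's stores rather than the machine's.
    $dump = certutil.exe -user -store Trust 2>&1 | ForEach-Object { [string]$_ }

    # Assumption: each CTL in the dump is introduced by a header line that
    # contains the token "CTL" (certificates are introduced by "Certificate n").
    $ctlHeaders = @($dump | Where-Object { $_ -match '\bCTL\b' })

    [pscustomobject]@{
        CtlCount = $ctlHeaders.Count
        Present  = $ctlHeaders.Count -gt 0
        Dump     = $dump
    }
}

$result = Test-EnterpriseTrustCtl
if ($result.Present) {
    "CTL delivered: $($result.CtlCount) entry/entries found in the user's Enterprise Trust store."
} else {
    "No CTL found. Check that the user is in a scope the edited policy applies to, then re-run."
    $result.Dump
}
```

Run this as a user in the domain (not as the CA administrator on the CA itself) so that the check reflects what policy actually delivers; the same `certutil -user -store Trust` dump also shows the CTL's signer, so you can confirm it was signed by the Administrator certificate selected in the wizard rather than by some other key.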