A. To create a certificate trust list (CTL), you first need to configure each domain with a list of Certificate Authorities (CAs) that the domain trusts, so that the domain's users can request certificates. This requires an Enterprise CA (see the FAQ "How Do I Install an Enterprise Certificate Authority?") and either an Administrator certificate or an explicit Trust Signing certificate. The following steps outline how to request an Administrator certificate.

  1. Start the Microsoft Management Console (MMC).
  2. From the Console menu, select Add/Remove Snap-in.
  3. Click Add.
  4. Select Certificates, and click Add.
  5. Select My user account as the type, and click Finish.
  6. Click Close.
  7. Click OK to return to the main dialog box.
  8. Expand the Certificates root, and right-click Personal.
  9. From the All Tasks menu, select Request New Certificate, as the Screen shows.


  10. Click Next in the Certificate Request Wizard dialog box.
  11. Select the Administrator template, and click Next.
  12. Enter a user-friendly name and description, and click Next.
  13. Click Finish when the confirmation screen displays.
  14. When the dialog box displays to confirm the certificate creation, click Install Certificate.
  15. Finally, click OK in the success dialog box.

As the Screen shows, you can use the MMC Certificates snap-in to view the certificate and see that the Enterprise CA rather than the local Administrator issued the certificate.

To create the CTL, perform the following steps.

  1. Start the MMC Active Directory Users and Computers snap-in. (From the Start menu, select Programs, Administrative Tools, Active Directory Users and Computers.)
  2. Right-click the domain, and select Properties.
  3. Select the Group Policy tab.
  4. Select Default Domain Policy (or another policy), and click Edit.
  5. Select User Configuration, Windows Settings, Security Settings, Public Key Policies, Enterprise Trust.
  6. Right-click Enterprise Trust, and select New, Certificate Trust List, as the Screen shows.

  7. When the Certificate Trust List Wizard, which the Screen shows, starts, click Next.

  8. You can enter a prefix for the CTL and the purpose (e.g., Encrypting File System—EFS).
  9. Click Next.
  10. Select a certificate, click Add from Store, select a domain certificate, and click OK. Click Next.
  11. Select a signature (i.e., the Administrator certificate you created), click Select from Store, select the certificate that displays, and click OK. Click Next.
  12. You can add a timestamp if you want. Click Next.
  13. Enter a user-friendly name and description. Click Next.
  14. Click Finish when the summary page displays.
  15. Click OK in the success dialog box.
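The two procedures above are carried out in the MMC. As an added example (not from the original FAQ), the following PowerShell script checks their results from the command line: that the current user's Personal store holds a certificate able to sign a CTL (Trust List Signing EKU, issued by the Enterprise CA rather than self-issued), and that the new CTL has reached the user's policy store. It assumes the `Cert:` provider exposes `EnhancedKeyUsageList` on each certificate and that Group Policy writes user CTLs under the registry path shown; both are assumptions, not facts stated on this page.

```powershell
# Added verification script, not part of the original FAQ.
# Assumptions: EnhancedKeyUsageList is available on Cert: drive objects,
# and Group Policy stores user CTLs as Blob values under the path below.

$TrustListSigningOid = '1.3.6.1.4.1.311.10.3.1'   # Microsoft Trust List Signing EKU

function Get-CtlSigningCertificate {
    # Certificates that could sign a CTL: carry the Trust List Signing EKU,
    # have a private key, are within their validity period and are not
    # self-issued (the Enterprise CA, not the local account, issued them).
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
            $_.Subject -ne $_.Issuer -and
            (($_.EnhancedKeyUsageList | Select-Object -ExpandProperty ObjectId) -contains $TrustListSigningOid)
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Get-PolicyCtl {
    # Assumed location of CTLs delivered to the current user by Group Policy;
    # each subkey is one CTL holding a binary Blob value.
    $path = 'HKCU:\Software\Policies\Microsoft\SystemCertificates\Trust\CTLs'
    if (-not (Test-Path $path)) {
        Write-Warning "No policy CTL store at $path; run 'gpupdate /target:user' and retry."
        return
    }
    Get-ChildItem -Path $path | ForEach-Object {
        $blob = (Get-ItemProperty -Path $_.PSPath).Blob
        [pscustomobject]@{
            CtlId     = $_.PSChildName
            BlobBytes = if ($blob) { $blob.Length } else { 0 }
        }
    }
}

$signers = @(Get-CtlSigningCertificate)
if ($signers.Count -eq 0) {
    Write-Warning 'No Trust List Signing certificate found; request an Administrator certificate first.'
} else {
    $signers | Format-Table -AutoSize
}
Get-PolicyCtl | Format-Table -AutoSize
```

If the signing-certificate check returns nothing, the CTL wizard's "Select from Store" step (step 11) will also show no usable certificate, so fix that prerequisite before repeating the second procedure.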