Skip to content
Posted in

PKI

How to extend certificate enrollment to another forest?

Posted byHemant Bhatt 03 Minutes
CipherTrust Manager instances upgrade

This blog discusses Cross Forest Certificate Enrollment and the steps required to do it.

What is Cross Forest Certificate Enrollment?

  • Enterprises can build a central PKI in one Active Directory Domain Services (AD DS) forest that issues certificates to domain members in other forests by using cross-forest enrolment.
  • By combining certificate templates from many forests into a single PKI that supports all forests, enterprises with current per-forest AD CS implementations can lower the number of CAs.
  • To offer enrollment services across all forests, enterprises with multi-forest settings but no PKI can implement AD CS in a single forest.

Prerequisites

  • Two-way forest trusts exist between account and resource forests.
  • One or more enterprise CAs running on Windows Server.

Steps

Publish the Root CA Information to another Forest.

  1. Log on to a domain controller in the Forest as a member of the Enterprise Admins group.
  2. Insert the USB thumb drive containing the root CA published certificate and CRL.
  3. Ensure you are in the administrative command prompt.
  4. At the command prompt, type “certutil -f -dspublish ” Root CA.crt” RootCA
  5. At the command prompt, type PKIView.msc and press ENTER.
  6. If the pkiview message box appears, click OK to accept the error message if prompted.
  7. In the console tree, right-click Enterprise PKI, and then click Manage AD Containers.
  8. On the Certification Authorities Container tab, ensure that RootCAName appears.
  9. On the AIA Container tab, ensure that RootCAName appears. Click OK.

Publish SubCA information to new Forest Configuration Partition (Enrollment Services and Templates)

  1. Ensure New Forest has Permissions/Delegations configured on CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain}
  2. From existing forests, modify the scheduled task to update PKIsync.cmd to new Forest (Below additional line to be added)
    .\PKISync.ps1 -sourceForest RESOURCE.LOCAL -targetforest account.LOCAL -type Template -cn ” <certificate template common name>. ” >> C:\Temp\CAScripts\PKSyncCorp.txt
  3. Run the Scheduled task “PKI Cross Forest Replication”
  4. Login to target forest open ADSIEDIT.msc > Connect to configuration partition N=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain}
  5. Check Enrollment Services > Verify if PKI Servers exist there.
  6. Check Certificate Templates > Verify customer certificate templates exist there

Note: Above cmd only syncs specific templates; you may choose to sync entire containers.

Enterprise PKI Services

Get complete end-to-end consultation support for all your PKI requirements!

Learn More

Publish the SubCA Information to a New Forest. 

  1. Open an administrative command prompt.
  2. At the command prompt, type USB: and then press ENTER.
  3. At the command prompt, type CD \CACerts and press ENTER.
  4. At the command prompt, type certutil -dspublish -f <enterprise-ca-cert-filename.cer> SubCA and then press ENTER.
  5. At the command prompt, type certutil -dspublish -f <enterprise-ca-cert-filename.cer> NTAUthCA and then press ENTER.

Add SubCA Information to the Cert Publishers group in New Forest. 

  1. Open Active Directory Users and Computers.
  2. Connect to the Domain needed
  3. In the console tree, navigate to the CN=Users container.

Note: If the group is not in the default container, search for it within the domain.

  • In the details pane, double-click Cert Publishers.
  • On the General tab, ensure that the group’s scope is Domain Local.
  • Add PKI Servers from the forest as members.

Assign permissions of Forest to Certificate Templates

  1. Open Active Directory certificate authority.
  2. Find Certificate templates > Right Click > Manage
  3. Find the Certificate Templates and go to their properties
  4. Assign users/groups/computers
  5. On the General tab, ensure that the group’s scope is Domain Local.
  6. Add PKI Servers from the forest as members.

Assign permissions on CA so new Forest can enroll Certificates

  1. Open Active Directory certificate authority.
  2. Right Click CA Name > Choose Properties
  3. Navigate to Security > Add Groups of New Forest, which needs to enroll.
References: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ff955842(v=ws.10)

Discover Our

Related Blogs

Strong Certificate Mapping

March 3, 2025

Microsoft’s Strong Certificate Mapping Enforcement — What It Means for Your PKI and How to Prepare

Read More
PKI Modernizing

February 21, 2025

Modernizing PKI to Prepare for PQC

Read More
Everything about PKIaas

October 9, 2024

Why Organizations Need PKI-as-a-Service

Read More

Explore

More Topics