There are several ways to export the Root CA certificate, and I will show you two easy ways to export the Root Certification Authority certificate for ConfigMgr. The steps apply to anyone who wants to download the Root CA certificate, whether or not ConfigMgr is installed in the setup.
Before you read further, I assume you have the Certification Authority installed and configured in your setup. You may use my guide to install Enterprise Root Certification Authority. There are two recommended methods to export the Root CA certificate, and you can use either of them:
- Using the Command Prompt, export the Root CA certificate.
- Request the Root Certification Authority Certificate from the Web Enrollment Site.
The first method seems easy and quick because a single command exports the Root CA certificate, while the second method requires you to access the Root Certification Authority Web Enrollment Site and download the Root Certificate.
While working on ConfigMgr, there are instances when you require the Root CA certificate. For example, when you are setting up a CMG, you specify the root certificate while adding the cloud management gateway role. Another example is when your CMG fails with Error 0x80004005. Specifying the Root CA certificate and tweaking the Client Certificate Revocation solves the issue.
When you deploy PKI certificates for ConfigMgr, you must specify the Root CA certificate under the ConfigMgr Site Properties. Most of us ignore this step or miss it. This is an important step and you shouldn't skip it.
Export Root CA Certificate Using Command Prompt
Using the command prompt, you can request and export the Root CA certificate for ConfigMgr.
- Log into the Root Certification Authority server (Windows Server) with an Administrator Account.
- Click Start and type CMD and run the command prompt as administrator.
- To export the Root CA certificate, run the command certutil -ca.cert C:\RootCA_name.cer
- Look for CertUtil: -ca.cert command completed successfully. That confirms the Root CA has been exported successfully.
- Go to the root drive and you should find the Root Certificate.
Request the Root Certification Authority Certificate from the Web Enrollment Site
The second method involves requesting the certificate from the web enrollment site and downloading the Root CA certificate. You can access the URL from a member server, or log in to the certificate authority server and export the Root CA certificate from there.
Open the browser (preferably Edge or Firefox) and access the web enrollment site URL, which is usually http://servername/certsrv. On the default page, you must select a task from the following options.
- Request a certificate
- View the status of a pending certificate request
- Download a CA certificate, certificate chain, or CRL
Click Download a CA Certificate.
In the next step, click Download CA certificate and save the Root CA certificate to the desired location. We have successfully exported the Root CA certificate.
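Before you set the exported file in ConfigMgr, you can confirm that it really is a root CA certificate and that a copy downloaded from the web enrollment site over http matches the one exported on the CA server. The following PowerShell is an added example, not part of the original guide: C:\RootCA_name.cer comes from the certutil command above, while the function name Get-RootCertSummary and the download path and file name are assumptions.

```powershell
# Added example: inspect an exported root CA certificate file before trusting it.
function Get-RootCertSummary {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Load the .cer file (DER and Base64 encodings are both accepted)
    $file = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # The Basic Constraints extension says whether this is a CA certificate
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }

    # SHA-256 fingerprint of the encoded certificate, for comparing copies
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try { $fp = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', '' }
    finally { $sha256.Dispose() }

    $now = Get-Date
    [pscustomobject]@{
        Path       = $file
        Subject    = $cert.Subject
        # A root is issued to itself (name comparison only, not a signature check)
        SelfIssued = ($cert.SubjectName.Name -eq $cert.IssuerName.Name)
        IsCA       = [bool]($bc -and $bc.CertificateAuthority)
        InValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint   # SHA-1, as shown in the Windows certificate dialog
        Sha256     = $fp
    }
}

# Path used in the certutil command above
$exported = Get-RootCertSummary -Path 'C:\RootCA_name.cer'
$exported | Format-List
if (-not ($exported.SelfIssued -and $exported.IsCA -and $exported.InValidity)) {
    Write-Warning 'This file does not look like a currently valid root CA certificate.'
}

# Assumed location and file name of the copy saved from the web enrollment site
$downloadPath = Join-Path $env:USERPROFILE 'Downloads\certnew.cer'
if (Test-Path -LiteralPath $downloadPath) {
    $downloaded = Get-RootCertSummary -Path $downloadPath
    if ($downloaded.Sha256 -eq $exported.Sha256) { 'Downloaded copy matches the CA export.' }
    else { Write-Warning 'Downloaded copy differs from the CA export; do not import it.' }
}
```

If SelfIssued is False, the file is most likely a subordinate CA certificate rather than the root.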
Specify the Root CA Certificate under Trusted Root Certification Authorities
Once you have the Root CA certificate exported, you can set it under Trusted Root Certification Authorities.
- Launch the Configuration Manager console.
- Navigate to Administration\Overview\Site Configuration\Sites.
- Select the ConfigMgr site, right-click it and click Properties.
- On the Site Properties window, click the Communication Security tab.
- Look for the Trusted Root Certification Authorities option and click the Set button.
- Select the Root CA certificate and apply the certificate. When you do that, you will see the Root CA specified.