For Active Directory to trust the server certificate, you must install the CA certificate chain for the certificate into the server hosting Active Directory. You must install the entire CA certificate chain, from the root CA to the issuing CA (the CA that issued the server certificate). For an on-premises CA, the root CA may be the issuing CA. You must install the CA certificate chain into Active Directory before you install the server certificate.
To install a CA certificate into Active Directory
- For an on-premises CA, obtain all CA certificates in the CA certificate chain using your on-premises CA tools. See the documentation for your on-premises CA for instructions.
- For Entrust PKI as a Service, download all CA certificates in the certificate chain:
  - Log in to the Entrust Certificate Services interface.
  - Select Administration > PKIaaS Management.
    A list of private CAs appears.
  - For each CA in the TLS certificate chain (from the Issuing CA to the Root CA), select the CA and then click Download certificate.
- Double-click the CA certificate file.
  The Certificate dialog box appears.
- Click Install Certificate.
  The Certificate Import Wizard appears.
- The Welcome to the Certificate Import Wizard page appears.
- For Store Location, select Local Machine.
- Click Next.
- The Certificate Store page appears.
- Select Place all certificates in the following store.
- Click Browse.
  The Select Certificate Store dialog box appears.
- If the CA certificate is a root CA certificate, select Trusted Root Certification Authorities.
- If the CA certificate is a subordinate (intermediate) CA certificate, select Intermediate Certification Authorities.
- Click OK.
- Click Next.
- The Completing the Certificate Import Wizard page appears.
- Click OK.
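
The same store placement can be scripted for a whole chain. The following PowerShell is an added example, not part of the original procedure; it assumes the CA certificate files have been copied to `C:\Temp\ca-chain` (a hypothetical path) and that it runs in an elevated session on the server hosting Active Directory.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. $CaCertDir is an assumed folder that holds
# the CA certificate files obtained in the steps above.
param([string]$CaCertDir = 'C:\Temp\ca-chain')

$ErrorActionPreference = 'Stop'

function Test-IsCa($Cert) {
    # True only when the Basic Constraints extension marks the certificate as a CA.
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    return [bool]($bc -and $bc.CertificateAuthority)
}

$chain = Get-ChildItem -Path $CaCertDir -File |
    Where-Object { $_.Extension -in '.cer', '.crt' } |
    ForEach-Object {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName)
        [pscustomobject]@{
            Path   = $_.FullName
            Cert   = $cert
            # Subject equal to Issuer is a name check for a self-signed root,
            # not a signature check.
            IsRoot = ($cert.Subject -ceq $cert.Issuer)
        }
    }

# Roots first, then subordinate CAs, matching the root-to-issuing order.
foreach ($item in ($chain | Sort-Object -Property IsRoot -Descending)) {
    # A non-self-signed certificate without CA=true is an end-entity certificate
    # (for example the server certificate) and does not belong in a CA store.
    if (-not $item.IsRoot -and -not (Test-IsCa $item.Cert)) {
        Write-Warning "Skipping $($item.Path): not a CA certificate"
        continue
    }
    # Root -> Trusted Root Certification Authorities (Root);
    # subordinate -> Intermediate Certification Authorities (CA).
    $store = if ($item.IsRoot) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
    Import-Certificate -FilePath $item.Path -CertStoreLocation $store | Out-Null
    [pscustomobject]@{
        Store      = $store
        Subject    = $item.Cert.Subject
        Thumbprint = $item.Cert.Thumbprint   # compare with the value published by the CA
        NotAfter   = $item.Cert.NotAfter
    }
}
```

The output lists each imported certificate with its store and thumbprint, so the root's thumbprint can be checked against the value obtained from the CA before the server certificate is installed.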