How to add a trusted root certificate to an RSA Authentication Manager Group Policy Object
Originally Published: 2025-02-05
Article Number
000073174
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
Version(s):  8.7

Issue

The RootCA.cer file contains the public certificate of a root Certificate Authority (root CA), the top of a Public Key Infrastructure (PKI) hierarchy; the root CA's key signs the certificates (or the intermediate CA certificates) that the PKI issues. It needs to be placed in the Trusted Root Certification Authorities container for the following reasons:

Establishing trust

  • The Trusted Root Certification Authorities store contains the certificates of root CAs that the system explicitly trusts.
  • A certificate that chains to one of these roots is accepted as trusted, provided the rest of the chain validates (validity dates, revocation status, key usage, and name checks).

Enabling certificate chain validation

  • When a client receives a certificate (for example, from a website or service), it builds the certificate's chain of trust from the leaf, through any intermediate CAs, up to a root.
  • If that root certificate is in the Trusted Root Certification Authorities store, chain building succeeds and the certificate is accepted as trustworthy; if it is not, the chain ends at an untrusted root and validation fails.

Preventing security warnings and errors

  • If RootCA.cer is missing from the Trusted Root store, certificates issued by this CA (directly or through an intermediate CA) are not trusted, which produces trust warnings in browsers, email clients, and applications, or outright connection failures in clients that do not allow an override.
  • This is especially important for organizations that use an internal PKI to issue certificates for internal servers and services, because no public root covers those certificates.

Ensuring secure communications

  • Trusting the root CA lets encrypted connections (HTTPS, other TLS-protected protocols, and VPN connections) be established without trust errors. The encryption itself does not depend on the root; authentication of the peer does, so a connection to an untrusted certificate is encrypted but not verified.

Security considerations

  • Obtain RootCA.cer only from a trusted source and confirm its thumbprint (fingerprint) out of band before importing it. A root pushed through Group Policy is trusted by every computer the GPO applies to, so whoever holds the private key of a wrongly imported root can issue certificates for any name and mount man-in-the-middle attacks against those computers.
  • Regularly review the Trusted Root store and the GPO to remove expired or compromised CAs.
Resolution

Export the root certificate from the local machine store:

  1. Open the Microsoft Management Console (Start > Run > mmc.exe).
  2. If the Certificates snap-in is not loaded, click File > Add/Remove Snap-in and add Certificates.
  3. Select Computer account, then click Next.
  4. Select Local computer, then click Finish.
  5. In the left pane, expand Certificates > Trusted Root Certification Authorities > Certificates.
  6. Select the root certificate issued by the third-party CA, then double-click it to open its properties.
  7. Click the Details tab, then click Copy to File to start the Certificate Export Wizard.
  8. In the wizard, choose the following:
    • For the file format, choose DER encoded binary X.509 (.CER).
    • For the file name, choose a path on the local server.
    • If prompted to include all certificates in the certification path, choose No; only the root certificate itself is needed.

Import the exported certificate into the Group Policy Object:

  1. Open the Group Policy Object Editor and select the group policy object that applies to the computers that must trust this CA (for example, the GPO that defines the IP Security policies).
  2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
  3. Right-click Trusted Root Certification Authorities and select Import to open the Certificate Import Wizard.
  4. On the Welcome screen, click Next.
  5. Browse to the .cer file exported in the previous procedure.
  6. Accept the default values on each screen; the destination store should already be Trusted Root Certification Authorities.
  7. Click Finish to complete the wizard.

The root certificate is now in the Trusted Root Certification Authorities container of the GPO. Every computer within the scope of that GPO, including computers that later join the domain and fall within its scope, receives the certificate in its local Trusted Root store at the next Group Policy refresh and can then validate certificate chains that end at this root CA. To confirm delivery on a client, run gpupdate /force and check that the certificate appears under Certificates (Local Computer) > Trusted Root Certification Authorities.
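The following PowerShell is an added example and is not part of the RSA article or of the product. It performs the export half of the procedure from the command line, adds the checks a practitioner would want before publishing a root through Group Policy (the certificate is self-signed, carries Basic Constraints CA=true, and matches a thumbprint obtained out of band, as the security considerations above call for), and provides a check to run on a domain-joined client after the GPO import. The subject string "Example Root CA", the export path C:\Temp\RootCA.cer, and the placeholder thumbprint are assumptions; replace them with your CA's values. The registry location under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates is where Group Policy writes trusted roots on clients.

```powershell
# Added example, not code from the RSA article.
# Assumptions (not stated in the article): the root CA subject contains
# "Example Root CA", the export path is C:\Temp\RootCA.cer, and
# $ExpectedThumbprint is the SHA-1 thumbprint published by the CA operator.
$SubjectMatch       = 'Example Root CA'                      # assumption
$ExportPath         = 'C:\Temp\RootCA.cer'                   # assumption
$ExpectedThumbprint = 'REPLACE-WITH-PUBLISHED-THUMBPRINT'    # assumption, obtained out of band

function Export-RootCACert {
    param(
        [Parameter(Mandatory)] [string] $SubjectMatch,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [Parameter(Mandatory)] [string] $Path
    )

    # Same store the article's steps 3-6 browse: Certificates (Local Computer) > Trusted Root CAs.
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$SubjectMatch*" })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one certificate matching '$SubjectMatch', found $($candidates.Count)."
    }
    $cert = $candidates[0]

    # A root CA certificate is self-signed: subject and issuer are identical.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Certificate $($cert.Thumbprint) is not self-signed, so it is not a root CA certificate."
    }

    # Basic Constraints must assert CA=true, otherwise the certificate cannot anchor a chain.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "Certificate $($cert.Thumbprint) lacks Basic Constraints CA=true."
    }

    # Out-of-band fingerprint check: guards against importing a swapped or look-alike root.
    $expected = $ExpectedThumbprint.ToUpperInvariant().Replace(' ', '').Replace(':', '')
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: store has $($cert.Thumbprint), expected $expected."
    }

    # -Type CERT writes DER encoded binary X.509, the format the wizard step selects.
    # A root certificate holds no private key, so nothing secret leaves the server.
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT -Force | Out-Null
    return $cert.Thumbprint
}

function Test-RootCADelivered {
    # Run on a domain-joined computer after 'gpupdate /force'. Roots delivered by
    # Group Policy are written under the Policies\...\SystemCertificates\Root key
    # and surface in Cert:\LocalMachine\Root, so report both.
    param([Parameter(Mandatory)] [string] $Thumbprint)

    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
    [pscustomobject]@{
        Thumbprint     = $Thumbprint
        InTrustedRoot  = (Test-Path -Path "Cert:\LocalMachine\Root\$Thumbprint")
        DeliveredByGPO = (Test-Path -Path $policyKey)
    }
}

# On the server that holds the third-party root certificate:
#   $thumb = Export-RootCACert -SubjectMatch $SubjectMatch -ExpectedThumbprint $ExpectedThumbprint -Path $ExportPath
# Import $ExportPath into the GPO as described in the Resolution, then on a client:
#   Test-RootCADelivered -Thumbprint $thumb
```

Export-Certificate is in the PKI module shipped with Windows Server 2012 and later. The thumbprint comparison is the step most often skipped in practice; once a root is in the GPO, every computer in its scope trusts whatever that key signs, so the check belongs before the import, not after.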