Trust Chain Configuration

Export ROOT CA from AD CS

# On Windows DC
certutil -ca.cert C:\Certs\HOME-ROOT-CA.cer

# Convert to PEM
certutil -encode C:\Certs\HOME-ROOT-CA.cer C:\Certs\HOME-ROOT-CA.pem

Import to ISE Trust Store

  1. Navigate to Administration > System > Certificates > Trusted Certificates

  2. Click Import

  3. Upload HOME-ROOT-CA.pem

  4. Trust for: Client Authentication

Trust Chain Architecture

Import to Linux Client

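# Copy CA certificate to the home directory, then install it as root
# (/etc/ssl/certs is root-owned, so a direct scp as a normal user fails)
scp home-dc01:C:/Certs/HOME-ROOT-CA.pem ~/
sudo install -m 0644 ~/HOME-ROOT-CA.pem /etc/ssl/certs/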

# Update CA bundle (distribution-specific)
# Arch Linux
sudo trust anchor --store /etc/ssl/certs/HOME-ROOT-CA.pem

# Fedora/RHEL
sudo cp /etc/ssl/certs/HOME-ROOT-CA.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
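
Before the copied HOME-ROOT-CA.pem becomes a trust anchor, it helps to confirm that it is a single, self-signed, unexpired CA certificate and to compare its fingerprint with the copy on the DC. The script below is an added example, not part of the original page; `check_root_ca` is a hypothetical helper name, and the script assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for a root CA
# file before it is installed as a trust anchor.
# check_root_ca is a hypothetical helper name; it only calls the openssl CLI.

check_root_ca() {
    pem="$1"

    # Exactly one certificate: a bundle would add more anchors than intended.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null) || count=0
    [ "$count" = "1" ] ||
        { echo "FAIL: expected one PEM certificate in $pem" >&2; return 1; }
    openssl x509 -in "$pem" -noout 2>/dev/null ||
        { echo "FAIL: $pem does not parse as X.509" >&2; return 1; }

    # A root is self-issued: subject and issuer names are identical.
    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
    iss=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253)
    [ "${subj#*=}" = "${iss#*=}" ] ||
        { echo "FAIL: issuer differs from subject (intermediate or leaf)" >&2; return 1; }

    # The signature must verify under the certificate's own key.
    openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 ||
        { echo "FAIL: self-signature does not verify" >&2; return 1; }

    # basicConstraints must mark the certificate as a CA.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints CA:TRUE missing" >&2; return 1; }

    # Reject a certificate that has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired" >&2; return 1; }

    # Fingerprint for out-of-band comparison with the copy held on the CA server.
    openssl x509 -in "$pem" -noout -fingerprint -sha256
}

# Run against a file when one is given, e.g. ./check_root_ca.sh HOME-ROOT-CA.pem
[ "$#" -eq 0 ] || check_root_ca "$1"
```

Install the anchor only if the function exits 0 and the printed SHA-256 fingerprint matches the one read from the certificate on the DC.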

Verification

# Verify certificate chain
openssl verify -CAfile /etc/ssl/certs/HOME-ROOT-CA.pem \
    /etc/ssl/certs/workstation01.pem

# Expected: workstation01.pem: OK