Trusted Chain Pane

Use the Trusted Chain pane to determine which certificates PKI Services Manager uses to verify the authenticity of certificates presented by authenticating parties.

Trust Anchors


Trusted Anchor

Lists your trust anchors.

Click Add to add a certificate to the list. You can add a certificate from your local store or the Windows certificate store. You can also specify a certificate file that's not in any store.



Click Edit to configure certificate-specific settings for revocation or identity mapping. Certificate-specific settings override the global settings configured using the Revocation and Identity Mapper panes.



Use Clone if you have configured certificate-specific settings and you want to add a new certificate that will use all or most of these settings.

Select the certificate and click Clone. This displays the Add Trust Anchor dialog box, which you can use to add the new certificate. From the Add Trust Anchor dialog box, click Properties to view or modify the cloned settings.

Search order to use when building path to trust anchor

certificate search list

Specifies where PKI Services Manager searches for intermediate certificates. Selected locations are searched in order.

Certificate servers

Lists servers from which PKI Services Manager can retrieve intermediate certificates. To add a server to the list, select "Certificate servers" under Search order to use when building path to trust anchor, and click Add. You can specify either an HTTP or an LDAP server.


  • Changes made on this pane are saved to the PKI Services Manager configuration file (pki_config).
  • Changes made on this pane do not take effect until you reload the settings (Server > Reload) or restart the server.
  • PKI Services Manager uses only those certificates that are installed for use by the local computer (not certificates installed for the current user) and are in either the trusted root certification authorities list or the trusted intermediate authorities list. To view and manage the local computer certificates, use the Microsoft Management Console. Add the Certificates Snap-in and configure it to manage certificates for the computer account.
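The store restriction in the last note can be checked from PowerShell. The script below is an added example, not part of the product documentation: it lists the local computer's trusted root and intermediate stores and flags certificates that are visible only in the current user's view, which per the note PKI Services Manager will not use. It relies only on the built-in Cert: drive; the function name Get-StoreCert is a hypothetical helper, and the expiry check is a general hygiene check, not a behaviour described on this page.

```powershell
# Added example (assumption: run on the host where PKI Services Manager is installed).
# Windows store names: Root = Trusted Root Certification Authorities,
#                      CA   = Intermediate Certification Authorities.
$storeNames = 'Root', 'CA'

# Hypothetical helper: return one summary row per certificate in a store.
function Get-StoreCert {
    param(
        [Parameter(Mandatory)][ValidateSet('LocalMachine', 'CurrentUser')][string]$Location,
        [Parameter(Mandatory)][string]$StoreName
    )
    Get-ChildItem -Path "Cert:\$Location\$StoreName" |
        Select-Object @{ n = 'Location'; e = { $Location } },
                      @{ n = 'Store';    e = { $StoreName } },
                      Thumbprint, NotAfter, Subject
}

$machine = @(foreach ($s in $storeNames) { Get-StoreCert -Location LocalMachine -StoreName $s })
$user    = @(foreach ($s in $storeNames) { Get-StoreCert -Location CurrentUser  -StoreName $s })

# The CurrentUser view also shows certificates inherited from the local
# computer store, so anything whose thumbprint is missing from the machine
# list was installed for the user only.
$machineThumbs = @($machine | ForEach-Object { $_.Thumbprint })
$userOnly = @($user | Where-Object { $machineThumbs -notcontains $_.Thumbprint })

# General hygiene check: expired certificates in the machine stores.
$now = Get-Date
$expired = @($machine | Where-Object { $_.NotAfter -lt $now })

Write-Output "Local computer store certificates: $($machine.Count)"
$machine | Sort-Object Store, Subject |
    Format-Table Store, Thumbprint, NotAfter, Subject -AutoSize

Write-Output "Current-user-only certificates (not in the local computer stores): $($userOnly.Count)"
$userOnly | Format-Table Store, Thumbprint, NotAfter, Subject -AutoSize

Write-Output "Expired certificates in the local computer stores: $($expired.Count)"
$expired | Format-Table Store, Thumbprint, NotAfter, Subject -AutoSize
```

A certificate listed in the second table needs to be imported into the local computer store (Certificates Snap-in, computer account) before it can be selected from the Windows certificate store as described above.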