Install the DigiCert trusted root certificate

You must install the DigiCert Global Root certificate on all machines that communicate with CONNECT. Follow the procedure below to import the certificates from Windows Update into the local machine’s Trusted Root Certification Authorities store.

To import the Windows Update certificates

1. On a machine with internet access, sign in as a domain administrator.

2. Create a new temporary directory to store the root certificates file (for example, C:\CertFromWU).

3. Start an elevated PowerShell session.

4. Execute the following command to generate the .sst file:

   certutil.exe -generateSSTFromWU C:\CertFromWU\roots.sst

5. On the machine where you want to install the certificates, sign in as a domain administrator.

6. Create a new temporary directory to store the root certificates file (for example, C:\CertFromWU).

7. Copy the roots.sst file generated in step 4 into the temporary directory on the target machine.

8. Start an elevated PowerShell session.

9. Execute the following commands to import the certificates from the .sst file into the certificate store:

   $sstStore = Get-ChildItem -Path C:\CertFromWU\roots.sst

   $sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

10. Execute the following commands to retrieve the list of DigiCert certificates and verify that the DigiCert Global Root CA root certificate was successfully installed:

    $certs = Get-ChildItem -Path Cert:\LocalMachine\Root

    $digicertCerts = $certs | Where-Object { $_.Issuer -like "*Digicert*" }

    $digicertCerts | ForEach-Object { $_.Subject }