Hello,
First, I would like to say that I have done some research on this forum and on the Internet overall.
I have an AD forest with ~10 sites all over Europe; DFL and FFL are 2008 R2. Right now we are migrating site by site from the old domain (Samba) to AD.
Recently I deployed a PKI based on an offline root CA and 2 Enterprise CAs acting as a 2-node Failover Cluster.
Everything in my AD forest is OK; I mean, autoenrollment works perfectly for users and computers from my forest.
Now I need to deploy a certificate (for testing) to one web-based PBX server in the Samba domain; there are no trusts etc. The Samba domain and the AD forest are on the same network, with routable subnets in each site, so there is no problem with connectivity.
What are the possible ways to achieve this goal? I mean, to issue a cert to a client from a different forest, so that this client is able to validate it, validate the certificate chain and renew it when needed?
I have installed and configured the CE Web Service and CE Policy Web Service. Now I have configured Enrollment Policies on my virtual machine (which is part of a different domain). I selected username/password authentication, I am able to request a certificate, and I can see all the templates which I should see, but when I try to enroll I get an error:
(translated from my language) A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
My root CA cert is added to Trusted Publishers for the computer and user nodes as well.
What could be wrong? If you have any ideas or questions, please share or ask.
Thank you in advance.