I have a 2012 2-tier PKI environment: an offline root CA and 4 Enterprise Issuing CAs. The offline root CA has been published to AD; the enterprise issuing CAs are in AD by virtue of being enterprise CAs. My question is: how did the root cert and the issuing CAs' certs get into the local stores on each machine? Auto-enrolment has not been configured on the computer OUs.
Is there a GPO in the default domain policy, or is there another mechanism that does this? certutil -pulse does a re-enrolment for any pending certs (root and issuing included). What mechanism is this calling, i.e. what protocol is this using?
Thanks