scepman-root.cer, you can publish the SCEPman CA certificate (be it a Root CA or an Intermediate CA) with the following command with an account that has Enterprise Administrator rights:
gpupdate /force, e.g. on the domain controllers.
RequestPasswordwith the secure key/password you generated earlier.
-LogToFileparameter. You can instead redirect the Information, Error, and/or Debug streams into files (e.g.
certlm.mscand navigate to Personal). Even after a
gpupdate /force, no new DC certificate from the Internal PKI should appear in the DC's Personal store.