Installing the subordinate CA server
- From the server, log in as a CAAdmin domain user.
- From Server Manager, click Manage > Add Roles and Features.
- Click Server Roles, select Active Directory Certificate Services and all its features, and then click Next.
- From the AD CS Role Services section, select Certification Authority and Certificate Authority Web Enrollment, and then click Next.
  Note: Make sure that all the features of Certificate Authority Web Enrollment are added.
- From the Web Server Role (IIS) Role Services section, retain the default settings.
- After installation, click Configure Active Directory Certificate Services on the destination server.
- From the Role Services section, select Certification Authority and Certificate Authority Web Enrollment, and then click Next.
- From the Setup Type section, select Enterprise CA, and then click Next.
- From the CA Type section, select Subordinate CA, and then click Next.
- Select Create a new private key, and then click Next.
- From the Select a cryptographic provider menu, select RSA#Microsoft Software Key Storage Provider.
- From the Key length menu, select 4096.
- In the hash algorithm list, select SHA512, and then click Next.
- In the Common name for this CA field, type the host server name.
- In the Distinguished name suffix field, type the domain component.
  Sample CA name configuration
  - Machine Fully Qualified Domain Name (FQDN): test.dev.lexmark.com
  - Common Name (CN): TEST
  - Distinguished name suffix: DC=DEV,DC=LEXMARK,DC=COM
- In the Certificate Request dialog box, save the request file, and then click Next.
- Do not change anything in the database locations window.
- Complete the installation.
- Use the root CA to sign the CA request, and then export the signed certificate in PKCS7 format.
- From the subordinate CA, open Certification Authority.
- From the left panel, right‑click the CA, and then click All Tasks > Install CA Certificate.
- Select the signed certificate, and then start the CA service.
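
The same settings can be applied from an elevated PowerShell session with the ADCSDeployment cmdlets, which keeps the key length, hash, and CA name reviewable in one place. This is an added example, not part of the original procedure; the script name, the `-Phase` switch, and both file paths are assumptions, and the CA name values are the sample values above.

```powershell
# Install-SubCa.ps1 (hypothetical name). Run elevated as the CAAdmin domain user.
#   .\Install-SubCa.ps1 -Phase Request   -> installs the roles and writes the CA request
#   .\Install-SubCa.ps1 -Phase Install   -> installs the root-signed PKCS7 and starts the CA
param(
    [ValidateSet('Request', 'Install')]
    [string]$Phase = 'Request',
    [string]$RequestFile = 'C:\CAConfig\subca.req',   # assumed path
    [string]$SignedChain = 'C:\CAConfig\subca.p7b'    # assumed path
)

if ($Phase -eq 'Request') {
    # Certification Authority + Certificate Authority Web Enrollment role services
    Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

    # Same choices as the wizard: Enterprise CA, Subordinate CA, new 4096-bit key, SHA512
    $ca = @{
        CAType                    = 'EnterpriseSubordinateCa'
        CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'
        KeyLength                 = 4096
        HashAlgorithmName         = 'SHA512'
        CACommonName              = 'TEST'                       # sample value from this page
        CADistinguishedNameSuffix = 'DC=DEV,DC=LEXMARK,DC=COM'   # sample value from this page
        OutputCertRequestFile     = $RequestFile
    }
    # Database locations are left at their defaults (no -DatabaseDirectory / -LogDirectory)
    Install-AdcsCertificationAuthority @ca -Force

    if (-not (Test-Path -Path $RequestFile)) {
        throw "CA request was not written to $RequestFile"
    }
    # Review before handing the request to the root CA: subject, 4096-bit key, SHA512 signature
    certutil -dump $RequestFile
}
else {
    # Equivalent of All Tasks > Install CA Certificate, then starting the CA service
    certutil -installcert $SignedChain
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -installcert failed with exit code $LASTEXITCODE"
    }
    Start-Service -Name CertSvc

    # Web Enrollment is configured here, once the CA is running (ordering chosen for this example)
    Install-AdcsWebEnrollment -Force
    Get-Service -Name CertSvc
}
```

The signing step on the root CA is not scripted here; it happens between the two phases, as in the procedure above.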