After a root certification authority (CA) has been installed, many organizations will install one or more subordinate CAs to implement policy restrictions on the public key infrastructure (PKI) and to issue certificates to end clients. Using at least one subordinate CA can help protect the root CA from unnecessary exposure.

If a subordinate CA will be used to issue certificates to users or computers with accounts in an Active Directory domain, installing the subordinate CA as an enterprise CA allows you to use the client's existing account data in Active Directory Domain Services (AD DS) to issue and manage certificates and to publish certificates to AD DS.

Membership in local Administrators, or equivalent, is the minimum required to complete this procedure. If this will be an enterprise CA, membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To install a subordinate CA
  1. Open Server Manager, click Add Roles, click Next, and click Active Directory Certificate Services. Click Next two times.

  2. On the Select Role Services page, click Certification Authority, and then click Next.

  3. On the Specify Setup Type page, click Standalone or Enterprise, and then click Next.

    For more information, see Types of Certification Authorities.

    Note

    You must have a network connection to a domain controller in order to install an enterprise CA.

  4. On the Specify CA Type page, click Subordinate CA, and then click Next.

  5. On the Set Up Private Key page, click Create a new private key, and then click Next.

  6. On the Configure Cryptography page, select a cryptographic service provider, key length, and hash algorithm. Click Next.

    For more information, see Cryptographic Options for CAs.

  7. On the Request Certificate page, browse to locate the root CA, or if the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next.

    Note

    The subordinate CA cannot be used until it has been issued a root CA certificate and this certificate has been used to complete the installation of the subordinate CA.

  8. On the Configure CA Name page, create a unique name to identify the CA. Click Next.

    For more information, see Certification Authority Naming.

  9. On the Set Validity Period page, specify the number of years or months that the CA certificate will be valid. Click Next.

  10. On the Configure Certificate Database page, accept the default locations unless you want to specify a custom location for the certificate database and certificate database log. Click Next.

    For more information, see Certificates Database.

  11. On the Confirm Installation Options page, review all of the configuration settings that you have selected. If you want to accept all of these options, click Install and wait until the setup process has finished.