tech_documents:windows_sub_ca

https://www.virtuallyboring.com/setup-microsoft-active-directory-certificate-services-ad-cs/

doc_1_how_to_setup_microsoft_active_directory_certificate_services_ad_cs_-_virtuallyboring.pdf

To do this properly:

Note: as written, this makes the Windows server a subordinate CA whose certificate is valid for 20 years. Windows does not ask for a validity period when the CA is subordinate; the signing CA (Dogtag) decides it, so verify the validity period on the issued certificate before installing it.

1.) You'll need to first create a root certificate authority, which is kept offline when not in use. Follow the guide on "Dogtag 10 on CentOS".

2.) Follow "Doc 1 How to setup Microsoft..." with a few changes, and do this on a member server, not a domain controller. Use a 4096-bit key length and the SHA512 hash, and make it a subordinate CA, not a root (page 17 of the PDF); choosing subordinate removes the prompt for the validity period shown on page 21, because the issuing CA decides the validity. Generate the request, then open the Dogtag web UI at https://ip.add.res:8443/, click "Enter", then "Certificate Authority", then "SSL End Users Services", then "Manual Certificate Manager Signing Certificate Enrollment". Paste your certificate request into the PKCS#10 box, enter your info and submit.

Now go to https://ip.add.res:8443/ca/agent/ca/ then "List Requests" and "Find". Open the pending request and approve it; make a note of the request # since it is needed to retrieve the certificate. (Optionally change the "Signing Algorithm" in box 9 from SHA256withRSA to SHA512withRSA before approving.)

Go to https://ip.add.res:8443/ca/ee/ca/ then "Retrieval", enter the request # and Submit. Click on the issued certificate, scroll down and copy the block below "Base 64 encoded certificate with CA certificate chain in pkcs7 format" -> on the Windows server, create a new text document, paste the block into it and save the file with a .p7b extension (the PKCS#7 format Windows expects; ".pb7" is a typo and will not be recognised). Start the Certification Authority service and it will prompt for the certificate; browse to the file you just created (the same can be done from an elevated prompt with "certutil -installcert file.p7b"). It might then complain that it cannot contact the CRL server, usually as CRYPT_E_REVOCATION_OFFLINE (0x80092013), because Windows checks the new CA certificate against the CRL distribution point in the Dogtag-issued certificate before the service will start.


To download the certificate revocation list go to: https://ip.add.res:8443/ca/ee/ca/DisplayCRL.html then "Download the latest CRL in binary form". Copy this file to C:\windows\system32\certsrv\certenroll\ then import it via an elevated command prompt by typing "certutil -addstore root crlname.crl". The Dogtag root certificate must also be in the server's Trusted Root Certification Authorities store, otherwise the subordinate certificate cannot chain regardless of the CRL.

If you get stuck on the CRL issue you can disable the check in Windows to buy time for troubleshooting (note the ca\ registry key path, which is easy to miss): certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE then restart certsvc.
Then to turn it back on: certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE then restart certsvc again. While the flag is set the CA starts even though it cannot tell whether its own certificate chain has been revoked, so do not leave it on once the CRL problem is solved.

Then try starting the service again; it should now start without the CRL complaint.
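The Windows-side steps above as one PowerShell sequence, added here as an example (it is not from the page or from either linked guide). It is run from an elevated prompt on the member server, in order, with the Dogtag web UI steps (submit, approve, retrieve, download the CRL) done by hand between the marked steps. The CA name, file paths and CRL file name are assumptions; the certutil switches and the Install-AdcsCertificationAuthority parameters are the real ones.

```powershell
# Added example, not from the page or its linked guides. Run elevated on the member server.
# Assumed values, adjust to taste:
$CAName   = 'Example Issuing CA'      # assumption: CN of the subordinate CA
$ReqFile  = 'C:\PKI\subca.req'        # assumption: PKCS#10 request written by Windows
$CertFile = 'C:\PKI\subca.p7b'        # assumption: Dogtag's PKCS#7 block, saved with a .p7b extension
$CrlFile  = 'C:\PKI\MasterCRL.crl'    # assumption: binary CRL downloaded from DisplayCRL.html

# --- Step 1: role install and subordinate CA creation (4096-bit RSA key, SHA-512) ---
# A subordinate CA is not asked for a validity period: the signing CA (Dogtag) decides it.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName $CAName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA512 `
    -OutputCertRequestFile $ReqFile -Force
Get-Content $ReqFile    # paste this into Dogtag's PKCS#10 box, then approve and retrieve it

# --- Step 2: inspect the issued certificate before installing it ---
# Checks the validity period the note warns about (20 years) and whether box 9 was changed to
# SHA512withRSA. X509Certificate2Collection.Import() reads PKCS#7 bundles directly.
function Get-IssuedCaCertInfo {
    param([string]$Path, [string]$CommonName)
    $col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $col.Import($Path)
    $cert = $col | Where-Object { $_.Subject -like "CN=$CommonName*" } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$CommonName in $Path" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    [pscustomobject]@{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        NotBefore = $cert.NotBefore
        NotAfter  = $cert.NotAfter
        Years     = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
        SigAlg    = $cert.SignatureAlgorithm.FriendlyName   # sha512RSA expected if box 9 was changed
        KeyBits   = $rsa.KeySize                            # 4096 expected
    }
}
$info = Get-IssuedCaCertInfo -Path $CertFile -CommonName $CAName
$info | Format-List
if ($info.SigAlg -notmatch 'sha512') { Write-Warning "Issued with $($info.SigAlg), not SHA-512" }
if ($info.Years -gt 20)              { Write-Warning "Validity is $($info.Years) years; check the Dogtag profile" }

# --- Step 3: make the Dogtag CRL available locally, then install the CA certificate ---
# Importing the CRL first avoids the "revocation server offline" failure during installation.
Copy-Item $CrlFile 'C:\Windows\System32\certsrv\CertEnroll\'
certutil -addstore root $CrlFile
certutil -installcert $CertFile     # same as browsing to the file when certsvc prompts
Start-Service certsvc

# --- Step 4: confirm the installed CA certificate chains and its revocation status resolves ---
certutil -ca.cert 'C:\PKI\subca-installed.cer'
certutil -verify -urlfetch 'C:\PKI\subca-installed.cer'

# --- Troubleshooting only: toggle CRLF_REVCHECK_IGNORE_OFFLINE (note the ca\ key path) ---
function Set-CaRevCheckIgnoreOffline {
    param([switch]$Enable)
    $op = if ($Enable) { '+' } else { '-' }
    certutil -setreg ca\CRLFlags "${op}CRLF_REVCHECK_IGNORE_OFFLINE"
    Restart-Service certsvc        # the flag is read at service start
    certutil -getreg ca\CRLFlags   # confirm the current flag set
}
# Set-CaRevCheckIgnoreOffline -Enable   # while troubleshooting the CRL
# Set-CaRevCheckIgnoreOffline           # turn revocation checking back on afterwards
```

Step 4 is the check worth keeping: "certutil -verify -urlfetch" fetches the CRL from the distribution point inside the certificate, so it fails the same way the service would if the Dogtag CRL URL is unreachable from the server, and it tells you whether the workaround flag can safely be removed.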


Note: if moving the subordinate CA from one Windows server to another this page might help... not tested yet though: https://social.technet.microsoft.com/wiki/contents/articles/21076.upgrading-the-pki-from-windows-server-2008-r2-to-windows-server-2012-different-host-name.aspx

Note: to backup and restore a CA on Windows server, untested... : https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/ca-backup-and-restore-windows-powershell-cmdlets
  • tech_documents/windows_sub_ca.txt
  • Last modified: 2020/09/28 17:47
  • by dwadmin