From Server Manager, click Manage > Add Roles and Feature.
Click Server Roles, select Active Directory Certificate Services and all its features, and then click Next.
From the AD CS Role Services section, select Certification Authority, and then click Next > Install.
After installation, click Configure Active Directory Certificate Services on the destination server.
From the Role Services section, select Certification Authority > Next.
From the Setup Type section, select Standalone CA, and then click Next.
From the CA Type section, select Root CA, and then click Next.
Select Create a new private key, and then click Next.
From the Select a cryptographer provider menu, select RSA#Microsoft Software Key Storage Provider.
From the Key length menu, select 4096.
In the hash algorithm list, select SHA512, and then click Next.
In the Common name for this CA field, type the hosting server name.
In the Distinguished name suffix field, type the domain component.
Click Next.
Specify the validity period, and then click Next.
Note: Generally, the validity period is 10 years.
Do not change anything in the database locations window.
Complete the installation.