![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the server, log in as a CAAdmin domain user.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From Server Manager, click Manage > Add Roles and Feature.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Click Server Roles, select Active Directory Certificate Services and all its features, and then click Next.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the AD CS Role Services section, select Certification Authority and Certificate Authority Web Enrollment, and then click Next.
Note: Make sure that all the features of Certificate Authority Web Enrollment are added.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the Web Server Role (IIS) Role Services section, retain the default settings.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
After installation, click Configure Active Directory Certificate Services on the destination server.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the Role Services section, select Certification Authority and Certificate Authority Web Enrollment, and then click Next.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the Setup Type section, select Enterprise CA, and then click Next.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the CA Type section, select Subordinate CA, and then click Next.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Select Create a new private key, and then click Next.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the Select a cryptographer provider menu, select RSA#Microsoft Software Key Storage Provider.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the Key length menu, select 4096.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
In the hash algorithm list, select SHA512, and then click Next.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
In the Common name for this CA field, type the host server name.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
In the Distinguished name suffix field, type the domain component.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
In the Certificate Request dialog box, save the request file, and then click Next.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Do not change anything in the database locations window.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Complete the installation.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Sign the CA request of the root CA, and then export the signed certificate in PKCS7 format.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the subordinate CA, open Certification Authority.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the left panel, right‑click the CA, and then click All Tasks > Install CA Certificate.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Select the signed certificate, and then start the CA service.