From the server, log in as a CAAdmin domain user.
From Server Manager, click Manage > Add Roles and Feature.
Click Server Roles, select Active Directory Certificate Services and all its features, and then click Next.
From the AD CS Role Services section, select Certification Authority and Certificate Authority Web Enrollment, and then click Next.
Note: Make sure that all the features of Certificate Authority Web Enrollment are added.
From the Web Server Role (IIS) Role Services section, retain the default settings.
After installation, click Configure Active Directory Certificate Services on the destination server.
From the Role Services section, select Certification Authority and Certificate Authority Web Enrollment, and then click Next.
From the Setup Type section, select Enterprise CA, and then click Next.
From the CA Type section, select Subordinate CA, and then click Next.
Select Create a new private key, and then click Next.
From the Select a cryptographer provider menu, select RSA#Microsoft Software Key Storage Provider.
From the Key length menu, select 4096.
In the hash algorithm list, select SHA512, and then click Next.
In the Common name for this CA field, type the host server name.
In the Distinguished name suffix field, type the domain component.
In the Certificate Request dialog box, save the request file, and then click Next.
Do not change anything in the database locations window.
Complete the installation.
Sign the CA request of the root CA, and then export the signed certificate in PKCS7 format.
From the subordinate CA, open Certification Authority.
From the left panel, right‑click the CA, and then click All Tasks > Install CA Certificate.
Select the signed certificate, and then start the CA service.