A required element for using the True SSO feature is a Microsoft Certificate Authority (CA). If you do not already have a certificate authority (CA) set up, you must add the Active Directory Certificate Services (AD CS) role to a Microsoft Windows server and configure the server as an enterprise CA. You can use the Service Manager wizard to do this procedure.

The following are standard steps to set up a Microsoft CA. They are detailed in this topic in a simple form suitable for use in a lab environment, but for a real production system it is recommended that you follow industry best practice for CA configuration.

If you need further guidance about setting up a CA, please check out the standard Microsoft technical references: Active Directory Certificate Services Step-by-Step Guide and Install a Root Certification Authority.

Note: To illustrate the process, the specific steps in this topic are based on using Windows Server 2012 R2. Very similar steps can be followed on other Windows server systems. If you want to install the Enrollment Server on the same system that hosts this CA, please ensure you use one of the Windows server versions that are supported for the Enrollment Server. See First-Gen Horizon Cloud - True SSO - Set up the Enrollment Server.


  1. On the Server Manager Dashboard, click Add Roles and Features to open the wizard, and then and click Next.
  2. On the Select Installation Type page, select Role-based or feature-based installation and click Next.
  3. On the Server Selection page, leave defaults and click Next.
  4. On the Server Roles page:
    1. Select Active Directory Certificate Services.
    2. In the dialog, select Include management tool (if applicable) and click Add Features.
    3. Click Next.
  5. On the Features page, click Next.
  6. On the AD CS page, click Next.
  7. On the Role Services page, select Certification Authority and click Next.
  8. On the Confirmation page, select Restart the destination server automatically is required and click Install.
    Installation Progress displays. When the installation is complete, a URL link displays, allowing you to configure the newly installed CA as “Configure Active Directory Certificate Services” on the destination server.
  9. Click on the configuration link to launch the configuration wizard.
  10. On the Credentials page, enter user credentials from Enterprise Admin group and click Next.
  11. On the Role Services page, select CA and click Next.
  12. On the Setup Type page, select Enterprise CA and click Next.
  13. On the CA Type page, select Root or Subordinate CA as appropriate (in this example it is a Root CA) and click Next.
  14. On the Private Key page, select Create a new private key and click Next.
  15. On the Cryptography page, enter information as follows.
    Field Description
    Cryptographic Provider RSA#Microsoft Software Key Storage Provider
    Key Length 4096 (or another length if you prefer)
    Hash Algorithm SHA256 (or another SHA algorithm if you prefer)
  16. On the CA Name page, configure as preferred or accept defaults and click Next.
  17. On the Validity Period page, configure as preferred and click Next.
  18. On the Certificate Database page, click Next.
  19. On the Confirmation page, review the information and click Configure.
  20. Complete the configuration process by performing the following tasks (run all commands from the command prompt).
    1. Configure CA for non-persistent certificate processing
      certutil –setreg DBFlags 
    2. Configure CA to ignore offline CRL errors
      certutil –setreg ca\CRLFlags 
    3. Restart the CA service
      net stop certsvc
      net start certsvc
  21. Set up a certificate template on the CA by following the steps in Horizon Cloud - True SSO - Set Up a Certificate Template on the CA .