If you do not already have a certificate authority set up, you must add the Active Directory Certificate Services (AD CS) role to a Windows server and configure the server to be an enterprise CA.
Prerequisites
If you have an existing instance of Microsoft Certificate Services, consider whether to set up a sub-CA for True SSO. To understand the changes needed for an existing instance to support True SSO, see the VMware Knowledge Base (KB) article https://kb.vmware.com/s/article/2149312.
If you don’t have an existing instance of Microsoft Certificate Services, consult the Microsoft documentation to decide on the type of deployment to use. To see the Microsoft documentation, search for the string "Server Certificate Deployment Overview" in the Microsoft documentation available at https://docs.microsoft.com.
To deploy a new Root Certificate Authority, search for the string "Install the Certification Authority" in the Microsoft documentation available at https://docs.microsoft.com.
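The following PowerShell is an added example, not taken from the VMware or Microsoft documentation. It adds the AD CS role to a domain-joined Windows server and configures it as an enterprise root CA. The CA common name, key length, hash algorithm and validity period are assumed values to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example. Run on the Windows server that will host the CA, signed in
# with an account that is a member of Enterprise Admins.
# Assumed values (replace with your own): CA common name, key length,
# hash algorithm, validity period.
$caCommonName = 'EXAMPLE-TrueSSO-RootCA'   # hypothetical name

# An enterprise CA stores its configuration in Active Directory, so the
# server must be domain-joined before the role is configured.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$($cs.Name) is not joined to a domain; an enterprise CA cannot be configured."
}

# Add the AD CS Certification Authority role service if it is missing.
$feature = Get-WindowsFeature -Name ADCS-Cert-Authority
if (-not $feature.Installed) {
    Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null
}

# Configure the server as an enterprise root CA.
# A sub-CA under an existing hierarchy would use -CAType EnterpriseSubordinateCa instead.
$params = @{
    CAType              = 'EnterpriseRootCa'
    CACommonName        = $caCommonName
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10
    Force               = $true
}
$result = Install-AdcsCertificationAuthority @params
if ($result.ErrorId -ne 0) {
    throw "CA configuration failed: $($result.ErrorString)"
}

# Confirm the CA service is running and answering requests.
Get-Service -Name CertSvc | Select-Object Name, Status
certutil.exe -ping
```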