If you do not already have a certificate authority set up, you must add the Active Directory Certificate Services (AD CS) role to a Windows server and configure the server to be an enterprise CA.

Prerequisites

If you have an existing instance of Microsoft Certificate Services, consider whether to set up a sub-CA for True SSO. To understand the changes needed for an existing instance to support True SSO, see the VMware Knowledge Base (KB) article https://kb.vmware.com/s/article/2149312.

If you don’t have an existing instance of Microsoft Certificate Services, consult the Microsoft documentation to decide on the type of deployment to use. To see the Microsoft documentation, search for the string "Server Certificate Deployment Overview" in the Microsoft documentation available at https://docs.microsoft.com.

To deploy a new Root Certificate Authority, search for the string "Install the Certification Authority" in the Microsoft documentation available at https://docs.microsoft.com.

Procedure

  1. Open a command prompt and enter the following command to configure the CA for non-persistent certificate processing:
    certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
  2. (Optional) Enter the following command to ignore offline CRL (certificate revocation list) errors on the CA:
    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    Note: This setting is usually required to prevent failure of revocation checking, because the root certificate authority that True SSO uses will typically be offline. However, you can skip this setting if you plan to keep the root certificate authority online.
  3. Enter the following commands to restart the service:
    sc stop certsvc
    sc start certsvc
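The three steps above can be scripted and, more usefully, verified after the service restart. The following PowerShell script is an added example and is not part of the VMware documentation or a VMware-supplied tool. It assumes an elevated PowerShell session on the enterprise CA, uses only the certutil registry values and flag names shown in the procedure, and treats the optional step 2 as a switch because that flag relaxes revocation checking and should only be set when the root CA really is kept offline. The verification relies on the assumption that `certutil -getreg` prints the symbolic names of the flags that are currently set.

```powershell
# Added example (not from the VMware page): apply and verify the True SSO CA
# registry settings from the procedure above, then restart CertSvc.
# Assumes an elevated PowerShell session on the enterprise CA.
# Flag names are the ones on the page; checking for them in the -getreg
# listing assumes certutil prints the symbolic flag names it has set.

[CmdletBinding()]
param(
    # Step 2 is optional on the page; only set it when the root CA is kept offline.
    [switch]$IgnoreOfflineCrl
)

function Test-CertSvcFlag {
    param(
        [Parameter(Mandatory)][string]$RegValue,   # e.g. 'DBFlags' or 'ca\CRLFlags'
        [Parameter(Mandatory)][string]$FlagName
    )
    # certutil -getreg lists the flags currently set on the registry value.
    $listing = & certutil.exe -getreg $RegValue 2>&1 | Out-String
    return [bool]($listing -match [regex]::Escape($FlagName))
}

function Set-CertSvcFlag {
    param(
        [Parameter(Mandatory)][string]$RegValue,
        [Parameter(Mandatory)][string]$FlagName
    )
    if (Test-CertSvcFlag -RegValue $RegValue -FlagName $FlagName) {
        Write-Verbose "$FlagName is already set on $RegValue; nothing to do."
        return
    }
    # Same form as the page's command: certutil -setreg <value> +<flag>
    & certutil.exe -setreg $RegValue "+$FlagName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg $RegValue +$FlagName failed with exit code $LASTEXITCODE"
    }
}

# Step 1: enable non-persistent (volatile) certificate requests.
Set-CertSvcFlag -RegValue 'DBFlags' -FlagName 'DBFLAGS_ENABLEVOLATILEREQUESTS'

# Step 2 (optional): ignore offline CRL errors, only for an offline root CA.
if ($IgnoreOfflineCrl) {
    Set-CertSvcFlag -RegValue 'ca\CRLFlags' -FlagName 'CRLF_REVCHECK_IGNORE_OFFLINE'
}

# Step 3: the service reads these values at start-up, so restart CertSvc
# (equivalent to the page's "sc stop certsvc" / "sc start certsvc").
Restart-Service -Name CertSvc -Force
(Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Verification: re-read both values after the restart and report the state.
$result = [ordered]@{
    VolatileRequests = Test-CertSvcFlag -RegValue 'DBFlags' -FlagName 'DBFLAGS_ENABLEVOLATILEREQUESTS'
    IgnoreOfflineCrl = Test-CertSvcFlag -RegValue 'ca\CRLFlags' -FlagName 'CRLF_REVCHECK_IGNORE_OFFLINE'
    ServiceStatus    = (Get-Service -Name CertSvc).Status
}
[pscustomobject]$result | Format-List
```

Run it as `.\Set-TrueSsoCaFlags.ps1` for step 1 only, or `.\Set-TrueSsoCaFlags.ps1 -IgnoreOfflineCrl` when the root CA is offline. The final listing is the check to keep in your change record: `VolatileRequests` should read `True`, `IgnoreOfflineCrl` should match what you intended, and `ServiceStatus` should be `Running`.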

What to do next

Create a certificate template. See Create Certificate Templates Used with True SSO.