If you do not already have a certificate authority set up, you must add the Active Directory Certificate Services (AD CS) role to a Windows server and configure the server to be an enterprise CA.

Prerequisites

If you have an existing instance of Microsoft Certificate Services, consider whether to set up a sub-CA for True SSO. To understand the changes needed for an existing instance to support True SSO, see the VMware Knowledge Base (KB) article https://kb.vmware.com/s/article/2149312.

If you don't have an existing instance of Microsoft Certificate Services, consult the Microsoft documentation to decide on the type of deployment to use. To see the Microsoft documentation, search for the string "Server Certificate Deployment Overview" in the Microsoft documentation available at https://docs.microsoft.com.

To deploy a new Root Certificate Authority, search for the string "Install the Certification Authority" in the Microsoft documentation available at https://docs.microsoft.com.

Procedure

  1. Open an elevated command prompt on the CA and enter the following command to configure the CA for non-persistent (volatile) certificate processing, so that the short-lived certificates issued for True SSO logons are not written to the CA database:
    certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
  2. (Optional) Enter the following command to prevent a service interruption if the root CA CRL is allowed to expire:
    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    Note: This setting may be needed if the root CA that True SSO uses is kept offline, because the issuing CA service checks the revocation status of its own certificate chain when it starts and will not start if the root CA CRL has expired. You can skip this setting if you plan to keep the root CA online, or you have an automatic procedure to keep the root CA CRL up to date. The flag only relaxes that startup check on the CA itself; it does not change how clients validate the certificates the CA issues.
  3. Enter the following commands to restart the service:
    sc stop certsvc
    sc start certsvc
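
The three steps above, carried out from PowerShell with verification of the result. This is an added example, not a script from the VMware page or from Horizon itself; the `-IgnoreOfflineCrl` switch, the `Assert-Admin` helper and the 60-second wait are assumptions made here, while `certutil.exe`, its `DBFlags` and `ca\CRLFlags` registry values and the `CertSvc` service name are the real ones the procedure uses.

```powershell
# Added example (not from the VMware page): apply the True SSO CA settings and verify them.
# Run in an elevated PowerShell session on the enterprise CA.
param(
    # Assumed switch: set only when the root CA that issued this CA's certificate is kept offline.
    [switch]$IgnoreOfflineCrl
)

function Assert-Admin {
    # certutil -setreg writes under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc, so elevation is required.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this script from an elevated session on the CA."
    }
}

function Invoke-CertUtil {
    # Wrapper that turns a non-zero certutil exit code into a terminating error.
    param([string[]]$Arguments)
    & certutil.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

Assert-Admin

# Step 1: do not persist volatile (True SSO) requests in the CA database.
Invoke-CertUtil -Arguments '-setreg', 'DBFlags', '+DBFLAGS_ENABLEVOLATILEREQUESTS'

# Step 2 (optional): let certsvc start even if the root CA CRL is expired or unreachable.
if ($IgnoreOfflineCrl) {
    Invoke-CertUtil -Arguments '-setreg', 'ca\CRLFlags', '+CRLF_REVCHECK_IGNORE_OFFLINE'
}

# Step 3: the flags are read at service start, so restart Active Directory Certificate Services.
Restart-Service -Name CertSvc -Force
(Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Verify: certutil -getreg decodes the flag bits, so the flag names must appear in the output.
$dbFlags = certutil.exe -getreg DBFlags
if ($dbFlags -notmatch 'DBFLAGS_ENABLEVOLATILEREQUESTS') {
    throw "DBFLAGS_ENABLEVOLATILEREQUESTS is not set"
}
if ($IgnoreOfflineCrl) {
    $crlFlags = certutil.exe -getreg ca\CRLFlags
    if ($crlFlags -notmatch 'CRLF_REVCHECK_IGNORE_OFFLINE') {
        throw "CRLF_REVCHECK_IGNORE_OFFLINE is not set"
    }
}
Write-Output "CA configured for True SSO; CertSvc is $((Get-Service -Name CertSvc).Status)."
```

Run it as `.\Set-TrueSsoCa.ps1` for an online root, or `.\Set-TrueSsoCa.ps1 -IgnoreOfflineCrl` when the root CA is offline and its CRL is not refreshed automatically. The `certutil -getreg` checks at the end are the part worth keeping even if you apply the settings by hand: they confirm the flags were written to the correct key before the first True SSO logon depends on them.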

What to do next

Create a certificate template. See Create Certificate Templates Used with True SSO.