How to Create a Subordinate ADCS CA in EZCA


  1. Registering the application in your tenant
  2. Selecting a Plan
  3. Create First Root CA

Overview - How To Create an External Issuing/Subordinate CA

As you start to modernize your PKI, you might want to move your Root CA to EZCA. However, your migration plan might still have some on-premises CAs for certain workloads. In this page we will go through how you can sign your external CA (for example ADCS (Active Directory Certificate Services) CA) with your EZCA Root.

Getting Started on Creating Your Microsoft CA

This Guide will guide you on how to create an ADCS CA in a lab environment and will be skipping many security steps. For production settings we recommend following PKI best practices and protecting your CA keys with an hsm and setup a CRL Server. Since setting up a Windows CA can cause major security misconfigurations, we recommend sticking with EZCA CAs, or taking a course such as the PKI Solutions courses to ensure a secure setup.

  1. In your Windows Server (Usually it is recommended Certificate Authorities run on isolated Windows server) open the Server Manager and click on Add Roles and Features.
  2. Click Next on the Before You Begin Page.
  3. Select Role-based or feature-based installation and click Next.
  4. Select the server you want to install the CA on and click Next.
  5. Select Active Directory Certificate Services and click Next.
  6. Click Next on the Add Roles and Features Wizard.
  7. Click Next on the Features page.
  8. Click Next on the AD CS page.
  9. Click Next on the Role Services page.
  10. Click Install on the Confirmation page.
  11. Click Close on the Results page.
  12. Open the Server Manager and click on the yellow triangle on the top right corner.
  13. Click on Configure Active Directory Certificate Services on the destination server.
  14. Click Next on the Credentials page.
  15. Select Certification Authority and click Next.
  16. Select Enterprise CA if you are using a domain joined server, or Standalone CA if you are using a workgroup server.
  17. Select Subordinate CA and click Next.
  18. Select Create a new private key and click Next.
  19. Select RSA#Microsoft Software Key Storage Provider (in this step we would prefer for an HSM provider but for this example we are using software keys).
  20. Select 4096 for the Key Character Length.
  21. Select SHA256 for the Hash Algorithm.
  22. Click Next.
  23. Enter a Common Name for your CA. This is the name that will appear in the certificate. For example “My On Premises Issuing CA”.
  24. Click Next.
  25. Select where you want to save the certificate request (this file will be used to sign the certificate in EZCA). ADCS CA Certificate Request
  26. Click Next.
  27. Select where you want to save the certificate database and the certificate database log.
  28. Click Next.
  29. Click Configure.
  30. It should finish with a warning saying that it is missing the certificate ADCS CA Configure Results
  31. Click Close.
  32. Open the File where you saved your certificate request and copy the contents of the file.

How to Sign the ADCS Certificate Request in EZCA

  1. Go to (or your EZCA instance)
  2. Login with an account that is registered as a PKI Admin in EZCA.
  3. Navigate to Certificate Authorities.
  4. Select the Root CA you want to sign the ADCS CA and click “Issuance Requirements”. EZCA View your Azure based Certificate Authorities
  5. On the bottom right, click the “Request External CA Certificate” button. EZCA Request External CA Certificate
  6. Enter a friendly name to this CA so you can recognize it in EZCA.
  7. Set the validity period for this CA.
  8. Paste the contents of the certificate request you copied from the ADCS CA.
  9. On the top right, press the “Create CA” button EZCA Create External Microsoft CA
  10. Now you have created your CA certificate, click on the “Download Certificate” button located on the bottom right of the screen to download the certificate. EZCA Download External ADCS CA Certificate
  11. Go back to your ADCS CA and copy the certificate you downloaded from EZCA into that server.
  12. Search on the start menu for “certification authority” and open the Certificate Authority.
  13. Right click on the name of your CA and select “All Tasks” -> “Install CA Certificate”.
  14. Select the CA Certificate file we just copied. (It might default to PKCS7, file type, ensure .cer is selected). ADCS Install CA Certificate
  15. Press the play button on the top right to start the CA.
  16. Your CA certificate has now been installed, you can now enable your templates and start issuing certificates from your new ADCS CA.