I have a Windows Server 2016 machine on which I have installed the AD CS feature and configured an Enterprise Root CA. But now, I want to create a subordinate CA on this server. I have searched the web, but I found that I must have another AD CS server to create a subordinate CA...
Can someone help me?
Thank you.
PS: I have added an image as an attachment; this is the desired result.
You won't find it, as it's not possible. What is the benefit of having two CAs on the same machine?
The reason to have two separate CAs (a Root CA and a subordinate/issuing CA) is so that the Root CA is isolated from the issuing CA and from the network. Normally, they're isolated physically too, and in high-grade PKIs can be in their own secure room with additional security, such as CCTV etc.
The issuing CA takes most of the risk of being compromised by some form of network attack or operator error. If the worst comes to the worst, the issuing CA can be replaced by having the Root CA sign a new certificate for a new issuing CA. Life then goes on without too much disruption. However, if the Root CA is compromised, it's a much more challenging task to replace all the Root CA certificates installed in all relying parties.
By having the two CAs on the same machine you are defeating the benefit above, for no gain whatsoever. If you don't want two CAs, then simply continue to operate the single Enterprise CA.
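The replacement scenario from the answer above, as an added example that is not part of the original thread: it uses OpenSSL as a stand-in for AD CS to show that a relying party holding only the root certificate keeps working when the issuing CA is replaced, but not when the root is replaced. All names (Demo Root CA, host1.example.test, the file names) are constructed, and the keys are throwaway keys in a temporary directory.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway keys in a temp dir; all names below are made up.
set -eu
cd "$(mktemp -d)"

cat > ca.ext <<'EOF'
[root]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[sub]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
[leaf]
basicConstraints=CA:FALSE
EOF

# csr NAME CN: new private key plus certificate request
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }

# selfsign NAME: self-signed root certificate (the trust anchor)
selfsign() { openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -extfile ca.ext -extensions root -out "$1.crt" 2>/dev/null; }

# sign NAME ISSUER SECTION: ISSUER signs NAME's request with the given extensions
sign() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -days 30 -extfile ca.ext -extensions "$3" -out "$1.crt" 2>/dev/null; }

# trusted ANCHOR ISSUING LEAF: relying party holds only ANCHOR.crt in its trust store
trusted() { openssl verify -CAfile "$1.crt" -untrusted "$2.crt" "$3.crt" >/dev/null 2>&1; }

# Two-tier PKI: root signs the issuing CA, issuing CA signs end-entity certificates.
csr root "Demo Root CA";          selfsign root
csr issuing1 "Demo Issuing CA 1"; sign issuing1 root sub
csr leaf1 "host1.example.test";   sign leaf1 issuing1 leaf

# Issuing CA replaced: the same root signs a new issuing CA. root.crt is untouched.
csr issuing2 "Demo Issuing CA 2"; sign issuing2 root sub
csr leaf2 "host2.example.test";   sign leaf2 issuing2 leaf

# Root replaced: a new trust anchor that relying parties do not have yet.
csr root2 "Demo Root CA 2";       selfsign root2
csr issuing3 "Demo Issuing CA 3"; sign issuing3 root2 sub
csr leaf3 "host3.example.test";   sign leaf3 issuing3 leaf

report() { if trusted "$1" "$2" "$3"; then echo "$3 via $2: trusted"; else echo "$3 via $2: NOT trusted"; fi; }
report root issuing1 leaf1   # original chain
report root issuing2 leaf2   # new issuing CA, old trust store still works
report root issuing3 leaf3   # new root, old trust store rejects it
```

The first chain still verifies after the replacement because nothing here revokes the old issuing CA certificate; publishing that revocation from the root is a separate step not shown.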