On the server where you want to install the Certificate Authority role, open PowerShell (as Administrator) and run:
Get-WindowsFeature | Out-GridView -PassThru | Add-WindowsFeature -Verbose
*Did you know:
You can highlight specific text to execute, then press F8. This will execute only the highlighted text.
You can place the cursor anywhere on any line, press F8, and the entire line will be executed.
Your results should look similar to below.
Verify that the features appear as below:
Get-WindowsFeature | Where Name -Like *adcs*
You will be prompted to configure the Certificate Services.
Open Certification Authority from Server Manager.
Test the web enrollment site…
Find the Computer template, right click it and select Duplicate Template.
(I borrowed a few of these screenshots and text from BILLY YORK. Saved me a bit of copy/paste.)
In the Properties of New Template, on the Compatibility tab, make sure Show resulting changes is checked, Certification Authority is Windows Server 2003 and Certificate Recipient is Windows XP/Server 2003.
Under the General tab, give the Template a Name and set the Validity period to something appropriate for your use.
On the Request Handling tab, make sure Purpose is set to Signature and encryption and check Allow private keys to be exported.
On the Cryptography tab check Microsoft Enhanced Cryptographic Provider 1.0 and Microsoft RSA SChannel Cryptographic Provider.
On the Authentication tab, give Authenticated Users the Enroll permission.
On the Extensions tab, under Application Policies make sure Client Authentication and Server Authentication are there.
On Key Usage make sure Digital Signature is checked.
On the Subject Name tab, select Supply in the request.
Click Apply and OK to save the template.
Next, right click on the Certificate Template and select New -> Certificate Template to Issue.
Then select our newly created SCOM Client Cert.
The template now appears in the web enrollment dropdown list.
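
The template built above combines Supply in the request, Client Authentication and Enroll for Authenticated Users, which means any authenticated account can choose the subject of an authentication certificate, so it is worth knowing which templates carry that combination. The script below is an added example, not part of the original walkthrough: Test-TemplateRisk and Get-TemplateFromAD are hypothetical names, the list of "broad" groups is an assumption, and the live query assumes the RSAT ActiveDirectory module.

```powershell
# Added example; function names are hypothetical. Bit values/OIDs per Microsoft's MS-CRTD.
$SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: "Supply in the request"
$PEND_ALL         = 0x2   # msPKI-Enrollment-Flag: CA manager approval required
$EXPORTABLE_KEY   = 0x10  # msPKI-Private-Key-Flag: private key exportable
$CLIENT_AUTH_EKU  = '1.3.6.1.5.5.7.3.2'
$ENROLL_RIGHT     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Enroll extended right
$BROAD = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'  # assumed list

function Test-TemplateRisk {
    param([Parameter(Mandatory)] $Template)
    $findings = @()
    $subject = [bool]($Template.'msPKI-Certificate-Name-Flag' -band $SUPPLIES_SUBJECT)
    $clientAuth = $Template.pKIExtendedKeyUsage -contains $CLIENT_AUTH_EKU
    $noApproval = -not ($Template.'msPKI-Enrollment-Flag' -band $PEND_ALL) -and
                  ([int]$Template.'msPKI-RA-Signature' -eq 0)
    $broad = @($Template.Enrollers | Where-Object { ($_ -split '\\')[-1] -in $BROAD })
    if ($subject -and $clientAuth -and $noApproval -and $broad) {
        $findings += "Requester-chosen subject with Client Authentication; Enroll: $($broad -join ', ')"
    }
    if ($Template.'msPKI-Private-Key-Flag' -band $EXPORTABLE_KEY) {
        $findings += 'Private key marked exportable'
    }
    [pscustomobject]@{ Name = $Template.Name; Findings = $findings }
}

# Reads templates from AD (needs the RSAT ActiveDirectory module). Only explicit
# Enroll ACEs are listed; Full Control also permits enrollment and is not covered.
function Get-TemplateFromAD {
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    $props = 'nTSecurityDescriptor', 'pKIExtendedKeyUsage', 'msPKI-Certificate-Name-Flag',
             'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'msPKI-Private-Key-Flag'
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
        ForEach-Object {
            $aces = $_.nTSecurityDescriptor.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $ENROLL_RIGHT }
            $_ | Select-Object (@('Name') + $props[1..5] +
                @{ n = 'Enrollers'; e = { @($aces.IdentityReference.Value) } })
        }
}

# Constructed sample mirroring the template settings above; runs without a domain.
$sample = [pscustomobject]@{
    Name = 'SCOM Client Cert (constructed)'; Enrollers = @('NT AUTHORITY\Authenticated Users')
    'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0; 'msPKI-RA-Signature' = 0
    'msPKI-Private-Key-Flag' = 0x10; pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')
}
Test-TemplateRisk $sample | Format-List
# Live forest: Get-TemplateFromAD | ForEach-Object { Test-TemplateRisk $_ } | Where-Object Findings
```

Restricting Enroll to a dedicated group for the SCOM servers, or requiring CA manager approval on the Issuance Requirements tab, clears the first finding while keeping Supply in the request.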