Hello there,
By installing the Certification Authority role service of Active Directory Certificate Services (AD CS), you can configure your Windows server to act as a CA.
It would be best to determine how many CAs you will install and in what configuration before installing any CA.
These instructions are applicable to a Microsoft Certification Authority deployed on Windows Server.
Certification Authority Guidance https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831574(v=ws.11)
Constraints: what they are and how they’re used https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/constraints-what-they-are-and-how-they-amp-8217-re-used/ba-p/1129048
---------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer–