The best way to do this is to follow official guide to deploy cross-forest certificate enrollment: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff955842(v=ws.10)?redirectedfrom=MSDN
there are no functional changes since it was introduced, so the article applies to current versions on Windows Server.