Begin by creating the service account:
Step 1. Add a new Active Directory user, such as SCEP_User.
Step 2. Ensure the user is added to the IIS_IUSRS local group.
Step 3. Install Active Directory Certificate Services.
Step 4. From Server Manager, select Add Role.
Step 5. Select Active Directory Certificate Services.
Step 6. Click Next.
Step 7. Select Certification Authority, Certification Authority Web Enrollment, Online Responder, and Certificate Enrollment Policy Web Service.
Step 8. Click Next.
Step 9. Select Enterprise to use Directory ...