SSL certificates are what enable websites to move from HTTP to HTTPS, which is more secure. An SSL certificate is a data file hosted in a website’s origin server. SSL certificates make SSL/TLS encryption possible, and they contain the website’s public key and the website’s identity, along with related information. Since certificates play a vital role in securing communications between federation servers, claim-aware applications, web clients, etc. Therefore, AD FS requires a certificate for Secure Socket Layer (SSL) server authentication on each federation server in your federation server farm. See the following interesting guides on how to import a certificate into the Trusted Root and Personal file certificate store, how to request a certificate signing request in Windows using Microsoft Management Console, and how to export a certificate in PFX format in Windows.
If you are not going to perform the certificate request yourself and you are requested to provide the components needed to create a certificate for you, Please provide the following information as described here
Here are the steps for setting and Configuring AD FS
Install the Federation role on the Server (AD FS)
This will need to replicate to other domain controllers and for safety precautions, DC will have to wait 10 hours from when the key is created to ensure that you are able to answer password-related queries that relate to this key. See this link for more information.
Note: To avoid AD FS from failing to start, you can run this PowerShell command in advance to ensure you meet the 10 hours requirements. The image below shows the service account being used
Step 1 – Request for a certificate to work with AD FS: See the following link for more information.
How to Open Certificate Manager
I use this step in the image below to manage certificates. But I prefer using the alternative method described below in creating certificates. Here I can specify the right snap-in type of users and computers to be managed.
- Click the Start button,
- Type certmgr.msc in the search field, and
- Click the Enter key
Search for run, type certmgr.msc in the open field and press enter. This step will open the local computer certificate management console.
Alternatively, this can be accessed using the MMC
– Click the Start button,
– Type mmc in the search field, and
– Click the Enter key
Or search for run, type mmc in the open field and press enter.
Note: In using the MMC Console, you will have to add the certificate snap-in as shown below.
– Click on file, select add/remove Snap-in
– Select Certificate and click on add
– Select local computer and click on finish
Note: You can also run this on another computer.
– Finally, click on okay.
This will certificate management console. Expand the certificates, you will have access to all folders in the local computer as shown below.
Step 2: In order to create a certificate signing request, follow the steps below.
– Click on Personal, select all tasks, advanced options and Create Custom Request
Click on Next
Select proceed without enrolment.
On the Custom request, leave everything as default.
On the Certificate Information page, expand the details tab as shown below and click on properties.
Enter your desired friendly name and description and click on apply
On the Subject menu, enter the relevant details and click on Apply.
Here: I selected the CN and entered the field
– Under Alternative Name, I entered the same values as the CN as required by ADFS.
– I also entered under DNS the Subject alternate name
– Also entered certauth.domain.de to support authentication on port 443.
– And lastly, I ensured the SAN contained “enterpriseregistration.<upn suffix> for more information, see here
On the Private Key Menu, expand the key option in order to select your desired key size.
When you are done, click on ok and this will display the Certificate Information Window once more
Click on next
– Finally, enter your desired path to store the certificate.
Remember to add the .req to the filename
Click on finish.
– See this guide on how to import the certificate to the Trusted Root and Personal File Certificate Store.
Note: Self-signed certificates are not trusted by default and they can be difficult to maintain. Also, they may use outdated hash and cipher suites that may not be strong. For better security, purchase a certificate signed by a well-known certificate authority.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.