How to Configure SSL Certificates for ADFS 2.0

The single most important step in correctly configuring ADFS (Active Directory Federation Services) is the SSL certificate. This is true whether you are using it for Office 365 or for any other purpose. You should be installing ADFS on a Windows 2008 R2 server, and it should be fully patched. You create the CSR from the server that will be the primary ADFS server in the ADFS server farm. You do not use the IIS certificate manager. The certificate request can be generated via certutil.exe or the Exchange cmdlets, but the GUI (Graphical User Interface) is the simplest approach for many people. Don’t use a self-signed certificate, or you will be cleaning up a mess when you finally move things into production.

VE Industries specializes in single sign on, ADFS, Azure, Office 365 and Active Directory.  We can help you with your ADFS implementation.  Contact us and we are happy to assist you.

Creating the CSR

To generate the CSR (Certificate Signing Request) for ADFS (Active Directory Federation Services), use the Certificates MMC (Microsoft Management Console) snap-in or run certmgr.msc. This opens the certificate store. Right-click the Personal store and select All Tasks, Advanced Operations, Create Custom Request. This starts the wizard. Click Next and then get past the first hurdle: in the Certificate Enrollment Policy screen, click and highlight Proceed without enrollment policy.

Change the Template Option to Legacy Key

The next screen is where the details become important.

Settings for ADFS 2.0 SSL certificates

An ADFS 2.0 SSL certificate has four critical settings.

  1. The DNS name of the ADFS service must be the Subject Name of the certificate and must be given as a common name (CN). For the veindustries.com implementation that is fs.veindustries.com, and the subject name is therefore CN=fs.veindustries.com. You can use a SAN certificate (Subject Alternative Name certificate) if you want to cover other server names as well, but the Subject Name on the certificate becomes the federation service name in ADFS, so don’t mess it up.
  2. The Key Length must be 2048 or higher.
  3. The Private Key must be exportable.
  4. Don’t set the Subject Name to the server’s own hostname.

Configure the certificate via the Properties before clicking Next. Add the subject name and any other server names using the Directory Name type. I usually set the Friendly Name to the DNS name of the cert so it can be tracked easily later. Set Server Authentication and Client Authentication in Enhanced Key Usage. Under Private Key, set the key length to 2048 and mark the key as exportable.

Installing the Cert

After you click OK, you can move on to exporting the request (the CSR) to a file. Submit the CSR to your favorite CA. Once the issued cert is installed, you can continue with the ADFS configuration. Because of a quirk in private key permissions and in how Microsoft handles certificate requests and storage, you may receive an error such as Event ID 133. See http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-federation-service-startup-and-shutdown-problems%28v=ws.10%29.aspx. The ADFS service account needs permission to read the private key, and the private key needs to be in the same store as the certificate. Let us help you!
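As an added check (my own PowerShell, not code from the original post), the script below inspects the certificate installed in the local machine Personal store and reports which of the settings above it fails, including whether the private key can be opened at all. It assumes the service name fs.veindustries.com from the post and should be run elevated on the ADFS server.

```powershell
# Added example, not code from the original post: check an installed ADFS 2.0 SSL
# certificate in LocalMachine\My against the settings above. The service name
# fs.veindustries.com is the post's example; the parameter name is my own.
param([string]$ServiceName = 'fs.veindustries.com')
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Newest certificate whose subject starts with CN=<service name>
$pattern = '^CN=' + [regex]::Escape($ServiceName) + '(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$ServiceName in LocalMachine\My" }

$problems = @()

# 1. Subject CN must be exactly the federation service DNS name
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $ServiceName) { $problems += "Subject CN is '$cn', expected '$ServiceName'" }

# 2. Key length must be 2048 bits or higher
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { $problems += "Key length is $keySize bits, need 2048 or higher" }

# 3. Private key must be stored with the certificate and be exportable
#    (legacy CSP key, matching the Legacy Key template option used in the post).
#    Opening the key throws when the caller lacks read permission on it.
try {
    if (-not $cert.HasPrivateKey) {
        $problems += 'No private key stored with the certificate in LocalMachine\My'
    } elseif ($cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        if (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) { $problems += 'Private key is not exportable' }
    } else {
        $problems += 'Private key is not a legacy CSP key; exportability not checked here'
    }
} catch {
    $problems += "Private key could not be opened ($($_.Exception.Message)); check private key permissions"
}

# 4. Enhanced Key Usage must include Server Authentication and Client Authentication
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$oids = @()
if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
foreach ($required in @($serverAuthOid, $clientAuthOid)) {
    if ($oids -notcontains $required) { $problems += "EKU is missing OID $required" }
}

if ($problems.Count -eq 0) {
    "OK: $($cert.Thumbprint) meets the ADFS 2.0 SSL certificate requirements"
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

Run it once more as the ADFS service account after granting it read access to the private key; a "could not be opened" result under that account is the same condition that produces Event ID 133 at service startup.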