Adding a Certificate to ADFS 3.0 on Windows 2012 R2
/ADFS only allows imports through the GUI in the .PFX format. To get around this, add your certificate to the Machine’s Personal Store before configuring the first server in the farm.
Hit WINKEY+R to get to the Run line.
Run Certlm.msc
Select the Machine Personal, right click and Select All Tasks > Advanced Operations > Custom Request. See our blog entry on correctly formatting a CSR.
In ADFS 3.0 you can support a Workplace Join after 2012 R2 domain controllers are in place. If you are going to support this feature, you need to add a Subject Alternate Name (SAN) to your certificate for ADFS:
enterpriseregistration.YOURDOMAIN.TLD
The name has to be “enterpriseregistration” without quotes. This is a canned name like autodiscover for Exchange.
Click Properties
An Example of the ADFS 3.0 Certificate request settings:
I normally recommend a larger key size than the minimum. The defacto minimum these days (2015) is 2048 bits but this is only due to industry players like Microsoft and Google forcing the issue. Many certificates still rely on 1024 bit keys. Given that the industry will continue to probably move to larger keys as a panacea for insecure protocols, a bigger key may save you from having to replace the certificate before its lifetime expires. What about the CPU overhead of a larger key? Modern systems with 64 bit architecture and multiple cores will be largely unaffected by the minimal increase in CPU overhead. If you are doing this on a machine that would be affected, Windows 2012 R2 probably should not be installed on it anyway.
After you receive the certificate, install it on the server with ADFS 3.0
If you will be creating a second machine in the farm, you can export the certificate via a .PFX file. Make sure to export the private key. The export procedure is the same for ADFS 2.0.