Setting up AD FS with SSL cert

Hi All

We need to set up an AD FS solution to connect to a 3rd party we use for email archiving to allow SSO.

We have a 2008 domain where one of the DCs is also a root CA, which I have been told we must use :(

I am struggling to understand how we create the certificate. I followed a guide to copy a Web Server template and gave it a unique name in Certificate Services on our CA.

Next I think I need to get a certificate on the server we are installing AD FS on. The guide said to import it as a user certificate, but when I tried that the template was unavailable. Does this need to be a computer certificate?

After we have configured this, I guess we then need to export our root certificate and provide it to the 3rd party so they trust our cert. How do I do that?

Any help will be gratefully received

Thanks
Asked by ncomper

Mahesh (Architect) commented:
You need to go to the root CA console, and from there you can export the root CA certificate without the private key, which can be imported later.

Check the URLs below:
http://pic.dhe.ibm.com/infocenter/rdirserv/v5r1m0/index.jsp?topic=%2Fcom.ibm.rational.rds.administering.doc%2Ftopics%2Ft_Exporting_certificate_Active_Directory_server.html

http://support.microsoft.com/kb/555252

The certificate Common Name (Issued To) should resolve to your ADFS service FQDN, not a domain controller.

Mahesh
Mahesh (Architect) commented:
You require a Server Authentication (X.509) SSL certificate; user certificates are not required.
First you need to decide whether you require a public SSL certificate or an internal CA SSL certificate.

If you are publishing your ADFS server on the internet, then it is recommended to have a public SSL certificate.
You can use an SSL certificate from an internal CA server, but in that case your root CA certificate must be installed on all client computers and servers that are going to access your ADFS server. Hence it is not recommended.

The certificate Common Name must be set to your ADFS service name FQDN,
for example: adfs.domain.com

You can use the IIS console to generate an SSL certificate request for your internal CA or for an external public CA.
You can navigate to Server Certificates in the IIS console to follow the certificate request wizard.
In the wizard there is an option to generate the certificate from an internal online CA, or to generate a new certificate request (.req) file and get the certificate from an external public CA.

Alternatively, if you have an enterprise root CA, it has certificate templates; you need to duplicate the existing Web Server template and provide Read and Enroll permissions to the ADFS server account on that template so that you can request the SSL certificate from the internal CA.

http://msmvps.com/blogs/acefekay/archive/2012/02/21/iis-7-amp-iis-7-5-how-to-create-an-ssl-certificate-request.aspx
http://www.youtube.com/watch?v=I8gLSt4O8nI

Mahesh
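The two steps discussed above (exporting the root CA certificate without its private key for the third party, and checking that the AD FS certificate is a machine certificate with the right Common Name and Server Authentication EKU) as an added PowerShell example. This is not code from the thread; `adfs.domain.com` and `Contoso Root CA` are placeholders, and it assumes the root CA certificate is already in the Trusted Root store and the AD FS certificate is in the local machine's Personal store.

```powershell
# Added example, not from the thread. Placeholders: adfs.domain.com, Contoso Root CA.
$AdfsFqdn   = 'adfs.domain.com'     # AD FS service name (subject CN), not a DC name
$RootCaName = 'Contoso Root CA'     # CN of the internal root CA (placeholder)
$OutDir     = 'C:\Temp'

# 1. Export the root CA certificate WITHOUT its private key as a DER .cer file.
#    Only the public certificate leaves the CA; this is what the 3rd party imports.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$RootCaName*" } | Select-Object -First 1
if (-not $root) { throw "Root CA certificate '$RootCaName' not found in Trusted Root store" }
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("$OutDir\rootca.cer", $der)
"Exported root CA: $($root.Subject) (thumbprint $($root.Thumbprint))"

# 2. Validate the certificate AD FS will use: it must live in the MACHINE store
#    (not the user store), have a private key, carry CN=<service FQDN>,
#    include the Server Authentication EKU and chain to the exported root.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$adfs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$AdfsFqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $adfs) {
    throw "No certificate with CN=$AdfsFqdn and a private key in LocalMachine\My (a user certificate will not work)"
}
$eku = $adfs.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # EKU extension
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
    throw 'Certificate lacks the Server Authentication EKU; re-issue it from the Web Server template'
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($adfs)) {
    throw "Chain build failed: $(($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; ')"
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) { throw 'AD FS certificate does not chain to the exported root CA' }
"AD FS certificate OK: $($adfs.Subject), expires $($adfs.NotAfter)"

# 3. The CN must resolve to the AD FS server itself, not to a domain controller.
$ips = [System.Net.Dns]::GetHostAddresses($AdfsFqdn) | ForEach-Object { $_.IPAddressToString }
"$AdfsFqdn resolves to: $($ips -join ', ') (check this is the AD FS server, not a DC)"
```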
 
ncomper (Author) commented:
Hi Mahesh

Thanks for your reply

The provider stated they will accept our internal cert, so I will need to export our root CA's cert. How do I do that?

Also, in regards to the FQDN for the cert, do I need to ensure that this resolves to the IP of our AD FS server or a domain controller?

Thanks
ncomper (Author) commented:
Excellent, thanks for your help.