
How to create SSL certificate for ADFS 2.0

Posted on 2015-01-14
Last Modified: 2015-02-18
I have just been tasked with setting up a stand-alone ADFS environment. So far, here is what is already in place:

ADFS-01 - set up inside the network. This is going to be the actual federation services server.

ADFS proxy server - set up on the perimeter network.

Both servers are Win2k8 R2.

ADFS 2.0 is installed on both servers.

Here is the problem: when I try to proceed with the ADFS configuration, I am asked to provide an SSL certificate.

There is a domain CA that's being used to issue certs.
Unfortunately, I am not too good with certificate servers, and the CA server was set up prior to my employment here. Basically, I want to create an SSL cert using the CA and use that SSL cert to complete the ADFS setup.
If anyone has a step-by-step guide, please be kind enough to share it with me.

Thanks in advance.
Question by:b3976
3 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 40550866
First, check whether ADFS will be published on the internet.

In that case, do not use a certificate from the internal CA server.
You could go out and purchase a 3rd-party public SSL certificate; you can contact a well-known public CA for that (GoDaddy, Entrust, etc.).

If you are not going to publish ADFS on the internet, then first install the ADFS setup on 2008 R2:
http://www.microsoft.com/en-in/download/details.aspx?id=10909 - ADFS Setup
and
http://support.microsoft.com/kb/2790338 - Rollup update for ADFS 2.0

IIS will get installed along with it, and you can request a certificate from within IIS from your internal CA server:
https://aaronwalrath.wordpress.com/2010/04/16/configure-a-server-certificate-for-iis-7-5/

If you want to request a certificate from a 3rd-party CA:
https://www.digicert.com/csr-creation-microsoft-iis-7.htm

Author Comment

by:b3976
ID: 40551181
Thanks for your response. Yes, it will be published on the internet.
Getting a 3rd-party cert, is that a must?
Why can't I use my internal CA to issue the SSL certs?
Security issue?
LVL 35

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 40551955
For a website with a certificate to work correctly from any workstation, the certificate chain must already exist on that workstation.
A certificate chain is nothing but the root certificate + intermediate certificate(s).
For public SSL certificates, this chain is already installed on all workstations by default with the OS.
As a result, you will not face any issues.

If you use your CA's certificate, its root certificate is not installed on outside/internet machines, and they will show a security warning that the certificate is not trusted. You would then need to provide each of those internet machines with the root cert of your CA server, and the users would need to install it on their computers.
For that reason, a 3rd-party certificate from a public CA is highly recommended.

Check the links below for more information:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa376515(v=vs.85).aspx
http://www.entrust.com/chain-certificates/
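As an added example (not posted by anyone in this thread), here are the two steps the answers above describe, in PowerShell on the ADFS server: a certreq INF that requests a server-authentication certificate for the federation service name, which can be submitted either to the internal enterprise CA or to a public CA, followed by a chain check that shows what a client without the issuing root sees. The host name adfs.example.com, the CA config string, the WebServer template name and the C:\certs paths are placeholders.

```powershell
# Added example; all names and paths below are placeholders.
# 1. Build a CSR for the federation service name. The same .req works for the
#    internal enterprise CA or for a public CA's web portal.
$svc = 'adfs.example.com'   # federation service FQDN, as clients will type it
$inf = @"
[NewRequest]
Subject = "CN=$svc"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE     ; the proxy must present the same cert, so it has to be exportable
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1     ; Server Authentication
[Extensions]
2.5.29.17 = "{text}"        ; Subject Alternative Name
_continue_ = "dns=$svc&"
[RequestAttributes]
CertificateTemplate = WebServer   ; only used by the internal enterprise CA
"@
Set-Content -Path C:\certs\adfs.inf -Value $inf
certreq.exe -new C:\certs\adfs.inf C:\certs\adfs.req

# Internal CA only: submit the request and install the issued certificate.
# For a public CA, upload adfs.req to the vendor instead and -accept what they return.
certreq.exe -submit -config 'CA01.corp.example.com\Corp-Issuing-CA' C:\certs\adfs.req C:\certs\adfs.cer
certreq.exe -accept C:\certs\adfs.cer

# 2. Chain check. Run this on a machine that does NOT have the internal root
#    installed (a non-domain client, or the proxy in the perimeter): a public-CA
#    chain builds, an internal-CA chain fails with UntrustedRoot, which is the
#    warning internet users would see.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\adfs.cer'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust from CRL reachability
if ($chain.Build($cert)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}
```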
