HELP!!! ADFS 4.0 setup hurdle that I am unsure how to proceed...pertaining to the SSL certificate requirement...

HELP!!!  I am trying to setup ADFS 4.0 in my environment and have run into a roadblock/hurdle that I am unsure how to proceed...well, sort of have an idea, but need confirmation.

Steps already taken
1)  Extended my AD Schema to Server 2016 via media disc and ADPREP commands on my current Server 2008 R2 PDC.
(NOTE:  Currently my FFL = Server 2003 & DFL = 2008)

2) Built the new Server 2016 - Standard Edition VM's on my redundant Hyper-V managers (Server 2012 R2).
(NOTE:  4 total for this setup (2 for ADFS primary & secondary servers (joined to domain) / 2 for ADFS Web App Proxy Primary and Secondary servers (joined to a workgroup))

3) Purchased a third-party CA SSL cert.

However, this is where I am stuck/stumped...with older ADFS version deployments (i.e. ADFS 2.0), required IIS installation which I could use to run a CSR on the primary ADFS server to create the SSL certificate then install it and export it and import it on the other servers in the ADFS setup, but I believe ADFS 4.0 did away with the IIS installation requirements which would make things more secure...

So, how do you create the CSR to complete the third-party CA SSL certificate for the ADFS 4.0 setup?

I thought about building a separate Windows Server 2016 - Standard Edition VM and install IIS on it for this sole purpose, but seems like a lot of time/effort to do this.  I mean if it is my only option then it is what it is and I will go that route, but wanted to confirm with others if there might be other ways or a better way (i.e. best practices, etc.).

Once I have the SSL certificate then I will proceed forward with installing the ADFS server role on the server VM that will be my primary ADFS server and configure it...then I will do the same with my secondary ADFS server....then proceed to install and configure my ADFS web app proxy servers.

Any help you can provide whether suggestions, recommendations, links, articles, YouTube videos, etc. are greatly, greatly appreciated.

Thanks in advance.
rsnellmanIT ManagerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joseph HornseyPresident and JanitorCommented:
Well, you have a couple of options.

1. You can still use IIS to create the certificate request, etc.
2. You can use OpenSSL - here's a link to my blog... the setup instructions are still the same.  After that, Some good instructions for the certs are here.
rsnellmanIT ManagerAuthor Commented:
OK.  Thanks Joseph.

Well, I already purchased a new SSL certificate for this project.

I have never used OpenSSL.  A while back, I think it was, I heard to stay away from OpenSSL as it presents security risks...not sure how true it was nor did I research the claims.

So, how do I utilize the new SSL certificate from with this ADFS 4.0 project deployment without IIS?

If I can't then I will need to create a Windows Server 2016 - Standard Edition VM running IIS to create the CSR and export it to all the ADFS servers, correct?

rsnellmanIT ManagerAuthor Commented:
Could I use powershell on a Windows Server 2016 - Standard Edition to create the CSR file?

I vaguely recall something about using powershell, possibly in Windows Server 2012 or 2012 R2 and ran across this article...
Create a Certificate Request (CSR) with PowerShell

Just a quick thought I had.
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

rsnellmanIT ManagerAuthor Commented:
OK.  Here is possibly another way to generate the CSR, but not sure how trustworthy (secure) reliable it is.

Has anyone used CSR Generator?

CSR Generator

So, it looks like I have a couple ways, this one or built-in PowerShell.

However, not sure what to set things to support my ADFS 4.0 project.

Any further assistance is greatly appreciated.
Vasil Michev (MVP)Commented:
If you already have the certificate, why do you need a CSR? Just download the full PFX from the issuer's site.

If you are creating a new CSR, you can perform it on *any* server, it does not have to be the AD FS box. Simply export the cert and the private key after you have obtained it.
rsnellmanIT ManagerAuthor Commented:
My I don't have the SSL certificate yet.  I have purchased a Standard SSL from, but need to create the CSR to upload to them to retrieve the actual SSL certificate from them to apply it and export/import to my remaining ADFS servers / ADFS web app proxy servers.

So, I can create the CSR from any server running IIS services via the GUI (IIS Manager)?  Does it need to be the same OS version (i.e. Windows Server 2016 - Standard) as the ADFS 4.0 servers?  Or can it be any server OS version, say my existing ADFS 2.0 IIS services via the GUI?
Vasil Michev (MVP)Commented:
Any server, any OS.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rsnellmanIT ManagerAuthor Commented:
OK.  Great to hear.  Never knew that.

So, once I have the third-party CA SSL certificate files, I apply them to the same server used to create the CSR (Complete the CSR).

Then export the SSL certificate from that would I import the SSL certificate on the ADFS servers that are not running IIS services?

Also, once I have the SSL certificate on the ADFS servers, can I remove it from the server used to create / complete the CSR?  If so, how would I remove it?

Thanks again.
Vasil Michev (MVP)Commented:
IIS is not the only way to import certificates, use the Certificates MMC console or PowerShell or the certutil command-line tool. Yes, you can remove the cert from the other server, just make sure to export the private key!
rsnellmanIT ManagerAuthor Commented:
So, where is the private key kept on an IIS server?

Also, where would I move it to or store the private key once I copied it from the IIS server that generated the CSR?

OK.  Well, I was about to submit my request with GoDaddy and decided to call tech support to ask a quick question which lead me down answering a bunch of questions of why I was creating a CSR from a separate IIS server (Windows Server 2016) that will not be a part of my ADFS 4.0 setup.  He basically told me to generate the CSR from the server that will host the certificate.

Now, I am concerned that I might screw something up, but I started thinking that when I have crated CSR's in the past it was generated on the actual IIS server that will be hosting it.  However, with ADFS 4.0 there is an option to import the SSL during ADFS server role setup/configuration, but doesn't seem to utilize IIS services like ADFS 2.0 (Windows Server 2012) did. So, this is got me second guessing myself now.

So, was this GoDaddy tech on to something or just uninformed?
Vasil Michev (MVP)Commented:
IIS does not issue or store certificates. It simply offers an *interface* to do this. The actual steps are performed via the underlying API, exposed via the certutil tool, PowerShell or the MMC console as mentioned above. There are literally hundreds of articles out there detailing how you can do this outside of IIS. In some cases you can even get the full PFX from the issuer site (but you have to provide the public key, which is generally not considered a good idea).
rsnellmanIT ManagerAuthor Commented:
OK.  So, I can continue with submitting my CSR that I generated from a generic IIS (Windows Server 2016) system to have GoDaddy approve and provide me with my public SSL certificate for my ADFS 4.0 deployment, correct?

Thanks again for all of your help.
rsnellmanIT ManagerAuthor Commented:
OK.  So, I used a test Windows Server 2016 server running IIS route as you recommended.

All is well now.

Thanks again.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.