Checklist: Configuring certificates for a federation server

Applies To: Windows Server 2003 R2

This checklist includes the deployment tasks for configuring certificates on a federation server running Windows Server 2003 R2, Enterprise Edition.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist: Configuring certificates for a federation server

[ ] Before you install the Federation Service component on a computer that will become a federation server, read about the importance of obtaining and (for federation server farms) sharing a server authentication certificate and token-signing certificate across all the servers in the farm.

    Reference (conceptual topic): Certificate requirements for federation servers

[ ] (Optional) As an alternative to obtaining a server authentication certificate from a certification authority (CA), you can use the SelfSSL.exe tool to acquire a sample certificate for your federation server.

    Because the SelfSSL tool generates a self-signed certificate that does not originate from a commonly trusted source, use the SelfSSL tool only in the following scenarios:

      • When you have to create a Secure Sockets Layer (SSL) channel between your server and a limited, known group of users

      • When you have to troubleshoot third-party certificate problems

    Caution: It is not a security best practice to deploy a federation server in a production environment using a self-signed server authentication certificate.

    Reference (conceptual topic): Internet Information Services (IIS) 6.0 Resource Kit Tools (https://go.microsoft.com/fwlink/?LinkId=36285)

[ ] (Optional) As an alternative to obtaining a token-signing certificate from a CA, you can use the Windows Components Wizard (during the installation of the Federation Service component) to create a self-signed token-signing certificate automatically, or you can use the MakeCert.exe tool to acquire this certificate for your federation server.

    The MakeCert tool generates X.509 root certificates. It is typically used for testing purposes.

    Caution: It is not a security best practice to deploy a federation server in a production environment using a self-signed token-signing certificate.

    Reference (procedure topic): Create a self-signed, token-signing certificate

[ ] (Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing token-signing certificate (on the first federation server in the farm) and then import it into the personal store of the local federation server computer.

    Exporting the private key is not required when your issued token-signing certificate can be reused by multiple computers (without the need to export) or when you will obtain unique token-signing certificates for each federation server in the farm.

    Reference (procedure topic): Export the private key portion of a token-signing certificate (https://go.microsoft.com/fwlink/?LinkId=75068)

    Reference (procedure topic): Import a certificate (https://go.microsoft.com/fwlink/?linkid=20040)

[ ] (Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing server authentication certificate (on the first federation server in the farm) so that the certificate is available in a file format that the other federation servers can import when they must use the same certificate.

    Exporting the private key is not required when your issued server authentication certificate can be reused by multiple computers (without the need to export) or when you will be obtaining unique server authentication certificates for each federation server in the farm.

    Reference (procedure topic): Export the private key portion of a server authentication certificate
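The cautions and export tasks above come down to two properties an administrator can verify before a certificate goes to production: whether it is self-signed, and whether its private key can be exported for sharing across a farm. The following PowerShell check is an added example, not part of this checklist or the ADFS documentation; it assumes Windows PowerShell 2.0 or later with the Cert: drive, that the certificates sit in the LocalMachine\My (Personal) store the import tasks use, and that Test-FederationCertificate and the thumbprint placeholders are hypothetical names you supply.

```powershell
# Added audit example (hypothetical function name; not from the ADFS documentation).
# Assumes Windows PowerShell 2.0+ with the Cert: drive and certificates installed in
# the LocalMachine\My store. Run it elevated: reading a machine private key needs admin rights.
function Test-FederationCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint,        # token-signing or server authentication certificate
        [switch]$RequireExportable  # set when the certificate must be shared across a farm
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        return New-Object PSObject -Property @{
            Thumbprint = $Thumbprint; Found = $false; Findings = @('not in LocalMachine\My')
        }
    }

    $findings = @()

    # SelfSSL, MakeCert and wizard-generated certificates are self-signed: Issuer equals Subject.
    # Acceptable in a lab; the checklist cautions against them in production.
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'self-signed (Issuer equals Subject)' }

    if (-not $cert.HasPrivateKey) { $findings += 'no private key in this store' }

    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "expires $($cert.NotAfter)" }

    # Farm members need the same private key, so it must be marked exportable.
    # CspKeyContainerInfo is available for CAPI (RSACryptoServiceProvider) keys, which is
    # what the Windows Server 2003 tooling produces; anything else is reported as unknown.
    if ($RequireExportable -and $cert.HasPrivateKey) {
        try {
            if (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
                $findings += 'private key is not exportable; it cannot be shared across the farm'
            }
        } catch {
            $findings += 'could not determine whether the private key is exportable'
        }
    }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; Found = $true; Findings = $findings
    }
}

# Example calls; replace the placeholders with thumbprints from the Certificates snap-in.
Test-FederationCertificate -Thumbprint '<token-signing-thumbprint>' -RequireExportable
Test-FederationCertificate -Thumbprint '<server-authentication-thumbprint>'
```

An empty Findings list means the certificate is CA-issued, has a private key, is not close to expiry and (when requested) can be exported for the farm.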

[ ] After you obtain a server authentication certificate (or its private key), import the certificate file to the default Web site for each federation server.

    Reference (procedure topic): Import a server authentication certificate to the default Web site

[ ] Go back to the main federation server checklist, and proceed to the next task (Install the Federation Service component of ADFS).

    Reference (checklist topic): Checklist: Installing a federation server