Managing Certificates Used by Federation Server Proxies

Applies To: Windows Server 2003 R2

Servers that are running the Federation Service Proxy component of Active Directory Federation Services (ADFS) are required to use the following types of certificates:

  • Secure Sockets Layer (SSL) server authentication certificates: Federation server proxies use SSL server authentication certificates to secure Web services traffic for communication with Web clients. Federation server proxies are usually exposed to computers on the Internet that are not included in your enterprise public key infrastructure (PKI). For this reason, you should use a server authentication certificate that is issued by a public (third-party) certification authority (CA) (for example, Verisign). For more information about using SSL certificates, see Configuring Secure Sockets Layer (https://go.microsoft.com/fwlink/?linkid=62785) and Obtaining Server Certificates (https://go.microsoft.com/fwlink/?linkid=62479).

  • SSL client authentication certificates: Each federation server proxy uses a client authentication certificate to authenticate to the Federation Service. Any certificate that has the Client Authentication enhanced key usage (EKU) and that chains to a root CA trusted by the federation server can serve as the client authentication certificate for the federation server proxy. In addition, you must explicitly add the client authentication certificate to the trust policy. Only the federation server proxy stores the private key that is associated with its client authentication certificate; the federation server needs only the public certificate in the trust policy. You can obtain a client authentication certificate by enrolling with an enterprise CA or by creating a self-signed certificate.

    Important

    Do not use a certificate that was issued by your enterprise CA for client authentication of an Active Directory user (especially a domain administrator), because the private key is stored on the federation server proxy. Storing such a private key on the federation server proxy allows an administrator of that proxy, or any attacker who compromises it, to assume the identity that the certificate represents.

    For information about installing client authentication certificates when using Microsoft Certificate Services as your enterprise CA, see "Submit an advanced certificate request via the Web to a Windows Server 2003 CA" (https://go.microsoft.com/fwlink/?linkid=64020). For information about creating self-signed certificates, see Create a self-signed, token-signing certificate.
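    The following PowerShell check is an added example and not part of the original page or of the ADFS product: it audits a certificate in the local machine store against the requirements above (Client Authentication EKU, trusted chain, private key present on the proxy) and flags certificates that look like user logon certificates, which the Important note says never to reuse. It assumes a Windows host with PowerShell; the thumbprint is a placeholder, and the smart-card-logon/UPN heuristic is an assumption of this example.

```powershell
# Added example, not from the original page: audit a candidate client authentication
# certificate for a federation server proxy against the requirements described above.
# Assumes a Windows host with PowerShell; $Thumbprint is a placeholder to replace.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'

function Test-ProxyClientAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
    $smartCardOid  = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon (user logon certs)
    $findings = @()

    # Requirement: Client Authentication EKU (2.5.29.37 is the extendedKeyUsage extension).
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    if ($ekus -notcontains $clientAuthOid) { $findings += 'Missing Client Authentication EKU' }

    # Requirement: the proxy (and only the proxy) holds the private key.
    if (-not $Cert.HasPrivateKey) { $findings += 'No private key in this store' }

    # Requirement: chains to a trusted root CA for the client authentication purpose.
    # The same chain must also validate on the federation server, where the trust policy lives.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "Does not chain to a trusted root ($status)"
    }

    # Caveat from the Important note: a user logon certificate (for example a domain
    # administrator's) must never sit on the proxy. Heuristic (assumption of this example):
    # a Smart Card Logon EKU or a UPN in the subject alternative name marks a user certificate.
    $upn = $Cert.GetNameInfo('UpnName', $false)
    if ($ekus -contains $smartCardOid -or $upn) {
        $findings += 'Looks like a user logon certificate; do not use it on a proxy'
    }

    [pscustomobject]@{
        Subject  = $Cert.Subject
        Suitable = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
Test-ProxyClientAuthCert -Cert $cert | Format-List
```

Run it on the federation server proxy; a certificate reported as Suitable still has to be added explicitly to the trust policy on the federation server.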

Task requirements

You need the following to perform the procedures for this task:

  • Active Directory Federation Services MMC snap-in

The following procedures for managing certificates on federation server proxies are described in this task. Use these procedures on an as-needed basis.

See Also

Concepts

Managing Certificates Used by Federation Servers

Other Resources

Understanding Certificates Used by ADFS