Export the private key portion of a server authentication certificate

Applies To: Windows Server 2003 R2

Every federation server in an Active Directory Federation Services (ADFS) server farm must have access to the private key of the server authentication certificate. If you are implementing a server farm of federation servers or ADFS-enabled Web servers, you must have a single authentication certificate. This certificate must be issued by an enterprise certification authority (CA), and it must have an exportable private key. The private key of the server authentication certificate must be exportable so that it can be made available to all of the servers in the farm.

To export the private key of a server authentication certificate

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, double-click ComputerName, double-click Web Sites, right-click Default Web Site, and then click Properties.

  3. On the Directory Security tab, click View Certificate, click the Details tab, and then click Copy to File.

  4. On the Welcome to the Certificate Export Wizard page, click Next.

  5. On the Export Private Key page, select Yes, export the private key, and then click Next.

  6. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), and then click Next.

  7. On the Password page, type and confirm the password that is required to share the server authentication certificate. You will need this password when you import the exported server authentication certificate into the certificate store of the new federation server.

  8. On the File to Export page, specify the certificate file, and then click Next.

  9. On the Completing the Certificate Export Wizard page, click Finish.

  10. Validate the success of your export by confirming that the file you specified is created at the specified location.

    Important

    So that this certificate can be imported to the local certificate store on the new server, you must transfer the file to physical media and protect its security during transport to the new server. It is extremely important to guard the security of the private key. If this key is compromised, the security of your entire ADFS deployment (including resources within the organization and resource partner organizations) is compromised.

  11. Import the exported server authentication certificate into the certificate store on the new server before you install the Federation Service. For information about how to import the certificate, see Import a certificate (https://go.microsoft.com/fwlink/?linkid=20040).
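The same export, validation and import can be scripted. The following PowerShell is an added example and is not part of the original page; it drives certutil.exe (shipped with Windows) and the .NET X509Certificate2 class rather than the wizard. The thumbprint, file path and store name are placeholders or assumptions you must replace, and the -hashfile switch is assumed to be present on the installed certutil build (older builds may lack it).

```powershell
# Added example (not from the original page): scripted equivalent of the
# Certificate Export Wizard steps above, plus the validation and import steps.
# Placeholders/assumptions: $Thumbprint, $PfxPath and the "My" store name
# (Local Computer\Personal, where IIS keeps the site certificate).

function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    # certutil needs the password as plain text; keep it in memory only briefly.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Export-FarmCertificate {
    # Steps 5-9: export the certificate AND its private key to a password-protected PFX.
    param(
        [string]$Thumbprint,                        # SHA-1 thumbprint from the Details tab
        [string]$PfxPath,                           # destination, ideally on removable media
        [System.Security.SecureString]$Password
    )
    $plain = ConvertTo-PlainText $Password
    & certutil.exe -p $plain -exportPFX My $Thumbprint $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed (exit code $LASTEXITCODE)" }
}

function Test-FarmPfx {
    # Step 10: confirm the file exists, opens with the password, carries the private
    # key, is the intended certificate, and is usable for server authentication.
    param([string]$PfxPath, [string]$Thumbprint, [System.Security.SecureString]$Password)
    if (-not (Test-Path $PfxPath)) { throw "Export failed: $PfxPath was not created" }
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $PfxPath, $Password
    if ($cert.Thumbprint -ne $Thumbprint) { throw "PFX holds a different certificate: $($cert.Thumbprint)" }
    if (-not $cert.HasPrivateKey) { throw "PFX has no private key; 'Yes, export the private key' was not selected" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
    # Enhanced Key Usage (OID 2.5.29.37) must list Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $serverAuth) { throw "Certificate lacks the Server Authentication EKU" }
    # Record a file hash so the copy can be checked for tampering after transport
    # (assumption: this certutil build supports -hashfile; the hash is the second output line).
    $hash = (& certutil.exe -hashfile $PfxPath SHA256)[1]
    Write-Host "OK: $($cert.Subject), private key present, valid until $($cert.NotAfter)"
    Write-Host "Transport check: SHA256 $hash"
}

function Import-FarmCertificate {
    # Step 11, run on the new federation server before installing the Federation Service.
    param([string]$PfxPath, [System.Security.SecureString]$Password)
    $plain = ConvertTo-PlainText $Password
    & certutil.exe -p $plain -importPFX My $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed (exit code $LASTEXITCODE)" }
    # The key now lives in the local certificate store; remove the portable copy.
    Remove-Item -Path $PfxPath -Force
}

# Usage on the source server (values are placeholders):
#   $pw    = Read-Host -AsSecureString "PFX password"     # not echoed or kept in history
#   $thumb = "<THUMBPRINT-OF-SERVER-AUTH-CERT>"
#   Export-FarmCertificate -Thumbprint $thumb -PfxPath 'E:\fs-auth.pfx' -Password $pw
#   Test-FarmPfx -PfxPath 'E:\fs-auth.pfx' -Thumbprint $thumb -Password $pw
# On each new federation server, after verifying the hash matches:
#   Import-FarmCertificate -PfxPath 'E:\fs-auth.pfx' -Password $pw
```

Test-FarmPfx is the part worth keeping even if you export through the wizard: a PFX that opens but reports HasPrivateKey as false is the most common result of skipping step 5, and the recorded hash lets the receiving administrator confirm the file on the physical media is the one that left the source server.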