Export the private key portion of a token-signing certificate

Applies To: Windows Server 2003 R2

Every federation server in an Active Directory Federation Services (ADFS) server farm must have access to the private key of the token-signing certificate. If you are implementing a server farm of federation servers that share a single, exportable private key certificate that is issued by an enterprise certification authority (CA), the private key portion of the existing token-signing certificate must be exported to make it available for importing into the certificate store on the new server.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To export the private key of a token-signing certificate

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Right-click Federation Service, and then click Properties.

  3. On the General tab, click View.

  4. In the Certificate dialog box, click the Details tab.

  5. On the Details tab, click Copy to File.

  6. On the Welcome to the Certificate Export Wizard page, click Next.

  7. On the Export Private Key page, select Yes, export the private key, and then click Next.

  8. On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX), and then click Next.

  9. On the Password page, type and confirm the password that is required to share the token-signing certificate. You will need this password when you select the exported token-signing certificate when installing the Federation Service.

  10. On the File to Export page, specify the certificate file, and then click Next.

  11. On the Completing the Certificate Export Wizard page, click Finish.

  12. Validate the success of your export by confirming that the file you specified is created at the specified location.

    Important

    So that this certificate can be imported to the local certificate store on the new server, you must transfer the file to physical media and protect its security during transport to the new server. It is extremely important to guard the security of the private key.

  13. Import the exported certificate into the certificate store on the new server prior to installing the Federation Service. For information about how to import the certificate, see Import a certificate (https://go.microsoft.com/fwlink/?linkid=20040).

See Also

Concepts

Implementing a Server Farm of Federation Servers