Managing Token-signing Certificates

Applies To: Windows Server 2003 R2

Servers that are running the Federation Service component of Active Directory Federation Services (ADFS) in an account Federation Service require token-signing certificates to sign the security tokens that they produce. You can view and change the current token-signing certificate as needed. You can also manage the certificate revocation list (CRL) to ensure that only valid certificates are in use in the Federation Service.

Task requirements

You need the following to perform the procedures for this task:

  • A Federation Service in an account role

  • A certification authority or the ability to create self-signed certificates

  • The Active Directory Federation Services snap-in

To complete this task, perform the following procedures on an as-needed basis: