Managing Certificates Used by Federation Servers

Applies To: Windows Server 2003 R2

Servers that are running the Federation Service component of Active Directory Federation Services (ADFS) are required to use the following types of certificates:

  • Secure Sockets Layer (SSL) server authentication certificates: Federation servers use SSL server authentication certificates to secure Web services traffic for communication with Web clients and federation server proxies. If you use a standalone certification authority (CA) specifically for your ADFS deployment, you need to manually request, download, and install SSL certificates. These certificates are requested and installed through the Internet Information Services (IIS) snap-in. For more information about using SSL certificates, see Configuring Secure Sockets Layer (https://go.microsoft.com/fwlink/?LinkId=62785) and Obtaining Server Certificates (https://go.microsoft.com/fwlink/?linkid=62479).

  • Token-signing certificates: Each federation server uses a token-signing certificate to digitally sign all security tokens that it produces. A token-signing certificate can be any certificate that has a digital signature key usage (KU), such as a server authentication certificate or code-signing certificate. Enhanced key usage (EKU) is not required for token-signing certificates. For best results, use a certificate other than the SSL server authentication certificate that you installed on the federation server. Token-signing certificates are installed differently, depending on the server farm method, as follows:

    • For the first server in the Federation Service, a token-signing certificate must be requested and installed. You can obtain a token-signing certificate from an enterprise CA or a public CA (for example, Verisign), or you can create a self-signed certificate. For information about installing token-signing certificates when using Microsoft Certificate Services as your enterprise CA, see Submit an advanced certificate request via the Web to a Windows Server 2003 CA (https://go.microsoft.com/fwlink/?linkid=64020). For information about installing a token-signing certificate from a public CA, contact your public CA. For information about creating self-signed certificates, see Create a self-signed, token-signing certificate.

    • For additional federation servers within a single server farm, you can reuse the same token-signing certificate by sharing its private key, or you can create a unique certificate for each server. When multiple certificates are used, each server in that farm signs tokens with a unique private key. However, you must configure each server with the public keys from all servers in that farm by adding public keys for all certificates to the trust policy as verification certificates.

  • Verification certificates: Verification certificates are the public key portion of the token-signing certificates of federation servers, and are used to ensure that the security token was issued by a trusted federation server and that it was not modified. Each federation server requires a verification certificate for every token-signing certificate that should be accepted when presented to that federation server, including its own token-signing certificate. In a federated scenario, verification certificates are also associated with each account partner to verify tokens that claim to be issued by that partner’s federation server(s). In farmed scenarios where each federation server uses a different token-signing certificate, there must be a verification certificate that corresponds to each of those servers. If all token-signing certificates that are issued to a set of federation servers are issued by the same CA, you can use the exported public key of that CA certificate for the verification certificate in the trust policy and for use by partners.
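The relationship between token-signing certificates and verification certificates described above (the key-usage rule, the farm rule that every server's trust policy must hold the public key of every signing certificate including its own, and the option of trusting the issuing CA's certificate instead) can be exercised in code. The following Go program is an added example written for this page; it is not ADFS code and does not use any ADFS API. The types signer and trustPolicy, the helper newSigner, and the JSON-style sample token are all constructed for illustration; ADFS itself issues SAML tokens, and the signature scheme here (RSA PKCS#1 v1.5 over SHA-256) is only a stand-in for the XML signature ADFS uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signer models one federation server (or a CA): a certificate plus the
// private key behind it. Hypothetical type, not an ADFS API.
type signer struct {
	cert *x509.Certificate
	key  *rsa.PrivateKey
}

// trustPolicy models the verification-certificate list of one federation
// server: the public halves of every token-signing certificate it accepts.
type trustPolicy struct {
	verification []*x509.Certificate
}

// newSigner issues a certificate with the given key usage. parent == nil
// yields a self-signed certificate; a parent whose key usage includes
// Certificate Signing acts as the issuing CA. (Assumed helper.)
func newSigner(name string, ku x509.KeyUsage, parent *signer) (*signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              ku,
		BasicConstraintsValid: true,
		IsCA:                  ku&x509.KeyUsageCertSign != 0,
	}
	parentCert, parentKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signer{cert: cert, key: key}, nil
}

// usableForTokenSigning applies the rule from the text: the certificate
// needs the Digital Signature key usage; no EKU is required.
func usableForTokenSigning(c *x509.Certificate) bool {
	return c.KeyUsage&x509.KeyUsageDigitalSignature != 0
}

// signToken is what a federation server does with its token-signing key:
// sign a SHA-256 digest of the serialized token.
func (s *signer) signToken(token []byte) ([]byte, error) {
	digest := sha256.Sum256(token)
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
}

// verifyToken tries every verification certificate in the policy and
// returns the subject of the one whose public key validates the signature.
// A token signed by a farm member whose certificate is missing from the
// policy, or a token modified after signing, is rejected.
func (tp *trustPolicy) verifyToken(token, sig []byte) (string, error) {
	digest := sha256.Sum256(token)
	for _, c := range tp.verification {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok || !usableForTokenSigning(c) {
			continue
		}
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return c.Subject.CommonName, nil
		}
	}
	return "", errors.New("token not signed by any trusted token-signing certificate")
}

// verifyViaCA covers the last case in the text: the policy holds the CA's
// certificate, and a signing certificate presented with the token is
// accepted only if that CA issued it.
func verifyViaCA(ca, presented *x509.Certificate, token, sig []byte) (string, error) {
	if err := presented.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("signing certificate not issued by the trusted CA: %w", err)
	}
	tp := &trustPolicy{verification: []*x509.Certificate{presented}}
	return tp.verifyToken(token, sig)
}

func main() {
	// Constructed sample token; real ADFS tokens are SAML assertions.
	token := []byte(`{"issuer":"fs1.example.test","subject":"alice"}`)
	fs1, _ := newSigner("fs1.example.test", x509.KeyUsageDigitalSignature, nil)
	fs2, _ := newSigner("fs2.example.test", x509.KeyUsageDigitalSignature, nil)
	// Two-server farm with unique signing keys: each policy lists both.
	policy := &trustPolicy{verification: []*x509.Certificate{fs1.cert, fs2.cert}}
	sig, _ := fs2.signToken(token)
	who, err := policy.verifyToken(token, sig)
	fmt.Println("signed by:", who, "err:", err)
	// Policy missing fs2's verification certificate: fs2's tokens fail.
	partial := &trustPolicy{verification: []*x509.Certificate{fs1.cert}}
	_, err = partial.verifyToken(token, sig)
	fmt.Println("rejected without fs2 verification cert:", err != nil)
}
```

The partial policy in main is the misconfiguration the farm rule warns about: a server that trusts only its own token-signing certificate rejects valid tokens issued by its peers. verifyViaCA shows the alternative trust anchor; note that it still requires the presented certificate to carry the Digital Signature key usage, because verifyToken skips certificates that lack it.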

The following tasks for managing certificates on federation servers are described in this objective.

See Also

Concepts

Managing Certificates Used by Federation Server Proxies

Other Resources

Understanding Certificates Used by ADFS
Public Key Infrastructure for Windows Server 2003
Public Key Infrastructure
Certificate Services Technical Reference