Choosing a Certificate for SSL Encryption

Applies To: Windows Server 2008, Windows Server 2008 R2

Federation servers and federation server proxies require the use of server authentication certificates for different reasons.

Federation servers

Federation servers require server authentication certificates so that clients can establish the server's identity because the federation server presents the client with a server authentication certificate that discloses its source. In this way, a client can verify that the data that is transmitted is usable only by the organization that is identified by the certificate.

Federation server proxies

Federation server proxies require server authentication certificates to secure Web server traffic communication with Web clients. Federation server proxies are usually exposed to computers on the Internet that are not included in your enterprise public key infrastructure (PKI). Therefore, when possible use a server authentication certificate that is issued by a public (third-party) certification authority (CA), for example, Verisign.

Additional references

• Understanding the Federation Service Role Service

• Understanding the Federation Service Proxy Role Service

• Understanding Certificates Used by AD FS