Download and Install Third-Party SSL Certificate for AD FS

[This is preliminary content that is currently being developed, reviewed, and updated for the latest release of Lync Server. As a result, it may be incomplete or out of date. Blank topics are included as placeholders. Please send us your feedback, including what content you hoped to find or would find most useful.]  

Topic Last Modified: 2012-06-12

After the third-party certification authority has issued your certificate and you have downloaded its response file, install it on the AD FS server.

  1. Log on to your AD FS server using the ADFSSvcAcct account.
  2. Click Start.
  3. In the Search box, type Internet Information Services.
  4. In the search results, click Internet Information Services (IIS) Manager.
  5. Click to expand the server you want to update.
  6. Double-click Server Certificates.
  7. Click Complete Certificate Request.
  8. Click the Browse button.
  9. In File name containing the certification authority's response, type the path of the certificate file that the third-party certification authority (your domain registrar) returned, for example c:\.
  10. In the file type list next to the File name field, choose *.* so that the response file is listed regardless of its extension.
  11. Select the name of your certificate, for example:
  12. Click Open.
  13. Type a friendly name for the certificate, for example AD FS Certificate or
  14. Click OK.

After you install the certificate, you must configure it.

  1. Log on to your AD FS server using the ADFSSvcAcct account.
  2. Click Start.
  3. In the Search box, type Internet Information Services.
  4. In the search results, click Internet Information Services (IIS) Manager.
  5. Expand the node for your server.
  6. Expand the Sites folder.
  7. Click Default Web Site.
  8. In the Actions pane, click Bindings.
  9. Click https.
    If there is no binding for https, create a new one.
  10. Click Edit.
  11. Select your certificate in the SSL certificate dialog box.
  12. Choose the IP address on which IIS listens for requests to the AD FS host name (for example, https://sts), or leave the default so that it listens on all unassigned addresses.
  13. Click OK.
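The same installation and binding can be scripted instead of clicked through. The following Windows PowerShell script is an added example and is not part of this topic: it completes the pending request from the CA response, sets the friendly name, creates the https binding if needed, and then verifies that the binding really references the new certificate. It assumes the CA response was saved as C:\adfs-cert.cer, that the federation service FQDN is sts.contoso.com, and that the WebAdministration module of IIS is available; change those values for your environment.

```powershell
# Added example (not from the original topic): complete the CA response and bind it to https.
# Assumed values: response file C:\adfs-cert.cer, federation service FQDN sts.contoso.com.
Import-Module WebAdministration

$caResponse = 'C:\adfs-cert.cer'   # assumed path to the file the CA returned
$fqdn       = 'sts.contoso.com'    # assumed AD FS federation service FQDN

# Equivalent of IIS Manager > Server Certificates > Complete Certificate Request:
# certreq pairs the issued certificate with the pending private key in the machine store.
certreq.exe -accept -machine $caResponse
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Locate the installed certificate and confirm the private key was paired with it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fqdn in LocalMachine\My" }

# Friendly name as shown in IIS Manager (the topic's example is 'AD FS Certificate').
$cert.FriendlyName = 'AD FS Certificate'

# Create the https binding on Default Web Site if there is none (all unassigned addresses, 443).
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}

# Assign the certificate to the binding; remove a stale assignment first because the
# IIS: drive does not overwrite an existing SSL binding silently.
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
$cert | New-Item $sslBinding | Out-Null

# Verify: the thumbprint recorded in the SSL binding must be the certificate just installed.
$bound = Get-Item $sslBinding
if ($bound.Thumbprint -ne $cert.Thumbprint) {
    throw 'The https binding does not reference the newly installed certificate'
}
"Bound $($cert.Subject) ($($cert.Thumbprint)) to https on Default Web Site; expires $($cert.NotAfter)"
```

Run the script in an elevated PowerShell session on the AD FS server. The final thumbprint comparison is the check worth keeping even if you do the rest by hand: an https binding that still points at an old or self-signed certificate is the usual cause of clients failing to trust the federation service after a certificate replacement.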

Export a copy of the third-party SSL certificate, including its private key, so that it can be imported on the Reverse Proxy or AD FS Proxy servers.

  1. Log on to your AD FS server using the Contoso\ADFSSvcAcct account.
  2. Click Start, and then click Run.
  3. Type mmc.exe and press Enter.
  4. Click File, and then click Add/Remove Snap-in.
  5. Select the Certificates snap-in, and then click Add to move it to the list of selected snap-ins.
  6. When prompted to select an account, choose Computer account, then click Next.
  7. Click OK to add the Certificates snap-in to the management console.
  8. From the navigation menu on the left, expand Certificates (Local Computer), then expand Personal, and then expand Certificates.
  9. Select the third-party SSL certificate containing the AD FS FQDN (for example,
  10. From the menu bar, select Action, then click All Tasks, and then click Export.
  11. At the Welcome to the Certificate Export Wizard screen, click Next.
  12. At the Export Private Key screen, choose Yes, export the private key, and then click Next.
  13. At the Export File Format screen, choose Personal Information Exchange - PKCS #12 (.PFX).
    1. Select Include all certificates in the certification path if possible.
    2. Select Export all extended properties.
  14. At the Password screen, enter a strong password to protect the private key (the .pfx file contains the key that identifies your federation service), confirm it, and then click Next.
  15. At the File to Export screen, enter a valid file path and file name (e.g. C:\ADFSCert.pfx), then click Next.
  16. Click Finish to complete the export of the certificate.
  17. Copy the exported certificate (e.g. ADFSCert.pfx) to the Reverse Proxy or AD FS Proxy servers over a protected channel, and delete the .pfx file from every location once it has been imported.
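The export can also be done from Windows PowerShell, which makes it easier to apply the same options every time and to verify the file before it leaves the server. The following script is an added example and is not part of this topic. It assumes Windows Server 2012 or later (the Export-PfxCertificate and Get-PfxData cmdlets of the PKI module), a federation service FQDN of sts.contoso.com and the topic's example output path C:\ADFSCert.pfx; adjust those values for your environment.

```powershell
# Added example (not from the original topic): export the AD FS certificate with its private key
# and certification path to a password-protected PFX, then verify the file before copying it.
# Assumed: Windows Server 2012+ (PKI module), FQDN sts.contoso.com, output C:\ADFSCert.pfx.
Import-Module PKI

$fqdn    = 'sts.contoso.com'   # assumed federation service FQDN
$pfxPath = 'C:\ADFSCert.pfx'   # the topic's example output path

# Same certificate the snap-in steps select: Local Computer > Personal, with a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fqdn in LocalMachine\My" }

# The wizard's "Yes, export the private key" only works if the key was marked exportable
# when the request was created. For CSP (RSA SChannel) keys this can be checked up front;
# for CNG keys PrivateKey is $null and Export-PfxCertificate reports the problem itself.
$csp = $cert.PrivateKey
if ($csp -and -not $csp.CspKeyContainerInfo.Exportable) {
    throw 'The private key is not exportable; the certificate request must be recreated with an exportable key'
}

# Prompt for the password so it is never written into the script or the shell history.
$password = Read-Host -AsSecureString -Prompt 'Password to protect the exported private key'

# -ChainOption BuildChain is the wizard's "Include all certificates in the certification path".
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password `
    -ChainOption BuildChain -Force | Out-Null

# Restrict the file to the exporting account before it leaves this machine.
icacls $pfxPath /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null

# Verify the export: the PFX must contain the selected certificate plus its issuer chain.
$pfx  = Get-PfxData -FilePath $pfxPath -Password $password
$leaf = $pfx.EndEntityCertificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $leaf) { throw 'The PFX does not contain the selected certificate' }
"Exported $($leaf.Subject) with $($pfx.OtherCertificates.Count) issuer certificate(s) to $pfxPath"

# Copy the file to the Reverse Proxy / AD FS Proxy over a protected channel, import it there,
# then delete every copy of the file, including this one:
#   Remove-Item $pfxPath
```

Two details in the script are deliberate. The exportability check runs before the export so that a non-exportable key is discovered now rather than on the proxy, and the ACL is tightened before the file is copied because a .pfx with the federation service's private key is as sensitive as the AD FS server itself.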