Create Certificates for AD FS

[This is preliminary content that is currently being developed, reviewed, and updated for the latest release of Lync Server. As a result, it may be incomplete or out of date. Blank topics are included as placeholders. Please send us your feedback, including what content you hoped to find or would find most useful.]  

Certificates are an integral part of deploying AD FS with Office 365 identity federation. After Active Directory Federation Services is installed, you will need to request a certificate and then install and assign it.

We suggest that you obtain a separate certificate with the name of your AD FS endpoint (sts.contoso.com) from a trusted third-party SSL provider. Additionally, if your organization uses wildcard certificates (*.contoso.com), review your third-party SSL provider's documentation on creating and exporting wildcard certificates before proceeding with this document.

After you have created your certificate, you will need to assign it by following the steps in Download and Install Third-Party SSL Certificate for AD FS.

Request an AD FS certificate

Important

The subject name (CN) or subject alternative name (SAN) of your certificate must contain an FQDN that matches the URL that will point your users to AD FS. For example, sts.contoso.com will route your users to https://sts.contoso.com/adfs/ls. It is very important that the subject name (CN) or subject alternative name (SAN) contains an entry matching the FQDN of the AD FS web site for Office 365. If the value does not match, users will be prompted with a certificate warning. This may result in the AD FS web service not being available to external users, who will receive an internal server error 500 when trying to access the AD FS server. The FQDN of the AD FS server should not be the last element of the SAN; otherwise, users will get an internal server error 500 when trying to connect to the AD FS server.

To request an AD FS certificate

  1. Log on to your AD FS server using the service account created, for example: Contoso\ADFSSvcAcct.

  2. Click Start.

  3. In the search dialog box type Internet Information Server.

  4. Click Internet Information Server (IIS) Manager in the search results.

  5. Click to expand your server.

  6. Double-click Server Certificates.

  7. Under the Actions choices, click Create Certificate Request.

  8. In the Request Certificate dialog box populate the following fields:

    • Common name: sts.yourcompany.com
    • Organization: Your organization’s name
    • Organizational Unit: Value you may designate
    • City/locality: location of your organization
    • State/province: State/province of your organization
    • Country/region: Country/region of your organization
  9. Click Next.

  10. Select Microsoft RSA SChannel Cryptographic Provider (default).

  11. For bit length, choose 2048, then click Next.

  12. In the Specify a File Name for the Certificate Request window, type C:\adfscertificaterequest.txt (you may select a different folder or filename), and then click Finish.

Create a Third-party SSL Certificate Request

If this is the first time that your organization has obtained a third-party SSL certificate, consider either a UCC or a wildcard certificate if you plan on needing multiple certificates under the same domain name.

Note

You may skip this step if you already have multiple-domain Unified Communications Certificates (UCC) or wildcard certificates from your third-party SSL certificate provider.

If you plan to use your existing Reverse Proxy to handle external Federation Services requests, you should exercise caution when deciding whether to purchase a Unified Communications Certificate (UCC) or a wildcard certificate. For example, if your existing Reverse Proxy uses a single SSL listener and IP address to handle all inbound external requests for Lync Server 2013 Preview, you must use a Unified Communications Certificate (UCC) and not a wildcard certificate. Lync Server 2013 Preview only supports wildcard values if they appear in the Subject Alternative Name (SAN) of a certificate. To create a third-party certificate, see your certificate provider's documentation.

Request a certificate with specific hostnames in the SAN using Microsoft Public CA

To request a certificate with specific hostnames in the SAN using Microsoft Public CA

  1. Log on to a computer that can connect to the Microsoft Public CA website http://ssladmin/ssladmin, and connect to the site.

  2. If your site (e.g. lyncmci.com) is not authorized yet, click Site Authorization, click New Request, enter your domain name, and then submit your request.

    Wait for all approvals to process.

  3. Once your domain is approved, create the request for a certificate by doing the following:

    1. On the same computer, create the following INF file, and populate the CN and SAN fields based on your topology. You must use the same computer for all of the following steps, otherwise there will be no private key showing for your certificate.

      ==(start of the INF file)==
      [NewRequest]
      Subject = "CN=sip.lyncmci.com, OU=Lync, O=Microsoft, L=Redmond, S=WA, C=US" ; must be the FQDN of the web server
      ;EncipherOnly = FALSE
      Exportable = TRUE ; FALSE = Private key is not exportable
      KeyLength = 2048 ; Common key sizes: 512, 1024, 2048, 
      ; 4096, 8192, 16384
      KeySpec = 1 ; Key Exchange
      KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
      MachineKeySet = True
      ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
      ProviderType = 12
      RequestType = CMC ; Omit entire section if CA is Enterprise
      
      [EnhancedKeyUsageExtension]
      OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
      
      [RequestAttributes]
      SAN="DNS=sip.lyncmci.com&DNS=sts.lyncmci.com&DNS=meet.lyncmci.com&DNS=join.lyncmci.com&DNS=webpool1.lyncmci.com&DNS=webpool2.lyncmci.com&DNS=webpool14.lyncmci.com&DNS=cwa.lyncmci.com&DNS=lwa.lyncmci.com&DNS=ap14.lyncmci.com&DNS=dp14.lyncmci.com&DNS=mr14.lyncmci.com&DNS=ap.lyncmci.com&DNS=dp.lyncmci.com&DNS=mr.lyncmci.com&DNS=lyncmci.com"
      ==(end of the INF file)==
      
    2. Save the file as certLync.inf.

    3. Create the certificate request file by opening a Command Prompt as an Administrator on the same computer, and then run the following command:

      Certreq -new certLync.inf certLync.txt
      

      The certificate request is the text file certLync.txt created by this command. Leave the Command Prompt open.

  4. On the same computer, go to the ssladmin web site, request a certificate in manual mode, and then paste the text content of the certificate request into the box provided. Set the Key length to 2048 bits, and then submit the request.

    When prompted to download the generated certificate there will be 3 available formats. Select DER, and then save the certificate on the same computer used to create the request. Save it with a .cer file name extension, for example, certLync.cer.

  5. Return to the open Command Prompt and run the following command:

    Certreq -accept certLync.cer
    
  6. The certificate should be installed in the Computer Account's personal store. To verify, open the MMC with the Certificates snap-in, and verify that the certificate is in the store with the private key, indicated by a key icon on the certificate.
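The following PowerShell is an added example, not part of the original document: it checks a certreq INF such as certLync.inf above against the CN/SAN rules in the Important note (AD FS FQDN present in CN or SAN, and not the last SAN entry, 2048-bit key), and then looks in the computer's personal store for the installed certificate and whether it carries a private key. The function names and the sample path are assumptions.

```powershell
# Added example (not from the original document). Assumes the INF layout used above:
# a Subject line under [NewRequest] and a SAN= line under [RequestAttributes].
function Test-AdfsCertRequest {
    param(
        [Parameter(Mandatory)][string]$InfPath,   # e.g. C:\certLync.inf (assumed path)
        [Parameter(Mandatory)][string]$AdfsFqdn   # e.g. sts.lyncmci.com
    )
    # Strip ';' comments so trailing remarks do not pollute parsed values
    $clean = Get-Content -Path $InfPath | ForEach-Object { ($_ -split ';', 2)[0].Trim() }

    $subject = ($clean | Where-Object { $_ -match '^Subject\s*=' } | Select-Object -First 1) -replace '^Subject\s*=\s*"?|"$', ''
    $cn = $null
    if ($subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }

    $sanLine  = $clean | Where-Object { $_ -match '^SAN\s*=' } | Select-Object -First 1
    $sanValue = $sanLine -replace '^SAN\s*=\s*"?|"$', ''
    # SAN="DNS=a&DNS=b&..." -> ordered list of DNS names
    $dnsNames = @($sanValue -split '&' | ForEach-Object { ($_ -split '=', 2)[1] } | Where-Object { $_ })

    $problems = @()
    if ($cn -ne $AdfsFqdn -and $dnsNames -notcontains $AdfsFqdn) {
        $problems += "AD FS FQDN '$AdfsFqdn' is neither the CN ('$cn') nor in the SAN list."
    }
    if ($dnsNames.Count -gt 0 -and $dnsNames[-1] -eq $AdfsFqdn) {
        $problems += "AD FS FQDN '$AdfsFqdn' is the last SAN entry; move it earlier in the list."
    }
    $keyLine = $clean | Where-Object { $_ -match '^KeyLength\s*=' } | Select-Object -First 1
    if ($keyLine -and ($keyLine -match '=\s*(\d+)')) {
        if ([int]$Matches[1] -lt 2048) { $problems += "KeyLength $($Matches[1]) is below 2048." }
    }
    [pscustomobject]@{ CN = $cn; SanCount = $dnsNames.Count; Problems = $problems; IsValid = ($problems.Count -eq 0) }
}

# Step 6 check: find the certificate in the computer's personal store and show
# whether the private key is present (HasPrivateKey = True means the key icon will show).
function Test-AdfsInstalledCert {
    param([Parameter(Mandatory)][string]$AdfsFqdn)
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Subject -match ('CN=' + [regex]::Escape($AdfsFqdn)) -or
        ($_.DnsNameList.Unicode -contains $AdfsFqdn)
    } | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
}

# Usage (assumed path): the INF shown above passes for sts.lyncmci.com because it is in
# the SAN and lyncmci.com, not the AD FS FQDN, is the last entry.
Test-AdfsCertRequest -InfPath 'C:\certLync.inf' -AdfsFqdn 'sts.lyncmci.com'
Test-AdfsInstalledCert -AdfsFqdn 'sts.lyncmci.com'
```

Run the installed-certificate check on the same computer used for Certreq -accept; a result with HasPrivateKey False is the symptom of running the request and accept steps on different machines.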