Create Token-Signing and Token-Decrypting Certificates for ADFS 2.0

If the AutoCertificateRollover feature of ADFS 2.0 is enabled (it is on by default), there is no need to replace the Token-Signing and Token-Decrypting certificates manually. AutoCertificateRollover creates new self-signed certificates and sets them as the primary token certificates once the configured time threshold is reached.

Some Relying Parties cannot consume the Federation Metadata automatically, so it may make sense to deploy the certificates manually. To maintain the certificates manually, the AutoCertificateRollover property must be turned off:

  1. Launch PowerShell on the Federation Server
  2. Run the following commands:

Add-PSSnapin Microsoft.Adfs.Powershell

Get-ADFSProperties

  3. The value of AutoCertificateRollover will show True (default value) or False
  4. Set the value to False to maintain the certificates manually:

Set-ADFSProperties -AutoCertificateRollover $False


Create Certificates (Option 1)


  1. Open Internet Information Services Manager
  2. Click on Server
  3. Double-click Server Certificates
  4. Under Actions Create Self-Signed Certificate…

Create Certificates (Option 2)


Use the Makecert.exe utility. Makecert.exe is available in the Microsoft .NET Framework 2.0 Software Development Kit (SDK) (x86) (http://go.microsoft.com/fwlink/?LinkId=79548). The two commands below create the signing and decrypting certificates in the Local Computer Personal store and write the public certificate to a .cer file:

makecert -r -n "CN=ADFS Token Signing Certificate" -pe -len 2048 -b 08/31/2012 -e 08/31/2015 -eku 1.3.6.1.5.5.7.3.3 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "ADFSTokenSigningCert.cer" -a sha1

makecert -r -n "CN=ADFS Token Decrypting Certificate" -pe -len 2048 -b 08/31/2012 -e 08/31/2015 -eku 1.3.6.1.5.5.7.3.3 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "ADFSTokenDecryptingCert.cer" -a sha1

With this option you can choose the validity period yourself (a certificate created with Option 1 is valid for only one year). The switches used above:

-r      creates a self-signed certificate
-n      specifies the subject's certificate name
-pe     marks the private key as exportable
-len    specifies the generated key length, in bits (must be at least 2048)
-b      specifies the start of the validity period
-e      specifies the end of the validity period
-eku    sets the enhanced key usage to Code Signing (not necessary)
-ss     specifies the subject's certificate store name that stores the output certificate
-sr     specifies the subject's certificate store location
-sky    specifies the subject's key type (exchange is used for key encryption and key exchange)
-sp     specifies the subject's CryptoAPI provider name
-sy     specifies the subject's CryptoAPI provider type
-a      specifies the signature algorithm (sha256 is only supported by .NET 4.0)


Add certificates to ADFS


  1. Open ADFS 2.0 Management Console
  2. Expand Service and click on Certificates
  3. Under Actions click on Add Token-Signing Certificate… or Add Token-Decrypting Certificate…
  4. Select the appropriate certificate
  5. Acknowledge the warning message

If ADFS runs under a dedicated service account, that account additionally needs Read access to the private keys of the new certificates, which is granted via the Certificate Management Console:

  1. Open the Certificate Management Console (Local Computer)
  2. Expand Personal and select Certificates
  3. Right-click the appropriate certificate, select All Tasks, and select Manage Private Keys
  4. Add Read access for the ADFS 2.0 Service Account and click OK


Set the new certificate as Primary


  1. Open ADFS 2.0 Management Console
  2. Expand Service and click on Certificates
  3. Right-click the added certificate and click Set as Primary
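The add and set-as-primary steps above can also be scripted with the same Microsoft.Adfs.Powershell snap-in used earlier, which is handy when the rollover has to be repeated on several federation servers. The script below is an added example and is not from the original post; it assumes the two certificates already exist in the Local Computer Personal store (created with Option 1 or Option 2), takes their thumbprints as placeholders, and the Assert-TokenCertificate helper is defined here only to check the key requirements mentioned above before touching ADFS.

```powershell
# Added example: script the manual token certificate rollover with the ADFS 2.0 snap-in.
# Assumes the certificates are already in Cert:\LocalMachine\My (makecert -ss my -sr localMachine).
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

# Placeholders: replace with the thumbprints of the new certificates (Get-ChildItem Cert:\LocalMachine\My).
$signingThumbprint    = 'REPLACE_WITH_SIGNING_THUMBPRINT'
$decryptingThumbprint = 'REPLACE_WITH_DECRYPTING_THUMBPRINT'

# Helper (defined here, not part of ADFS): make sure the certificate is usable as a token certificate
# before it is handed to ADFS - present in the store, with its private key, and at least 2048 bits.
function Assert-TokenCertificate {
    param([string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    if ($cert.PublicKey.Key.KeySize -lt 2048) { throw "Key length must be at least 2048 bits" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate $Thumbprint expires within 30 days" }
    return $cert
}

# Manual maintenance only works with AutoCertificateRollover turned off,
# otherwise ADFS will keep generating and promoting its own certificates.
if ((Get-ADFSProperties).AutoCertificateRollover) {
    Set-ADFSProperties -AutoCertificateRollover $false
}

$signing    = Assert-TokenCertificate $signingThumbprint
$decrypting = Assert-TokenCertificate $decryptingThumbprint

# Same effect as "Add Token-Signing Certificate..." / "Add Token-Decrypting Certificate..." in the console.
Add-ADFSCertificate -CertificateType Token-Signing    -Thumbprint $signing.Thumbprint
Add-ADFSCertificate -CertificateType Token-Decrypting -Thumbprint $decrypting.Thumbprint

# Same effect as "Set as Primary". The previous primary stays listed as secondary so relying
# parties that have not picked up the new public certificate yet can still validate tokens.
Set-ADFSCertificate -CertificateType Token-Signing    -Thumbprint $signing.Thumbprint    -IsPrimary
Set-ADFSCertificate -CertificateType Token-Decrypting -Thumbprint $decrypting.Thumbprint -IsPrimary

# Review the result; the primary entries are the public certificates to hand to relying
# parties that cannot consume the federation metadata automatically.
Get-ADFSCertificate |
    Select-Object CertificateType, IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize
```

The private key Read permission for the ADFS service account is not set by this script; grant it via Manage Private Keys as described above before setting the certificate as primary.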
