Under Alternative name, under Type, select DNS. Under Subject name, under Type, select Common name.Įnter your federation service name, for example "fs." and then click Add. Your can see the template you created in the previous step.Ĭlick the More information is required. Right-click the Personal node and choose All Tasks -> Request New Certificate.Ĭlick Next twice to get to the Request certificates page. Open the MMC window and add the Certificates snap-in for the local Computer account.
Request and enroll a new SSL certificate for AD FS Select SSL Certificate Template and click OK. Right click the container and select New, and then Certificate Template to Issue. Under Certification Authority (Local), expand the node with the CA name.Ĭlick to select the Certificate Templates container (under the CA name, not the Certificate Templates snap-in). On the General tab, update the template display name to SSL Certificate Template or similar. On the Request Handling tab, check the Allow private key to be exported box. This is because a domain controller is not a member of domain computers. If you are on a domain controller, repeat the steps above to add read, enroll, and auto-enroll permissions explicitly to the domain controller by name. With Domain Computers selected, check read, enroll, and auto-enroll permissions. In the Certificate Templates snap-in, right-click the Web Server template and select Duplicate.Ĭlick Object Types, check Computers, and then click Ok. For more information, see Active Directory Certificate Services Overview.
In order to complete these, you must deploy and configure AD CS in your environment.
Perform the following procedures to obtain a new SSL certificate from AD CS. Note that the certificate must be publicly trusted (chain to a publicly trusted root CA).Ĭonfigure the obtained certificate as the SSL certificate for AD FS It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. If you are using AD FS with Device Registration Service (DRS), add an additional SAN of type DNS for each UPN suffix in use in your environment, for example. Your federation service name, such as fs. (or an appropriate wildcard entry such as *.) Whether you are obtaining a new SSL certificate from a third party or from an enterprise certification authority (CA), ensure the certificate has subject alternative name entries of type DNS for each of the following:
0 kommentar(er)
