One of the most popular questions and support requests that I get has to do with the SSL certificate that is used for ADFS 2.0. This is the part where people screw up and/or don’t follow directions.
I have put together a cheat sheet of bullet points to help point you in the right direction.
USE PUBLIC CERTIFICATE – Don’t try to use a self-signed certificate, as this is not supported by Microsoft.
Because this certificate must be trusted by clients of AD FS 2.0 and Office 365 services, use an SSL certificate that is issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign, GoDaddy or Thawte.
USE SINGLE NAME CERTIFICATE – I have seen instances where a SAN (multi-name) certificate will actually work with ADFS 2.0, but Microsoft does not recommend or support these. Just keep it simple and use a single name SSL certificate.
The Subject name of this SSL certificate is used to determine the Federation Service name for each instance of AD FS 2.0 that you deploy. For this reason, you may want to consider choosing a Subject name on any new certification authority (CA)-issued certificates that best represents the name of your company or organization to Office 365 and this name must be Internet-routable.
USE A SIMPLE NAMING STRING – Keep in mind that the ADFS server farm name and the subject name on the certificate must match. I like to use sts.domainname.com (secure token service) and some people like to use fs.domainname.com (federation services). Ultimately you can choose what you want to name it; just keep it simple, and keep in mind that AD FS 2.0 does not allow this SSL certificate to have a dotless (short-name) Subject name.
USE ONE CERTIFICATE – Most people seem to think that they need one certificate for each ADFS Server and ADFS Proxy Server. You don’t: the same certificate is used on every server in the farm and on every proxy. After you create and fulfill the certificate request with the public CA, make sure the certificate’s private key is marked ‘Exportable’. This will allow you to export the certificate and private key to the other servers in the ADFS Farm and Proxy. Take this exported certificate (with private key) and import it on the other servers.
WILDCARD CERTIFICATES – Although the statement below suggests that it is possible to use wildcard certificates, I would lean towards not using them. I have not come across them yet.
You only add the federation service name if you are using a wildcard certificate for the AD FS 2.0 website.
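To put the checklist above into practice, here is an added PowerShell example (my own, not from Microsoft’s ADFS tooling) that checks a certificate already installed in the local machine store against each bullet point and then exports it with its private key for the other farm and proxy servers. The function names, the thumbprint and the federation service name are assumptions you replace with your own values.

```powershell
# Added example: verify a certificate against the ADFS 2.0 SSL checklist above.
function Test-AdfsSslCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string]$FederationServiceName  # e.g. sts.domainname.com
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $findings = @()

    # Farm name and certificate Subject must match: pull the CN out of the Subject.
    $cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
    if ($cn -ne $FederationServiceName) { $findings += "Subject CN '$cn' does not match '$FederationServiceName'" }

    # AD FS 2.0 does not allow a dotless (short) Subject name, and wildcards are best avoided.
    if ($cn -notmatch '\.') { $findings += "Subject name '$cn' is dotless" }
    if ($cn -match '\*')    { $findings += "Subject name '$cn' is a wildcard" }

    # Prefer a single-name certificate: flag any SAN entries beyond the federation service name.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
        $extra = @($names | Where-Object { $_ -ne $FederationServiceName })
        if ($extra.Count -gt 0) { $findings += "SAN certificate with extra names: $($extra -join ', ')" }
    }

    # Self-signed is not supported; the chain must build to a trusted (public) root.
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'Certificate is self-signed' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $findings += 'Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    # One certificate for the whole farm: the private key must exist and be exportable.
    # (Only CSP/RSACryptoServiceProvider keys are checked here; CNG keys are skipped.)
    if (-not $cert.HasPrivateKey) { $findings += 'No private key present' }
    elseif ($cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider] -and
            -not $cert.PrivateKey.CspKeyContainerInfo.Exportable) { $findings += 'Private key is not exportable' }

    if ((Get-Date) -gt $cert.NotAfter) { $findings += "Certificate expired $($cert.NotAfter)" }
    return $findings   # empty array means every check passed
}

# Added example: export the certificate plus private key as a password-protected PFX
# so the same certificate can be imported on the other ADFS farm and proxy servers.
function Export-AdfsSslCertificate {
    param([string]$Thumbprint, [string]$PfxPath, [System.Security.SecureString]$Password)
    $cert  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
}

# Usage (placeholder thumbprint and name):
# Test-AdfsSslCertificate -Thumbprint 'THUMBPRINT_HERE' -FederationServiceName 'sts.domainname.com'
```

If the checks return nothing, run Export-AdfsSslCertificate with a SecureString password and import the resulting PFX into the Local Computer\Personal store on each remaining farm and proxy server.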
Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.
Office 365 MVP