ADFS 2.0 Certificate Requirements

One of the most popular questions and support requests that I get has to do with the SSL certificate that is used for ADFS 2.0. This is the part where people screw up and/or don’t follow directions.

http://technet.microsoft.com/en-us/library/gg188612.aspx

http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx
I have put together a cheat sheet of bullet points to help you in the right direction.

  1. USE PUBLIC CERTIFICATE – Don’t try and use a self-signed certificate as this is not supported by Microsoft.

    Per Microsoft

    Because this certificate must be trusted by clients of AD FS 2.0 and Office 365 services, use an SSL certificate that is issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign, GoDaddy or Thawte.


  2. USE SINGLE NAME CERTIFICATE – I have seen instances where a SAN (multi-name) certificate will actually work with ADFS 2.0, but Microsoft does not recommend or support these. Just keep it simple and use a single name SSL certificate.

    Per Microsoft

    The Subject name of this SSL certificate is used to determine the Federation Service name for each instance of AD FS 2.0 that you deploy. For this reason, you may want to consider choosing a Subject name on any new certification authority (CA)-issued certificates that best represents the name of your company or organization to Office 365 and this name must be Internet-routable.


  3. USE A SIMPLE NAMING STRING – Keep in mind that the ADFS server farm name and the Subject name on the certificate must match. I like to use sts.domainname.com (secure token service) and some people like to use fs.domainname.com (federation services). Ultimately you can choose what you want to name it; just keep it simple and keep in mind that AD FS 2.0 requires that this SSL certificate not have a dotless (short-name) Subject name.


  4. USE ONE CERTIFICATE – Most people seem to think that they need one certificate for each ADFS Server and ADFS Proxy Server, but one is enough. After you create and fulfill the certificate request with the public CA, make sure to mark the certificate’s private key as ‘Exportable’. This will allow you to export the certificate and private key to the other servers in the ADFS Farm and Proxy. Take this exported certificate (with private key) and import it on the other servers.


  5. WILDCARD CERTIFICATES – Although the statement below suggests that it is possible to use wildcard certificates, I would lean towards not using them. I have not come across them, yet.

    Per Microsoft

    You only add the federation service name if you are using a wildcard certificate for the AD FS 2.0 website.
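The five points above are a checklist, so here is an added PowerShell example (my own, not code from the original post or from Microsoft) that runs the checks against the certificate in the Local Computer\Personal store and then exports the PFX for the remaining farm and proxy servers. It assumes the farm name is sts.domainname.com (placeholder, as in point 3) and an export path of C:\Temp\adfs-ssl.pfx (also an assumption). It uses the .NET X509Certificate2 Export method rather than Export-PfxCertificate so that it also runs on the Windows Server 2008 R2 / PowerShell 2.0 hosts that ADFS 2.0 was usually installed on.

```powershell
# Added example, not part of the original post. Assumptions: farm name and PFX path below.
param(
    [string]$FederationServiceName = "sts.domainname.com",   # assumption: farm / Subject name
    [string]$PfxPath = "C:\Temp\adfs-ssl.pfx"                # assumption: where the PFX is written
)

function Test-AdfsSslCertificate {
    param([string]$Name)

    # Point 3: the Subject CN must equal the federation service (farm) name.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "^CN=$([regex]::Escape($Name))(,|$)" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$Name in Cert:\LocalMachine\My" }

    $cn = (($cert.Subject -split ',')[0] -replace '^CN=', '').Trim()
    $problems = @()

    # Point 3: a dotless (short) Subject name is not allowed.
    if ($cn -notmatch '\.') { $problems += "Subject '$cn' is a dotless short name" }

    # Point 5: flag wildcard subjects so you decide about them deliberately.
    if ($cn.StartsWith('*.')) { $problems += "Subject '$cn' is a wildcard name" }

    # Point 2: a SAN certificate carrying several DNS names is not a single-name certificate.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $dnsNames = @(($san.Format($false) -split ',') | Where-Object { $_ -match 'DNS Name=' })
        if ($dnsNames.Count -gt 1) { $problems += "SAN certificate with $($dnsNames.Count) DNS names" }
    }

    # Point 1: must chain to a publicly trusted root, not be self-signed.
    if ($cert.Subject -eq $cert.Issuer) { $problems += "Certificate is self-signed" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "Chain does not build: $status"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # AuthRoot is the 'Third-Party Root Certification Authorities' store. Some public roots
    # also ship in 'Root', so a root missing from AuthRoot is something to review, not a hard fail.
    $inAuthRoot = Get-ChildItem Cert:\LocalMachine\AuthRoot | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if (-not $inAuthRoot) { Write-Warning "Root '$($root.Subject)' is not in the Third-Party Root CA store; confirm it is a public CA" }

    # Point 4: the private key must be present and marked Exportable so one cert can go to every node.
    if (-not $cert.HasPrivateKey) { $problems += "No private key in the store" }
    elseif ($cert.PrivateKey -and -not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
        $problems += "Private key is not marked Exportable"
    }

    New-Object PSObject -Property @{ Certificate = $cert; Problems = $problems }
}

function Export-AdfsSslCertificate {
    param($Certificate, [string]$Path, [System.Security.SecureString]$Password)
    # PFX = certificate plus private key; this is what gets copied to the other farm and proxy servers.
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    [System.IO.File]::WriteAllBytes($Path, $Certificate.Export($pfxType, $Password))
}

function Import-AdfsSslCertificate {
    param([string]$Path, [System.Security.SecureString]$Password)
    # Run on each remaining server. Keep the key exportable there too, in case another node is added later.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
    return $cert
}

$result = Test-AdfsSslCertificate -Name $FederationServiceName
if ($result.Problems.Count -gt 0) {
    $result.Problems | ForEach-Object { Write-Warning $_ }
} else {
    $pfxPassword = Read-Host "PFX password" -AsSecureString
    Export-AdfsSslCertificate -Certificate $result.Certificate -Path $PfxPath -Password $pfxPassword
    Write-Host "Exported $($result.Certificate.Thumbprint) to $PfxPath; run Import-AdfsSslCertificate on each other ADFS and proxy server."
}
```

Run the script on the server that fulfilled the CSR, fix anything it warns about before exporting, then copy the PFX to the other nodes and call Import-AdfsSslCertificate there with the same password. Delete the PFX copies once every node has the certificate in its store.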

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP


9 thoughts on “ADFS 2.0 Certificate Requirements”

  1. Thilina Randombage

    Is there a list of CAs that are trusted by Office 365 services? You mentioned ‘VeriSign, GoDaddy or Thawte’. Is there any way that we can check if a particular SSL provider is trusted by Office 365 services?

    For example, Network Solutions. Are certificates issued by this provider trusted by Office 365 services?

    I ask this because there are CAs that provide free SSL certificates, such as http://www.startssl.com/. How can we find out if this is trusted by O365 services? Is there a list?

    1. Kelsey Epps (Post author)

      I am looking for a list (emailed my contacts at Microsoft). The best that I have come up with so far is that they will support all the CAs that are currently listed in Windows Server 2008/2012 under Third-Party Root Certification Authorities.

  2. Juzer Ibrahim

    Can we use a certificate issued by the local CA that has been deployed in our infrastructure for the ADFS servers?

  3. Wale Olo

    Thanks so much for your help in putting this write-up together. I have a question please. In a load-balanced ADFS and WAP setup consisting of 4 servers (2 for ADFS and 2 for WAP), how many SSL certificates are recommended for all 4 servers? Is it against best practices to use the same SSL certificate for all 4 servers, or should there be separate SSL certificates for the ADFS and WAP servers? Thanks for your help; I look forward to hearing from you.

