Share via


Checklist: Configuring certificates for a federation server

Applies To: Windows Server 2003 R2

This checklist includes the deployment tasks for configuring certificates on a federation server running Windows Server 2003 R2, Enterprise Edition.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

ChecklistChecklist: Configuring certificates for a federation server

  Task Reference
Checkbox

Before you install the Federation Service component on a computer that will become a federation server, read about the importance of obtaining and (for federation server farms) sharing a server authentication certificate and token-signing certificate across all the servers in the farm.

Conceptual topicCertificate requirements for federation servers

Checkbox

(Optional) As an alternative to obtaining a server authentication certificate from a certification authority (CA), you can use the SelfSSL.exe tool to acquire a sample certificate for your federation server.

Because the SelfSSL tool generates a self-signed certificate that does not originate from a commonly trusted source, use the SelfSSL tool only in the following scenarios:

  • When you have to create a Secure Sockets Layer (SSL) channel between your server and a limited, known group of users

  • When you have to troubleshoot third-party certificate problems

CautionCaution
It is not a security best practice to deploy a federation server in a production environment using a self-signed server authentication certificate.

Conceptual topic Internet Information Services (IIS) 6.0 Resource Kit Tools (https://go.microsoft.com/fwlink/?LinkId=36285)

Checkbox

(Optional) As an alternative to obtaining a token-signing certificate from a CA, you can use the Windows Components Wizard (during the installation of the Federation Service component) to create a self-signed token-signing certificate automatically, or you can use the MakeCert.exe tool to acquire this certificate for your federation server.

The MakeCert tool generates X.509 root certificates. It is typically used for testing purposes.

Caution   It is not a security best practice to deploy a federation server in a production environment using a self-signed token-signing certificate.

Procedure topicCreate a self-signed, token-signing certificate

Checkbox

(Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing token-signing certificate (on the first federation server in the farm) and then import it into the personal store of the local federation server computer.

Exporting the private key is not required when your issued token-signing certificate can be reused by multiple computers (without the need to export) or when you will obtain unique token-signing certificates for each federation server in the farm.

Procedure topic Export the private key portion of a token-signing certificate (https://go.microsoft.com/fwlink/?LinkId=75068)

Procedure topic Import a certificate (https://go.microsoft.com/fwlink/?linkid=20040)

Checkbox

(Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing server authentication certificate (on the first federation server in the farm) so that you have a file format of the certificate ready when other federation servers must import the same certificate.

Exporting the private key is not required when your issued server authentication certificate can be reused by multiple computers (without the need to export) or when you will be obtaining unique server authentication certificates for each federation server in the farm.

Procedure topicExport the private key portion of a server authentication certificate

Checkbox

After you obtain a server authentication certificate (or private key), you must then import the certificate file to the default Web site for each federation server.

Procedure topicImport a server authentication certificate to the default Web site

Checkbox

Go back to the main federation server checklist, and proceed to the next task (Install the Federation Service component of ADFS).

Checklist topicChecklist: Installing a federation server