Checklist: Configuring certificates for a federation server
Applies To: Windows Server 2003 R2
This checklist includes the deployment tasks for configuring certificates on a federation server running Windows Server 2003 R2, Enterprise Edition.
Note: Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
Task | Reference
---|---
Before you install the Federation Service component on a computer that will become a federation server, read about the importance of obtaining and (for federation server farms) sharing a server authentication certificate and token-signing certificate across all the servers in the farm. |
(Optional) As an alternative to obtaining a server authentication certificate from a certification authority (CA), you can use the SelfSSL.exe tool to acquire a sample certificate for your federation server. Because the SelfSSL tool generates a self-signed certificate that does not originate from a commonly trusted source, use the SelfSSL tool only in the following scenarios: | Internet Information Services (IIS) 6.0 Resource Kit Tools (https://go.microsoft.com/fwlink/?LinkId=36285)
(Optional) As an alternative to obtaining a token-signing certificate from a CA, you can use the Windows Components Wizard (during the installation of the Federation Service component) to create a self-signed token-signing certificate automatically, or you can use the MakeCert.exe tool to acquire this certificate for your federation server. The MakeCert tool generates X.509 root certificates. It is typically used for testing purposes. Caution: It is not a security best practice to deploy a federation server in a production environment using a self-signed token-signing certificate. |
(Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing token-signing certificate (on the first federation server in the farm) and then import it into the personal store of the local federation server computer. Exporting the private key is not required when your issued token-signing certificate can be reused by multiple computers (without the need to export) or when you will obtain unique token-signing certificates for each federation server in the farm. | Export the private key portion of a token-signing certificate (https://go.microsoft.com/fwlink/?LinkId=75068); Import a certificate (https://go.microsoft.com/fwlink/?linkid=20040)
(Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing server authentication certificate (on the first federation server in the farm) so that you have a file format of the certificate ready when other federation servers must import the same certificate. Exporting the private key is not required when your issued server authentication certificate can be reused by multiple computers (without the need to export) or when you will be obtaining unique server authentication certificates for each federation server in the farm. | Export the private key portion of a server authentication certificate
After you obtain a server authentication certificate (or private key), you must then import the certificate file to the default Web site for each federation server. | Import a server authentication certificate to the default Web site
Go back to the main federation server checklist, and proceed to the next task (Install the Federation Service component of ADFS). |
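The checks a practitioner would want to run on a token-signing or server authentication certificate before sharing it across a farm (private key present, not self-signed, not about to expire, key usages that match the role), together with the private-key export step from the two export tasks in the table, as an added PowerShell example that is not part of this checklist or of Microsoft's ADFS tooling. It assumes Windows PowerShell with the Cert: drive and the PKI module's Export-PfxCertificate and Import-PfxCertificate cmdlets (Windows Server 2012 or later), so it complements the certificates MMC procedures linked above rather than reproducing the Windows Server 2003 tools; the function names, the D:\transfer path and the all-zero thumbprint are placeholders.

```powershell
# Added example, not from the Microsoft checklist. Audits a certificate in the local
# computer's Personal store before it is shared across a federation server farm and
# optionally exports it with its private key as a PFX file for the other farm members.
# Assumes the Cert: drive and the PKI module (Windows Server 2012 or later).
# Function names, the path and the thumbprint below are illustrative placeholders.

Set-StrictMode -Version Latest

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, expected on a server authentication certificate

function Test-FederationCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [switch] $ServerAuthentication   # set when checking the SSL certificate rather than the token-signing one
    )

    $wanted = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
    }

    $findings = @()

    # Without the private key this computer can neither sign tokens nor terminate SSL, so a
    # farm member that shows this finding received only the public part of the certificate.
    if (-not $cert.HasPrivateKey) {
        $findings += 'Private key is not present in the store.'
    }

    # SelfSSL.exe, MakeCert.exe and the Windows Components Wizard all produce self-signed
    # certificates, which have identical Subject and Issuer. Acceptable in a test lab only.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += 'Certificate is self-signed (test use only).'
    }

    # Flag certificates that are already expired or expire within 30 days.
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Certificate expires on $($cert.NotAfter.ToString('u'))."
    }

    # A token-signing certificate must allow digital signatures if it carries a Key Usage extension.
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digitalSignature = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if ($ku -and (([int]$ku.KeyUsages -band $digitalSignature) -eq 0)) {
        $findings += 'Key Usage extension does not permit Digital Signature.'
    }

    # A server authentication certificate needs the serverAuth EKU (or no EKU extension at all).
    if ($ServerAuthentication) {
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku })) {
            $findings += 'Enhanced Key Usage does not include Server Authentication.'
        }
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Findings   = $findings      # empty means the certificate is ready to share with the farm
    }
}

function Export-FederationCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [Parameter(Mandatory = $true)] [string] $Path,            # destination PFX file
        [Parameter(Mandatory = $true)] [securestring] $Password   # protects the private key in the PFX
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    # Export-PfxCertificate fails when the key was marked non-exportable at enrollment; that is the
    # intended outcome, so re-enroll with an exportable key rather than working around it.
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password
}

# Usage (placeholder thumbprint; replace it with the value shown in the certificates MMC):
# Test-FederationCertificate -Thumbprint '0000000000000000000000000000000000000000' | Format-List
# $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
# Export-FederationCertificate -Thumbprint '0000000000000000000000000000000000000000' `
#     -Path 'D:\transfer\token-signing.pfx' -Password $pfxPassword
```

On each additional farm member the file is brought into the Personal store with `Import-PfxCertificate -FilePath 'D:\transfer\token-signing.pfx' -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword`, after which `Test-FederationCertificate` should report the same thumbprint and no findings on every server. Because the PFX carries the private key, keep it off shared locations and delete it once the last server has imported it.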