ADFS 3.0 SSL certificate signing request - pt. 2

adfs30certificate01

ADFS 3.0 requires a dedicated SSL certificate installed on the ADFS servers in order to provide users with single sign-on access to the Office 365 platform.

If you plan to implement Office 365 in your company, ADFS is the service to consider if you want authentication to stay on your own domain controllers and behave the same on every device. A simpler alternative is the DirSync tool on its own, but in that case only the accounts are synchronized and authentication is handled separately by Office 365.

 

Blog series

ADFS 3.0 setup UPN suffix for Office 365 SSO - pt. 1
ADFS 3.0 SSL certificate signing request - pt. 2
ADFS 3.0 install ADFS Server - pt. 3
ADFS 3.0 install WAP Server - pt. 4
ADFS 3.0 federating Office 365 - pt. 5
ADFS 3.0 install Directory Sync tool - pt. 6
ADFS 3.0 deploy Office 365 - pt. 7

 

Prerequisites

To setup the ADFS infrastructure you need the following:

  • At least two Windows Server 2012 R2 machines joined to the domain (the ADFS servers)
  • One Windows Server 2012 R2 machine NOT joined to the domain and residing in the DMZ (the Web Application Proxy, WAP)

 

Request the SSL certificate

ADFS 3.0 no longer needs IIS as previous releases did, but it still relies on an SSL certificate to work. Before starting the configuration we therefore need to create a certificate request from the machine we are going to use for the ADFS setup; the private key is generated on that machine, so the request, the import of the signed certificate and the export of the .pfx must all happen there.

From Start > Search program and files type the command mmc then press Enter to run the Snap-in console.

adfs30certificate02

From File menu select Add/remove Snap-in option.

adfs30certificate03

Select Certificates then click Add button.

adfs30certificate04

Since the certificate refers to the machine itself, select Computer account option then click Next.

adfs30certificate05

Select Local computer and click Finish.

adfs30certificate06

When the Certificates snap-in is added to the right pane, click OK to open the console.

adfs30certificate07

Expand the Certificates item and right click Personal. Select All Tasks > Advanced Operations > Create Custom Request.

adfs30certificate08

The Certificate Enrollment Wizard opens. Click Next to proceed.

adfs30certificate09

Select Proceed without enrollment policy option then click Next.

adfs30certificate10

Select (No template) CNG key value from the Template drop down menu and PKCS #10 option as Request format. Click Next.

adfs30certificate11

If you proceed with the CNG key template, the ADFS configuration later fails with the error message shown in the picture, because ADFS 3.0 does not support certificates whose private key is held by a CNG key storage provider. Keep this in mind if you already have a certificate issued this way: it cannot be fixed after the fact, the request has to be recreated.

adfs30certificate12

ADFS requires the legacy (CryptoAPI) key type instead. From the Certificate Enrollment Wizard select (No template) Legacy key from the Template drop down menu and PKCS #10 as Request format. Click Next to continue.

adfs30certificate13

Click Details to show the additional information, then click Properties.

adfs30certificate14

In the General tab type a Friendly name to better identify the certificate and a Description. Select Subject tab when done.

adfs30certificate15

In this tab we are going to configure the certificate properties. From the Type drop down menu select Common name.

adfs30certificate16

In the Value field type the name of your federation service (for example sts.yourdomain.com) and click Add. This name is the one that will be configured in the public DNS and that clients will connect to, so it must match exactly.

adfs30certificate17

Now select Organization from the drop down menu and type the Value then click Add.

adfs30certificate18

Select Organization unit, type a Value and click Add.

adfs30certificate19

Select Locality, type a Value and click Add.

adfs30certificate20

Select State, type a Value and click Add.

adfs30certificate21

Select Country, type a Value and click Add.

adfs30certificate22

When the certificate properties have been set, select the Private Key tab.

adfs30certificate23

Click on the Cryptographic Service Provider's ^ symbol to expand the properties and select Microsoft RSA SChannel Cryptographic Provider (Encryption) option.

adfs30certificate24

Click on the Key options' ^ symbol to expand the properties and set 2048 as Key size.

adfs30certificate25

Enable the Make private key exportable option: it is needed because the same certificate, private key included, has to be installed on the WAP server later. An exportable key also means that anyone who can read the exported .pfx owns the federation service identity, so the file must be password protected and removed once it has been copied. Click OK to save the certificate properties.

adfs30certificate26

Click Next to continue with the request process.

adfs30certificate27

Type a File Name and set Base 64 as File format. Click Finish to complete the procedure.

adfs30certificate28

Select Certificate Enrollment > Certificates and check if the certificate request shows up in the right pane.

adfs30certificate29

Open the Base 64 request file in a text editor and paste its contents into the Certificate Signing Request field of the CA you have chosen.

adfs30certificate30
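The same request can be built from the command line with certreq, which is useful when the procedure has to be repeated or documented. The script below is an added example and is not part of the original post: it writes an INF file with the settings chosen in the wizard above (legacy Microsoft RSA SChannel provider, 2048-bit exportable key, PKCS #10, Base 64) and checks the pending request. The federation service name sts.contoso.com, the subject fields and the file paths are assumptions, and the Subject Alternative Name entry is an addition beyond the wizard walkthrough.

```powershell
# Added example: certreq-driven version of the wizard request above.
# Assumed values (replace with your own): federation service name and subject fields.
$FederationName = 'sts.contoso.com'   # must match the name published in public DNS
$Subject = "CN=$FederationName, O=Contoso Ltd, OU=IT, L=Milan, S=Lombardy, C=IT"

$inf = @"
[NewRequest]
Subject = "$Subject"
FriendlyName = "ADFS SSL certificate"
; Legacy CSP (ProviderType 12), not a CNG key storage provider: ADFS 3.0 rejects CNG keys
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
; Exportable so the same certificate can be installed on the WAP server (part 4)
Exportable = TRUE
MachineKeySet = TRUE
; Digital Signature + Key Encipherment
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name with the same DNS name (not set by the wizard above;
; current browsers ignore the CN and require a SAN)
2.5.29.17 = "{text}"
_continue_ = "dns=$FederationName&"
"@

$infPath = Join-Path $env:TEMP 'adfs-ssl.inf'   # assumed paths
$reqPath = Join-Path $env:TEMP 'adfs-ssl.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the local machine store and writes a Base64 PKCS #10 request
certreq.exe -new $infPath $reqPath

# Check 1: the pending request is in the REQUEST store with the expected subject and key size
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.Subject -like "CN=$FederationName*" } |
    Select-Object Subject, Thumbprint, @{ n = 'KeySize'; e = { $_.PublicKey.Key.KeySize } }

# Check 2: inspect the request file itself before handing it to the CA
certutil.exe -dump $reqPath | Select-String 'Subject:', 'Public Key Length', 'Provider'

# This Base64 block is what goes into the CA's Certificate Signing Request field
Get-Content $reqPath
```

The INF is the equivalent of the wizard's Properties dialog: ProviderName/ProviderType select the legacy provider from the Private Key tab, KeyLength is the key size and Exportable matches the checkbox. If the CA's verification of the request shows a key storage provider instead of the SChannel provider, the request was generated as a CNG key and has to be recreated.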

 

Import the signed certificate

When the CA returns the signed certificate, it must be imported on the same machine that generated the request, so that Windows can pair it with the private key waiting in the Certificate Enrollment Requests store. From the Certificates snap-in console, right click Personal and select All Tasks > Import.

adfs30certificate31

The Certificate Import Wizard opens. Click Next to continue.

adfs30certificate32

Click Browse, select the signed certificate file returned by the CA, then click Next.

adfs30certificate33

Place the certificate in Personal Certificate store and click Next.

adfs30certificate34

Click Finish to import the certificate.

adfs30certificate35

Click OK to close the confirmation window.

adfs30certificate36

Select Personal > Certificates to check the issued certificate. The certificate has been imported successfully in the local computer.

adfs30certificate37
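From the command line the same import is done with certreq -accept, and a couple of checks confirm that the certificate is usable by ADFS before part 3. The script below is an added example, not code from the original post; the certificate path C:\certs\adfs-ssl.cer and the name sts.contoso.com are assumptions.

```powershell
# Added example: import the signed certificate and verify it is the right kind for ADFS 3.0.
# Assumed values (replace with your own): path of the CA-issued file and federation service name.
$FederationName = 'sts.contoso.com'
$signedCert     = 'C:\certs\adfs-ssl.cer'

# Run on the server that generated the request: only there does the private key exist.
# certreq -accept moves the certificate into Personal (My) and binds it to that key.
certreq.exe -accept $signedCert

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FederationName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate for $FederationName with a private key in LocalMachine\My: was the request made on this machine?"
}

# Check 1: legacy CSP versus CNG. certutil reports the provider holding the private key;
# a 'Key Storage Provider' means a CNG key, which is the cause of the ADFS error shown above.
$provider = certutil.exe -store My $cert.Thumbprint | Select-String 'Provider ='
if ("$provider" -match 'Key Storage Provider') {
    throw "Private key is held by a CNG KSP ($provider). ADFS 3.0 will reject it; recreate the request with the legacy key template."
}

# Check 2: chain to a trusted root, name and Server Authentication EKU, as a browser would verify it
$chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $FederationName -EKU '1.3.6.1.5.5.7.3.1'

[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Provider   = ("$provider" -replace '^\s*Provider = ', '')
    ChainValid = $chainOk
}
```

If Test-Certificate returns False, the usual reason is a missing intermediate CA certificate; install the CA's intermediate in LocalMachine\Intermediate Certification Authorities and run the check again, because the WAP server in the DMZ will not have it either.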

 

Export the certificate with private key

As noted in part 1, another component of the infrastructure, the WAP server, requires the same certificate with its private key to work.

From the Certificate console export the certificate including the private key. From Personal > Certificates right click the issued certificate and select All Tasks > Export option.

adfs30certificate38

The Export Wizard opens. Click Next to proceed.

adfs30certificate39

Select Yes, export the private key option and click Next.

adfs30certificate40

Leave the default options (Personal Information Exchange, .pfx, with the certificate chain included) and click Next.

adfs30certificate41

For security reasons, assign a strong Password to protect the private key, then click Next. The .pfx contains the federation service's private key, so it must never be copied unprotected.

adfs30certificate42

Type a File name and click Next.

adfs30certificate43

Click Finish to export the certificate.

adfs30certificate44

Click OK to close the confirmation window.

adfs30certificate45

The certificate .pfx has been exported successfully.

adfs30certificate46
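The export, its verification and the corresponding import on the WAP server can also be scripted. The block below is an added example, not part of the original post; the name sts.contoso.com and the path C:\certs\adfs-ssl.pfx are assumptions.

```powershell
# Added example: export the certificate with its private key for the WAP server (part 4).
# Assumed values (replace with your own): federation service name and .pfx path.
$FederationName = 'sts.contoso.com'
$pfxPath        = 'C:\certs\adfs-ssl.pfx'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FederationName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for $FederationName" }

# Prompt for the password instead of hard-coding it: the .pfx IS the private key
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString

# BuildChain includes the intermediate CA certificates, which the non-domain-joined WAP
# in the DMZ would otherwise lack. This fails if the key was not created exportable.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Check: open the file with the password and list what it contains, without importing it
$pfx = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
$pfx.EndEntityCertificates | Select-Object Subject, Thumbprint, HasPrivateKey
$pfx.OtherCertificates     | Select-Object Subject   # intermediates carried along

# Limit who can read the file while it waits to be copied to the WAP
icacls.exe $pfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:(R)' 'NT AUTHORITY\SYSTEM:(R)' | Out-Null

# On the WAP server (part 4) the counterpart is the following; the key does not need to be
# exportable there, so -Exportable is deliberately omitted:
#   Import-PfxCertificate -FilePath C:\certs\adfs-ssl.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
# Delete the .pfx from both machines once the WAP is configured:
#   Remove-Item $pfxPath
```

Keeping the intermediates in the .pfx matters more for the WAP than for the ADFS servers: the WAP is not domain-joined, so it receives no certificates through Group Policy and would otherwise present an incomplete chain to external clients.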

In part 3 we'll start installing the ADFS service in the server as first component of the infrastructure.
