I'm having difficulty using a certificate obtained from an Enterprise Root CA as a signing and/or decryption certificate. I've chosen not to use the automatic roll-over of the signing certificate because of the risk that my relying parties are no longer able to use the AD FS server when this occurs. In my experience systems administrators forget to manage the updating of relying parties proactively. I chose the Enterprise Root CA because that way I can have SharePoint trust the CA Root certificate, so I do not have to trust a new certificate every time the signing certificate updates.
The point is now: I can only use a certificate from an Enterprise Root CA if I request it from IIS (so a web server certificate), which does not have the lifetime and key length I want. When I create a new certificate template based on the Web Server certificate template, no matter what I do I get an AD FS event 133 (cannot access private key). I do have private key permissions set properly (like I do with the key generated from IIS), so I guess there is something else about the certificate that AD FS does not like.
This is driving me nuts. Who knows how to solve this?
(Btw: I have a 2012 AD FS server and a 2008 R2 domain controller).
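A diagnostic check for the "cannot access private key" situation described above, added here as an example (not code from the original poster or from Microsoft). It locates the key file behind a LocalMachine\My certificate, reports whether the key is held by a legacy CSP or by a CNG key storage provider (the 2012-era AD FS release only accepts CSP keys for token signing and decryption, which is one place a custom template can differ from the IIS-requested Web Server certificate), and lists the service account's explicit ACE on that file. The thumbprint and service account are placeholders you supply; run it elevated on the AD FS server.

```powershell
# Added example, not code from the original post or from Microsoft. Assumes the
# certificate is in LocalMachine\My and that $Thumbprint / $ServiceAccount are
# supplied by you (placeholders). Run elevated so certutil can show the container name.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,      # SHA-1 thumbprint without spaces
    [Parameter(Mandatory)] [string] $ServiceAccount   # AD FS service account, e.g. 'DOMAIN\svc-adfs'
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "No private key for $Thumbprint in LocalMachine\My." }

# Pull one captured value out of the certutil text dump, failing loudly if it is absent.
function Get-CertutilValue([string[]] $Lines, [string] $Pattern) {
    $m = $Lines | Select-String $Pattern | Select-Object -First 1
    if (-not $m) { throw "certutil output did not contain '$Pattern' (run elevated?)." }
    $m.Matches[0].Groups[1].Value.Trim()
}

# certutil shows the provider holding the key and the on-disk container (file) name.
$dump      = certutil -store My $Thumbprint
$provider  = Get-CertutilValue $dump 'Provider\s*=\s*(.+)$'
$container = Get-CertutilValue $dump 'Unique container name:\s*(.+)$'

# Legacy CSP machine keys live under RSA\MachineKeys; CNG (Key Storage Provider) keys under Keys.
$isCng   = $provider -match 'Key Storage Provider'
$keyDir  = if ($isCng) { "$env:ProgramData\Microsoft\Crypto\Keys" } else { "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" }
$keyFile = Join-Path $keyDir $container

"Subject  : $($cert.Subject)"
"Provider : $provider"
"Key type : $(if ($isCng) { 'CNG/KSP (not accepted by AD FS 2012 for token signing/decryption)' } else { 'legacy CSP' })"
"Key file : $keyFile"

if (-not (Test-Path $keyFile)) { throw "Key file not found; check the template's provider setting." }

# AD FS needs Read on the key file for its service account; show the explicit ACE, if any.
$rules = (Get-Acl $keyFile).Access | Where-Object { $_.IdentityReference.Value -ieq $ServiceAccount }
if (-not $rules) {
    Write-Warning "$ServiceAccount has no explicit ACE on the key file (grants via group membership are not resolved here)."
} else {
    $rules | ForEach-Object { "ACE      : {0} {1}" -f $_.AccessControlType, $_.FileSystemRights }
}
```

If the provider line names a Key Storage Provider, the fix is in the template's Cryptography tab (choose a legacy cryptographic service provider and re-enrol), not in the key file ACL.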
On step 1b under the section 'Replacing the Token-Signing certificate' you should type 'Import-Module ADFS' instead of 'Add-Pssnapin Microsoft.Adfs.Powershell' from PowerShell.