SHA2 Certs for ADFS RRS feed

  • Question

  • Hi,

    We have been using SHA2 certificates in our environment for the past few months now. These are mostly web servers, and the certs we issue have been working with no problems.

    Recently, I was asked to renew the certs for our existing ADFS environment. However, I was told by the team that manages ADFS that the ones we create using the existing template for the web servers do not work, and that the existing SHA2 certs are CNG certs.

    I would like to create a new template for ADFS servers to overcome this issue and keep a separate template just for this purpose. I am not really sure what settings I need to select when creating the template and was hoping someone could guide me with this.

    The certificate template settings we currently use are version 10, running on Server 2016.

    Friday, April 7, 2017 12:42 PM

Answers

  • Hi Lats,

    What Pierre means is that there are 3 certificates on a typical ADFS server.

    Service Communication Certificate - this is just a standard SSL cert, typically signed by a public signing entity such as Verisign, Symantec, Digicert etc. (no template required)

    Token Signing Certificate/Token Encryption Certificate - these certificates are typically self signed (no template required)

    So if you are using your Internal PKI to create any of the above certificates your environment would generally be considered non-standard and we would need more information about how you plan to use the issued certificate to help you create a template.

    As for the CNG/Legacy situation, you can generate an SHA2 cert using a legacy CSP; you just select it when you create the certificate request, or use certreq to generate the request... or use the default ADCS Web Enrollment page... or just convert your CNG cert to Legacy by converting it to a P12 file using a non-Microsoft tool... many options there.

    Good Luck!

    Shane

    • Marked as answer by Lats Wednesday, April 19, 2017 4:22 PM
    Wednesday, April 19, 2017 3:13 AM
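
    As an added example (not part of the thread), the request below follows Shane's certreq suggestion: it pins the legacy Microsoft RSA SChannel CSP so the private key is a CryptoAPI key rather than a CNG key, while still producing a SHA-256 request. The subject, the SAN and the template name ADFSServer are placeholders for your own environment.

```powershell
# Added example, not from the thread. Writes a certreq INF that asks for a
# SHA-256 certificate whose key lives in a legacy CSP (not a CNG KSP).
# adfs.example.com and the template name ADFSServer are placeholders.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=adfs.example.com"
; Legacy CSP: forces a CryptoAPI (non-CNG) key container
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; AT_KEYEXCHANGE, needed for TLS key exchange
KeySpec = 1
KeyLength = 2048
; SHA-2 signature on the request itself
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
; Digital Signature + Key Encipherment
KeyUsage = 0xa0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=adfs.example.com&"

[RequestAttributes]
; Placeholder: the separate enterprise CA template created for ADFS
CertificateTemplate = ADFSServer
'@
Set-Content -Path .\adfs.inf -Value $inf -Encoding ASCII

certreq -new .\adfs.inf .\adfs.req       # generate the key pair and the CSR
certreq -submit .\adfs.req .\adfs.cer    # submit to the enterprise CA
certreq -accept .\adfs.cer               # bind the issued cert to the key

# Check: the Provider line must name the SChannel CSP, not a Key Storage
# Provider, otherwise the key is still CNG and ADFS will reject it.
certutil -store My adfs.example.com | Select-String 'Provider|Key Container'
```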

All replies

  • Do you mean for the TLS certificate or for the Token Signing and Token Decrypting certificates?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, April 18, 2017 2:58 PM
  • Hi Pierre,

    Exactly right. Not sure if there is a way around this?

    Tuesday, April 18, 2017 3:21 PM