CCS (centralized certificate store) & ADFS RRS feed

  • Question

  • From Windows 2012 R2 onwards IIS dependency has been removed from ADFS.

    Shall I use the CCS for ADFS 3.0 ?


    AliahMurfy

    Wednesday, January 4, 2017 4:34 AM

Answers

  • ADFS does not leverage the feature you mention.

    SSL certificates have to be stored in the local store of computer.

    Token Signing and Token Decrypting certificates are encrypted and stored in the ADFS database.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Aliah Murfy Friday, January 13, 2017 9:02 AM
    Saturday, January 7, 2017 6:23 PM

All replies

  • AD FS on Windows Server 2012 R2 (often referred to as “AD FS 3.0”) no longer has a dependency on IIS, which ideally means you will no longer be able to use the old methods of generating a “Certificate Signing Request” (CSR), that is, using IIS on the server or another IIS server in the organization. And without access to IIS, your options for generating the CSR are to use the MMC snap-in, one of the native command line utilities or some third-party tools.

    The best option is to use native PowerShell commands to generate the certificate.

    Also, with regard to cryptography and certificate dependency, nothing has changed much; the certificate store will be used as it is in ADFS 2.0.
    Wednesday, January 4, 2017 9:22 AM
  • We are using third-party certificates (neither self-signed nor internal PKI), and certificate creation is not the issue.

    CCS is the new extension of TLS/SSL. Can we use it for ADFS certificates?

    More on CCS : Central Certificate Store or Centralized SSL Certificate Support is a feature which allows certificates to be stored on a central location like a file share. This feature is very similar to Shared Configuration, where the certificates are stored on a file share and the servers in farm load them on demand.

    In CCS the files are exported along with the private key (in .pfx format) and stored centrally on a file share. The files are named according to a specific naming convention and stored in the file share, and are loaded on demand for an incoming SSL request. CCS uses the Server Name Indication information from the Client Hello for this functionality.

    https://blogs.msdn.microsoft.com/kaushal/2012/10/11/central-certificate-store-ccs-with-iis-8-windows-server-2012/


    AliahMurfy

    Thursday, January 5, 2017 4:02 AM
  • Yes, you can use them. The underlying principle is the same here; instead of the local store, the certs are stored in a central location.
    Thursday, January 5, 2017 7:55 AM
  • How do I implement CCS for ADFS 3? Because I can't find IIS installed on the Win2012R2 ADFS STS server.

    AliahMurfy


    • Edited by Aliah Murfy Saturday, January 7, 2017 1:47 PM
    Saturday, January 7, 2017 1:47 PM
  • If you are not using self-signed certificates or internal CA-generated certs, you would need to import them into the local computer store of each node of your ADFS farm, with the private key; this goes for SSL, Token Signing & Token Decryption certificates.

    Tuesday, January 10, 2017 2:05 PM
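As an added example that is not part of the thread or any Microsoft documentation, this PowerShell does what the reply above describes: it imports a third-party PFX (with its private key) into the local computer store on every ADFS node, checks that all nodes ended up with the same certificate, and then binds it as the SSL / service communications certificate. The node names, the PFX path and the password prompt are assumptions.

```powershell
# Added example (not from the thread): import a vendor-issued PFX into each ADFS
# node's LocalMachine\My store and bind it for SSL / service communications.
# Node names and the share path are assumptions; the password is prompted for.

$Nodes   = @('adfs01.corp.example', 'adfs02.corp.example')  # assumed farm nodes
$PfxPath = '\\fileserver\certs\sts.corp.example.pfx'        # assumed PFX location
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString  # never hard-code it

# Import on every node. ADFS reads the private key from the local computer
# store, not from a CCS share, so the key has to be present on each node.
$Results = Invoke-Command -ComputerName $Nodes -ArgumentList $PfxPath, $PfxPass -ScriptBlock {
    param($Path, $Pass)
    $cert = Import-PfxCertificate -FilePath $Path -Password $Pass `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'
    if (-not $cert.HasPrivateKey) {
        throw "Private key missing after import on $env:COMPUTERNAME"
    }
    [PSCustomObject]@{
        Node       = $env:COMPUTERNAME
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}
$Results | Format-Table Node, Thumbprint, NotAfter -AutoSize

# Refuse to bind unless every node reports the same certificate.
$Distinct = @($Results.Thumbprint | Sort-Object -Unique)
if ($Distinct.Count -ne 1) {
    throw "Thumbprint differs across nodes: $($Distinct -join ', ')"
}
$Thumb = $Distinct[0]

# Update the HTTPS binding on each node, then the farm-wide
# service-communications setting from the primary federation server.
Invoke-Command -ComputerName $Nodes -ArgumentList $Thumb -ScriptBlock {
    param($T)
    Set-AdfsSslCertificate -Thumbprint $T
    Restart-Service adfssrv
}
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumb

# Verify what the farm now presents on its HTTPS bindings.
Get-AdfsSslCertificate | Format-Table -AutoSize
```

Run it from the primary federation server with an account that is a local administrator on every node; `Set-AdfsCertificate` only succeeds on the primary.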