Token signing certificate - ok to install on local machine?

  • Question

  • Is there any harm in installing the token signing certificate on the ADFS Local Machine? The attached screenshot is what I see after clicking it from Certificates node in AD FS management GUI.

    Tuesday, May 22, 2018 9:14 PM

All replies

  • It looks like you're importing it WITHOUT the private key, which frankly is pointless. When I create a new ADFS farm I always create a separate ADFS SSL/Service Communication certificate, ADFS Token Signing certificate and ADFS Decrypting certificate using our internal CA/PKI infrastructure. Next, I export all three certificates WITH the private key, import them (allowing the private key to be exported) on each ADFS server in the farm, and assign the ADFS service account permissions to the private key. This way each ADFS server in the farm has all three certificates.
    Thursday, May 24, 2018 2:06 PM
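The procedure in the reply above (import the three PFX files with their private keys on each node, grant the service account access to the keys, then tell the farm which certificate is which), as an added PowerShell example that is not from the original thread. It assumes the PFX files already exist under C:\certs, that the service account is CONTOSO\svc-adfs, and that the farm manages its certificates manually; the private-key ACL step does on disk what "Manage Private Keys..." in certlm.msc does in the GUI.

```powershell
# Added example, not code from the original thread. Assumptions: three PFX files exported with
# their private keys, a service account named CONTOSO\svc-adfs, and a farm that manages its
# certificates manually (auto-rollover off). Run in an elevated session on each farm node.

$ServiceAccount = 'CONTOSO\svc-adfs'                          # assumption
$PfxPassword    = Read-Host -AsSecureString -Prompt 'PFX password'

function Import-AdfsPfx {
    param([string]$Path, [securestring]$Password)
    # -Exportable keeps the key exportable so the same PFX can be moved to the next farm node.
    Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\My `
                          -Exportable -Password $Password
}

function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Account)
    # Locate the key file and add a Read ACE for the service account. CNG keys (Software KSP)
    # live under Crypto\Keys; legacy CSP keys live under Crypto\RSA\MachineKeys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    } else {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                             $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $acl = Get-Acl -Path $keyFile
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')))
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Verbose "Granted Read on $keyFile to $Account"
}

# Assumed file names.
$signing = Import-AdfsPfx -Path 'C:\certs\adfs-token-signing.pfx'    -Password $PfxPassword
$decrypt = Import-AdfsPfx -Path 'C:\certs\adfs-token-decrypting.pfx' -Password $PfxPassword
$ssl     = Import-AdfsPfx -Path 'C:\certs\adfs-service-comm.pfx'     -Password $PfxPassword
foreach ($c in $signing, $decrypt, $ssl) { Grant-PrivateKeyRead -Cert $c -Account $ServiceAccount }

# HTTP.sys binding for the SSL certificate; this is per node, so run it everywhere.
Set-AdfsSslCertificate -Thumbprint $ssl.Thumbprint

# Everything below changes farm configuration, so run it once, on the primary node.
# (For a brand-new farm, pass the same three thumbprints to Install-AdfsFarm instead:
#  -CertificateThumbprint, -SigningCertificateThumbprint, -DecryptionCertificateThumbprint.)
Set-AdfsProperties -AutoCertificateRollover $false
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $ssl.Thumbprint

# Add signing/decrypting as secondary first so relying parties can pick the new keys up from
# federation metadata; promote with -IsPrimary only after they have. Promoting immediately
# breaks every partner that still trusts only the old key.
Add-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $signing.Thumbprint
Add-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $decrypt.Thumbprint
# Later, once partners have refreshed metadata:
# Set-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $signing.Thumbprint -IsPrimary
# Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $decrypt.Thumbprint -IsPrimary
Restart-Service adfssrv
```

The ACL on the key file is what actually lets the ADFS service sign tokens; a certificate imported without it (or without its private key at all, as the question's screenshot suggests) shows up in the store but cannot be used by the service.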
  • Is there any harm in installing the token signing certificate on the ADFS in the certificates node? Not really, but it's not doing anything there either :) 

    Not a big fan of using Internal CA/PKI infrastructure for issuing token signing certificates for a number of reasons:

    1. The CDP/AIA extensions are not relevant to the token signing discussion since they're not evaluated

    2. You expose your CA CDP/AIA endpoints in federation metadata

    3. Using a self-signed token signing certificate means that you can extend the certificate duration lifetimes of the token signing cert (via tools such as OpenSSL/Keytool etc.) and not be bound to the limitations of your CA, e.g. SHA-1, or the certificate template/lifetime of the Issuing CA

    If you're going down the token signing certificate route, always go the self-signed route unless your InfoSec guys go retro on you and insist on third-party certs or (worse) internal PKI ;)


    • Edited by Mylo Thursday, May 24, 2018 10:56 PM
    Thursday, May 24, 2018 10:56 PM
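The two checks behind points 2 and 3 in the reply above, as an added PowerShell example that is not from the original thread: first, pull every certificate out of the farm's published federation metadata and flag which ones carry CRL Distribution Point (CDP) and Authority Information Access (AIA) extensions, i.e. which ones leak internal PKI endpoints; second, mint a self-signed token-signing certificate with a lifetime a CA template would normally refuse and confirm it carries neither extension. The metadata URL and the subject name are assumptions.

```powershell
# Added example, not code from the original thread. The federation service name
# (sts.contoso.com) and the certificate subject are assumptions.

function Get-CertSigningProfile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CDP = OID 2.5.29.31, AIA = OID 1.3.6.1.5.5.7.1.1. Neither is evaluated for token signing,
    # but both are published to every partner that reads the federation metadata.
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $aia = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)
        HashAlgorithm = $Cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA vs sha1RSA
        NotAfter      = $Cert.NotAfter
        LifetimeYears = [math]::Round(($Cert.NotAfter - $Cert.NotBefore).TotalDays / 365.25, 1)
        PublishesCDP  = [bool]$cdp
        PublishesAIA  = [bool]$aia
        CdpAiaText    = (@($cdp) + @($aia) | Where-Object { $_ } |
                         ForEach-Object { $_.Format($false) }) -join '; '
    }
}

function Get-FederationMetadataCerts {
    param([string]$Uri)
    # Every <X509Certificate> element in the metadata, whatever namespace prefix it uses.
    $xml = [xml](Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content
    foreach ($node in $xml.SelectNodes('//*[local-name()="X509Certificate"]')) {
        $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
    }
}

# 1. What partners see: every certificate in the published metadata, with CDP/AIA flagged.
$metadataUri = 'https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'  # assumption
Get-FederationMetadataCerts -Uri $metadataUri |
    ForEach-Object { Get-CertSigningProfile -Cert $_ } |
    Format-List

# 2. A self-signed replacement: SHA-256, signature-only key usage, five-year lifetime, exportable
#    so it can be copied to the other farm nodes. The legacy CSP provider is chosen deliberately
#    because older AD FS versions do not accept CNG keys for the signing certificate.
$newSigning = New-SelfSignedCertificate -Subject 'CN=ADFS Signing - sts.contoso.com' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddYears(5) -KeyExportPolicy Exportable `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -CertStoreLocation Cert:\LocalMachine\My
Get-CertSigningProfile -Cert $newSigning   # PublishesCDP and PublishesAIA are both False
```

Running step 1 against a farm whose signing certificate came from an internal CA prints the CA's CRL and OCSP URLs verbatim, which is exactly the exposure point 2 describes; the self-signed certificate from step 2 prints nothing for CdpAiaText and can be rotated into the farm with Add-AdfsCertificate as a secondary before being promoted.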