ADFS: Requesting Public Certificate for Token Signing and Token Decrypting

Situation:

Corporate policy for the organization required public certificates for Token Signing and Token Decryption.

So when we decided to request the certificates from a public Certificate Authority, the challenge was creating a request file that would get us the right certificate, which took quite some time and research. To spare you that effort, I am sharing the steps we performed.

Steps

The process has three phases:

  1. First we create an inf file.
  2. Then, using that file, we create a request file.
  3. Then the request file is sent to a public Certificate Authority.

For step 1 we open Notepad and paste the content below (values such as the Subject must be changed to match your environment):

1. Create inf file

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=*.contoso.com" ; Remove to use an empty Subject name.
;Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
;If you are using another protocol, verify the certificate requirements.

Exportable = TRUE ; TRUE = Private key is exportable
KeyLength = 2048     ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1          ; Key Exchange - Required for encryption
KeyUsage = 0xA0      ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft Strong Cryptographic Provider"

RequestType = PKCS10 ; or CMC.

[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted

OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

Then save it with the extension .inf (for example ssl.inf).

2. Create Request file

For step 2 you create the request file "ssl.req" from the saved inf file "ssl.inf"; the command syntax is as follows:

certreq -new ssl.inf ssl.req

3. Send request to CA

For step 3, the request file can now be sent to any third-party Certificate Authority.

Once the certificates are issued, we need to add the token-signing and token-decrypting certificates in ADFS and set them as primary.


Restart ADFS and WAP

Finally, restart the ADFS service and the WAP server.

If the private key is missing from the certificate, run the repair store command:

certutil -repairstore my "<Thumbprint of the certificate>"
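The steps after the CA returns the certificate (binding it to the pending request, checking for the private key, making the certificates primary in ADFS and restarting the service) can be scripted. The following PowerShell is an added example and is not from the original post; it assumes the issued certificate was saved as C:\certs\ssl.cer and uses placeholder thumbprints that you must replace with your own.

```powershell
# Added example (not part of the original post). Assumes the issued
# certificate is at C:\certs\ssl.cer and that the two thumbprints below are
# replaced with the real values from your environment.
$IssuedCert        = 'C:\certs\ssl.cer'
$SigningThumbprint = '<THUMBPRINT-OF-TOKEN-SIGNING-CERT>'
$DecryptThumbprint = '<THUMBPRINT-OF-TOKEN-DECRYPTING-CERT>'

# 1. Complete the pending request created by "certreq -new ssl.inf ssl.req".
#    certreq -accept matches the issued certificate to the private key that
#    certreq -new generated in the machine store (MachineKeySet = True).
certreq -accept $IssuedCert

# 2. Confirm the private key is attached to the certificate in the
#    LocalMachine\My store; repair the store if it is not.
function Test-PrivateKeyPresent {
    param([string]$Thumbprint)
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    return [bool]$cert.HasPrivateKey
}

foreach ($tp in @($SigningThumbprint, $DecryptThumbprint)) {
    if (-not (Test-PrivateKeyPresent -Thumbprint $tp)) {
        Write-Warning "No private key for $tp; running certutil -repairstore"
        certutil -repairstore my $tp
        if (-not (Test-PrivateKeyPresent -Thumbprint $tp)) {
            throw "Private key still missing for $tp; the key pair was probably generated on another host"
        }
    }
}

# 3. Set-AdfsCertificate refuses custom certificates while automatic rollover
#    is enabled, so turn it off first (this is the manual-rollover downside).
Set-AdfsProperties -AutoCertificateRollover $false

# 4. Add each certificate as secondary, then promote it to primary.
Add-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $SigningThumbprint
Set-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $SigningThumbprint
Add-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $DecryptThumbprint
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $DecryptThumbprint

# 5. Restart the AD FS service so the new primary certificates take effect
#    (the WAP server is restarted separately, as described in the post).
Restart-Service adfssrv

# 6. Report what AD FS now treats as primary for each certificate type.
Get-AdfsCertificate -CertificateType Token-Signing, Token-Decrypting |
    Where-Object { $_.IsPrimary } |
    Select-Object CertificateType, Thumbprint, IsPrimary
```

Two practical caveats: the AD FS service account needs read access to the private key of each certificate, otherwise the service fails to start after the restart, and relying parties that do not refresh your federation metadata automatically must be given the new token-signing certificate before it is promoted to primary, or their token validation will break.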

NOTE: There is a downside to using public certificates for Token-Signing and Token-Decrypting: the certificate rollover process will not trigger automatically and requires manual intervention. Discussing the certificate rollover process is beyond the scope of this blog, so I may share some information on that in my next blog.

The above process can also be followed if you need to request the certificate from a standalone Certificate Authority.