Trusted root certification authorities for federation trusts

Applies to: Exchange Server 2013

To establish a federation trust between your Microsoft Exchange Server 2013 organization and the Azure Active Directory authentication system, you need a digital certificate installed on the Exchange server used to create the trust. We strongly recommend using a self-signed certificate. A self-signed certificate is created and installed automatically when using the Enable federation trust wizard in the Exchange admin center (EAC).

If you don't want to use the recommended self-signed certificate, you should request and install an X.509 Secure Sockets Layer (SSL) certificate from a certification authority (CA) trusted by Microsoft. Although certificates issued by other CAs may also be used to establish a federation trust with the Azure AD authentication system, they aren't certified by Microsoft to date.

The following table lists CAs currently trusted Microsoft. These CAs have been tested for use with Exchange 2013.

CA friendly name Issued by Intended purposes
Autoridade Certificadora Raiz Brasileira Autoridade Certificadora Raiz Brasileira Server authentication, client authentication
Comodo Comodo Certification Authority Server authentication, client authentication
CyberTrust Baltimore CyberTrust Root Certificate Authority Server authentication, client authentication
Digicert Digicert Global Root Certification Authority Server authentication, client authentication
Digicert High Assurance EV Digicert Global Root Certification Authority Server authentication, client authentication
Entrust Entrust.net Secure Server Certification Authority Server authentication, client authentication
Entrust (2048) Entrust.net Secure Server Certification Authority Server authentication, client authentication
Equifax Equifax Secure Certification Authority Server authentication, client authentication
GlobalSign GlobalSign Certification Authority Server authentication, client authentication
Go Daddy Go Daddy Class 2 Certification Authority Server authentication, client authentication
Network Solutions Network Solutions Certification Authority Server authentication, client authentication
PositiveSSL Comodo Certification Authority Server authentication, client authentication
SECOM SECOM Trust Systems Certification Authority Server authentication, client authentication
UTN-UserFirst-Hardware Comodo Certification Authority Server authentication, client authentication
VeriSign Class 3 Public Primary Certification Authority Server authentication, client authentication
VeriSign VeriSign Trust Network Server authentication, client authentication

For more information about certificate requirements for Federation, see Federation.