Step 2: Enroll an SSL Certificate for AD FS
Updated: June 24, 2013
Applies To: Windows Server 2012 R2
Active Directory Federation Services (AD FS) requires a certificate for SSL server authentication on each federation server in your federation server farm. The same certificate can be used on each federation server in a farm. You must have both the certificate and its private key available. For example, if you have the certificate and its private key in a .pfx file, you will be able to import the file directly into the Active Directory Federation Services Configuration Wizard. This SSL certificate must contain the following:
Subject name or subject alternative name must contain your federation service name, such as fs.contoso.com
Subject name or subject alternative name must contain the value enterpriseregistration followed by the UPN suffix of your organization, for example, enterpriseregistration.corp.contoso.com
Warning
Specify the subject alternative name if you plan to enable the Device Registration Service (DRS) for Workplace Join.
Important
If your organization uses multiple UPN suffixes, the SSL certificate must contain a subject alternative name entry for each suffix.
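The following is an added example (not part of this Microsoft page) that checks a certificate's subject and SAN names against the requirements above: the federation service name plus one enterpriseregistration entry per UPN suffix. It assumes the DNS names have already been extracted from the certificate (for example with certutil -dump or openssl x509 -text), and it applies the usual single-label wildcard rule, which is why a *.contoso.com certificate does not satisfy enterpriseregistration.corp.contoso.com.

```python
"""Check an AD FS SSL certificate's names against the requirements on this page.

Added example, not from the page. The name list below is constructed sample input;
in practice it comes from the certificate's subject CN and SAN extension.
"""


def required_names(federation_service_name, upn_suffixes):
    """Names the AD FS SSL certificate must cover: the federation service name
    plus 'enterpriseregistration.<suffix>' for every UPN suffix in use."""
    names = {federation_service_name.lower()}
    names.update(f"enterpriseregistration.{s.lower()}" for s in upn_suffixes)
    return names


def name_matches(cert_name, required):
    """Case-insensitive exact match, or a left-most '*' that covers exactly one
    label: '*.contoso.com' covers 'fs.contoso.com' but not
    'enterpriseregistration.corp.contoso.com'."""
    cert_name = cert_name.lower()
    if cert_name == required:
        return True
    if cert_name.startswith("*."):
        parent = cert_name[2:]
        head, sep, rest = required.partition(".")
        return sep != "" and head != "" and rest == parent
    return False


def missing_names(cert_names, federation_service_name, upn_suffixes):
    """Return the required names not covered by any subject/SAN entry, sorted."""
    return sorted(
        req
        for req in required_names(federation_service_name, upn_suffixes)
        if not any(name_matches(n, req) for n in cert_names)
    )


# Constructed sample: a wildcard certificate plus one explicit SAN entry, checked
# for an organization that uses two UPN suffixes.
SAMPLE_CERT_NAMES = ["*.contoso.com", "enterpriseregistration.contoso.com"]
SAMPLE_SUFFIXES = ["contoso.com", "corp.contoso.com"]

if __name__ == "__main__":
    gaps = missing_names(SAMPLE_CERT_NAMES, "fs.contoso.com", SAMPLE_SUFFIXES)
    print("missing SAN entries:", gaps or "none")
```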