Trusted Root Certification Authorities for Federation Trusts

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

To establish a federation trust between your Microsoft Exchange Server 2010 organization and the Microsoft Federation Gateway, you need a digital certificate installed on the Exchange server used to create the trust. We recommend using a self-signed certificate. A self-signed certificate is created and installed automatically when using the New Federation Trust wizard in the Exchange Management Console (EMC).

If you don't want to use the recommended self-signed certificate, you should request and install an X.509 Secure Sockets Layer (SSL) certificate from a certification authority (CA) trusted by Windows Live. Although certificates issued by other CAs may also be used to establish a federation trust with the Microsoft Federation Gateway, they aren't certified by Microsoft to date.

The following table lists CAs currently trusted by Windows Live. These CAs have been tested for use with Exchange 2010.

CA friendly name	Issued by	Intended purposes
Comodo	Comodo Certification Authority	Server authentication, client authentication
Digicert	Digicert Global Root Certification Authority	‎Server authentication, client authentication
Digicert High Assurance EV	Digicert Global Root Certification Authority	‎Server authentication, client authentication
Entrust	Entrust.net Secure Server Certification Authority	Server authentication, client authentication
Entrust (2048)	Entrust.net Secure Server Certification Authority	Server authentication, client authentication
Equifax	Equifax Secure Certification Authority	‎‎Server authentication, client authentication
GlobalSign	GlobalSign Certification Authority	‎Server authentication, client authentication
Go Daddy	Go Daddy Class 2 Certification Authority	‎Server authentication, client authentication
Network Solutions	Network Solutions Certification Authority	Server authentication, client authentication
PositiveSSL	Comodo Certification Authority	‎Server authentication, client authentication
UTN-UserFirst-Hardware	Comodo Certification Authority	Server authentication, client authentication
VeriSign	Class 3 Public Primary Certification Authority	Server authentication, client authentication
VeriSign	VeriSign Trust Network	‎Server authentication, client authentication

Are you successfully using a certificate for Federation with Exchange 2010 that isn't on this list? If so, you can assist in the CA verification process. Simply click Click to Rate and Give Feedback at the top of this topic and include the CA name and thumbprint information.

For more information about certificate requirements for Federation, see Understanding Federation.

 © 2010 Microsoft Corporation. All rights reserved.