Microsoft AD FS: Create CSR and Install SSL Certificate (IIS 8)

These instructions are for Microsoft Active Directory Federation Services 2.0 on a Windows Server 2012/2012 R2.

Microsoft Active Directory Federation Services (AD FS) doesn’t include an easy GUI for creating a certificate signing request (CSR) and installing your SSL Certificate. Because Microsoft Active Directory Federation Services (AD FS) is designed to run on Microsoft IIS, you can use IIS 8/8.5 to create your CSR, and install your SSL Certificate in the Personal Store.

Next, use the Microsoft Management Console (MMC) to export the SSL Certificate as a .pfx file and then import that .pfx file into the AD FS Personal Store. Finally, use the AD FS Management Console to assign the SSL Certificate to the AD FS service.

Use the instructions on this page to create your certificate signing request (CSR) and then to install your SSL Certificate.

  1. To create your CSR, see Microsoft AD FS: Using IIS to Create Your CSR (Certificate Signing Request).

  2. To install your SSL Certificate, see Microsoft AD FS: Using IIS, MMC, and AD FS to Install Your SSL Certificate.

For a simple way to create a CSR and install your SSL Certificate that works on any Microsoft server platform, you can use the DigiCert® Certificate Utility for Windows. See Microsoft AD FS: Create CSR and Install SSL Certificate (DigiCert Utility). For more information about this utility, see DigiCert® Certificate Utility for Windows.


1. Microsoft AD FS: Using IIS to Create Your CSR (Certificate Signing Request)

Microsoft Active Directory Federation Services (AD FS) doesn’t include a GUI for creating a CSR. Because AD FS is designed to run on Microsoft IIS, you can use IIS 8/8.5 to create your CSR.

AD FS: How to Create a CSR Using IIS 8/8.5

These instructions are for Microsoft Active Directory Federation Services 2.0 on a Windows Server 2012/2012 R2.

  1. On your Windows 2012/2012R2 AD FS server, open Internet Information Services (IIS) Manager.

    From the Windows Start screen, type and click Internet Information Services (IIS) Manager.

  2. In Internet Information Services (IIS) Manager, under Connections, select your server’s Hostname.

    IIS 8/8.5 Internet Information Services (IIS) Manager

  3. In the center menu, in the IIS section, double-click the Server Certificates icon.

  4. In the Actions menu, click Create Certificate Request to open the Request Certificate wizard.

    IIS 8/8.5 Internet Information Services (IIS) Manager - Server Certificates

  5. In the Request Certificate wizard, on the Distinguished Name Properties page, enter the following information and then, click Next:

    Common name: Enter the name to be used to access the certificate.
    Make sure that the common name matches the name that clients will use to access the AD FS protected website.
    Organization: Enter the legally registered name of your organization/company.
    Organizational Unit: Enter the name of your department within the organization. For example, you can enter IT or Web Security.
    You can also leave the text box blank.
    City/locality: Enter the city in which your organization/company is located.
    State/province: Enter the state/province in which your organization/company is located.
    Country/region: Type or select your two-digit country code from the drop-down list.
    If necessary, you can find your two-digit country code in our SSL Certificate Country Codes list.

    IIS 8/8.5 Internet Information Services (IIS) Manager - Certificate Import wizard - Distinguished Name Properties

  6. On the Cryptographic Service Provider Properties page, enter the following information and then, click Next:

    Cryptographic service provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider,
    unless you have a specific cryptographic provider.
    Bit length: In the drop-down list, select 2048.

    IIS 8/8.5 Internet Information Services (IIS) Manager - Certificate Import wizard - Cryptographic Service Provider Properties

  7. On the File Name page, click to browse to a location where you want to save the CSR file, enter the filename, and then, click Open. Make sure to note the filename and the location where you saved your CSR file.

    Note:    If you only enter the filename without selecting a location, your CSR file is saved to the following location: C:\Windows\System32.

    IIS 8/8.5 Internet Information Services (IIS) Manager - Certificate Import wizard - File Name

  8. Click Finish.

  9. Use a text editor to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.

    Note:    During your DigiCert SSL Certificate ordering process, make sure that you select Microsoft IIS 8 when asked to Select Server Software. This option ensures that you receive all the required certificates for Microsoft Active Directory Federation Services SSL Certificate installation (Intermediate and SSL Certificates).

  10. After you receive your SSL Certificate from DigiCert, you can install it.
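The same CSR can be produced without the IIS wizard. The script below is an added example, not part of the original article: it writes a certreq INF file carrying the same Distinguished Name fields, cryptographic provider, key length and key-storage settings the wizard asks for, then generates the request from an elevated PowerShell prompt. The subject values and file paths are constructed placeholders.

```powershell
# Added example (not from the original article): build the CSR the IIS
# "Create Certificate Request" wizard would produce, using the built-in
# certreq.exe from an elevated PowerShell session.
# Subject values below are constructed placeholders; use your own details.

$commonName = 'adfs.example.com'   # must match the name clients use to reach AD FS
$inf = @"
[NewRequest]
Subject = "CN=$commonName, O=Example Corp, OU=IT, L=Lehi, S=Utah, C=US"
; Friendly name as recommended in the install section: site-issuer-expiry
FriendlyName = "adfs-DigiCert-placeholderExpiry"
; Cryptographic Service Provider Properties page of the wizard
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
; Key belongs to the computer so IIS and the AD FS service can use it,
; and stays exportable because the install section exports it to a .pfx
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
"@

# Explicit output paths, so the CSR does not land in C:\Windows\System32
$workDir = Join-Path $env:USERPROFILE 'Desktop'
$infPath = Join-Path $workDir 'adfs-request.inf'
$csrPath = Join-Path $workDir 'adfs-request.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the computer's store and write the PKCS #10 request
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# The file content, including the BEGIN/END lines, is what goes into the order form
Get-Content -Path $csrPath

# Once the CA returns your_domain_name.cer, this pairs the issued certificate with
# the pending key (the command-line equivalent of IIS's Complete Certificate Request):
# & certreq.exe -accept (Join-Path $workDir 'your_domain_name.cer')
```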



2. Microsoft AD FS: Using IIS, MMC, and AD FS to Install Your SSL Certificate

If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see Microsoft AD FS: Using IIS to Create Your CSR (Certificate Signing Request).

These instructions are for Microsoft Active Directory Federation Services 2.0 on a Windows Server 2012/2012 R2.

Microsoft AD FS: How to Install Your SSL Certificate

The installation process consists of the following steps:

  1. Use IIS to install the certificate on your Windows Server 2012 AD FS server.

    Using IIS 8/8.5 to Install the SSL Certificate on Your AD FS Server.

  2. Use Microsoft Management Console (MMC) to export the certificate as a .pfx file.

    Using the MMC to Export the SSL Certificate as a .pfx File

  3. Use the MMC to import the SSL Certificate .pfx file into the AD FS Personal Store.

    Using the MMC to Import the SSL Certificate .pfx File into the AD FS Personal Store.

  4. Use the AD FS Console to assign the SSL Certificate to the AD FS service.

    Using the AD FS Console to Assign the SSL Certificate to the AD FS Service

  5. Use PowerShell to tell AD FS service to use the SSL Certificate.

    Using PowerShell to Enable Your SSL Certificate


i. Using IIS 8/8.5 to Install the SSL Certificate on Your AD FS Server

After DigiCert validates and issues your SSL Certificate, you can use IIS to install your SSL Certificate on the server where you generated the CSR.

  1. On your Windows 2012/2012R2 AD FS server where you created the CSR, open the ZIP file containing your SSL Certificate and save the SSL Certificate file (e.g., your_domain_name.cer) to the desktop.

  2. Open Internet Information Services (IIS) Manager.

    From the Windows Start screen, type and click Internet Information Services (IIS) Manager.

  3. In Internet Information Services (IIS) Manager, under Connections, select your server’s Hostname.

    IIS 8/8.5 Internet Information Services (IIS) Manager

  4. In the center menu, in the IIS section, double-click the Server Certificates icon.

  5. In the Actions menu, click Complete Certificate Request to open the Complete Request Certificate wizard.

    IIS 8/8.5 Internet Information Services (IIS) Manager - Server Certificates

  6. In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, under File name containing the certification authority’s response, click ... to browse to the .cer certificate file that DigiCert sent you, select the file, and then click Open.

    IIS 8/8.5 Internet Information Services (IIS) Manager - Complete Certificate Request - Specify Certificate Authority Response

  7. Next, in the Friendly name box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.

    We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-DigiCert-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.

  8. Next, in the Select a certificate store for the new certificate drop-down list, select Personal.

  9. To install the SSL Certificate on the server, click OK.

    Now that you have successfully installed the SSL Certificate on the server, use the Microsoft Management Console (MMC) to export the certificate as a .pfx file.


ii. Using the MMC to Export the SSL Certificate as a .pfx File

  1. On your Windows 2012/2012R2 AD FS server, open the Microsoft Management Console (MMC) as an admin.

    1. From the Windows Start screen, type mmc.exe.

    2. Right-click on mmc.exe.

    3. In the menu at the bottom of the screen, click Run as administrator.

  2. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  3. In the MMC Console, in the menu at the top of the page, click File > Add/Remove Snap-in.

    MMC Console

  4. In the Add or Remove Snap-ins window, under Available snap-ins (left side), click Certificates and then, click Add.

    MMC Console - Add or Remove Snap-ins

  5. In the Certificates snap-in window, select Computer account and then, click Next.

    MMC Console - Certificates snap-in

  6. In the Select Computer window, select Local computer: (computer this console is running on), and then, click Finish.

    MMC Console - Select Computer

  7. In the Add or Remove Snap-ins window, click OK.

  8. In the MMC Console, in the console tree, expand Certificates (Local Computer) > Personal, and then, click Certificates.

    MMC Console

  9. In the center section, right-click on your newly installed SSL Certificate and then, click All Tasks > Export to open the Certificate Export Wizard.

  10. In the Certificate Export Wizard, on the Welcome to the Certificate Export Wizard page, click Next.

  11. On the Export Private Key page, select Yes, export the private key, and then, click Next.

    MMC Console - Certificate Export Wizard - Export Private Key

  12. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), check Include all certificates in the certification path if possible and Export all extended properties, and then, click Next.

    Warning:    Do not check Delete the private key if the export is successful.

    MMC Console - Certificate Export Wizard - Export File Format

  13. On the Security page, check Password, enter and confirm your password, and then, click Next.

    MMC Console - Certificate Export Wizard - Security

  14. On the File to Export page, click Browse and browse to and select where you want to save the certificate .pfx file, name the file, and then, click Save.

    Make sure to note the filename and the location where you saved your file.
    If you only enter the filename without selecting a location, your file is saved to the following location: C:\Windows\System32.

    MMC Console - Certificate Export Wizard - File to Export

  15. On the File to Export page, click Next.

  16. On the Completing the Certificate Export Wizard page, verify that the settings are correct and then, click Finish.

    MMC Console - Certificate Export Wizard - Completing the Certificate Export Wizard

  17. You should receive a "The export was successful" message.

    Now that you have successfully exported the SSL Certificate as a .pfx file, use the Microsoft Management Console (MMC) to import the SSL Certificate into the AD FS Personal Store.


iii. Using the MMC to Import the SSL Certificate .pfx File into the AD FS Personal Store

  1. In the MMC Console, in the menu at the top, click File > Add/Remove Snap-in.

    MMC Console

  2. In the Add or Remove Snap-ins window, under Available snap-ins (left side), click Certificates and then, click Add.

    MMC Console - Add or Remove Snap-ins

  3. In the Certificates snap-in window, select Service account and then, click Next.

    MMC Console - Certificates snap-in

  4. In the Select Computer window, select Local computer: (computer this console is running on), and then, click Next.

    MMC Console - Select Computer

  5. In the Certificate snap-in window, select AD FS Windows Service and then, click Finish.

    MMC Console - Certificate snap-in

  6. In the Add or Remove Snap-ins window, click OK.

  7. In the MMC Console, in the console tree, expand Certificates - Service (AD FS Windows Service) > Personal, and then, click Certificates.

    MMC Console

  8. Right-click on the center section and then click All Tasks > Import to open the Certificate Import Wizard.

  9. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.

  10. On the File to Import page, click Browse to browse to the SSL Certificate .pfx file that you exported earlier, select the file, and then, click Open.

    MMC Console - Certificate Import Wizard - File to Import

  11. On the File to Import page, click Next.

  12. On the Private key protection page, do the following and then, click Next:

    • In the Password box, enter the password you created to export your SSL Certificate as a .pfx file.

    • Check Mark this key as exportable.

    • Check Include all extended properties.

    MMC Console - Certificate Import Wizard - Private key protection

  13. On the Certificate Store page, make sure that Place all certificates in the following store is selected and the Certificate store box is populated with the Personal store, and then, click Next:

    MMC Console - Certificate Import Wizard - Certificate Store

  14. On the Completing the Certificate Import Wizard page, verify that the settings are correct and then, click Finish.

    MMC Console - Certificate Import Wizard - Completing the Certificate Import Wizard

  15. You should receive a "The import was successful" message.

    Now that you have successfully imported the SSL Certificate .pfx file into the AD FS Personal Store, use the AD FS Management Console to assign the SSL Certificate to the AD FS service.


iv. Using the AD FS Management Console to Assign the SSL Certificate to the AD FS Service

  1. On your Windows 2012/2012R2 AD FS server, open the AD FS Management Console as an admin.

    1. From the Windows Start screen, type ad fs management.

    2. Right-click on AD FS Management.

    3. In the menu at the bottom of the screen, click Run as administrator.

  2. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  3. In the AD FS Console window, in the console tree, expand Services, right-click on the Certificates folder, and select Set Service Communications Certificate.

    AD FS Management Console

  4. Now, in the Windows Security window, select the new SSL Certificate that you just imported into the AD FS Personal Store in the previous section and then, click OK.

  5. In the AD FS Management window, a private key warning reminds you that the selected certificate’s private key must be accessible.

    This is a reminder that you need to ensure that the private key was correctly associated with your SSL Certificate during the installation process.

  6. Click OK.

    Your SSL Certificate should be successfully assigned to the AD FS Service.


v. Using PowerShell to Enable Your SSL Certificate

If you are renewing a certificate, or if you have more than one certificate in the AD FS Personal Store, you need to tell the AD FS service which certificate to use. If you don’t, the AD FS service may pick the wrong or an expired certificate.

  1. On your Windows 2012/2012R2 AD FS server, open the AD FS Management Console as an admin.

    1. From the Windows Start screen, type ad fs management.

    2. Right-click on AD FS Management.

    3. In the menu at the bottom of the screen, click Run as administrator.

    4. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  2. In the AD FS Console window, in the console tree, expand Services, right-click on the Certificates folder, and select Set Service Communications Certificate.

    AD FS Management Console

  3. This time in the Windows Security window, select the new SSL Certificate that you just assigned to the AD FS Service in the previous section and then, click Click here to view certificate properties.

  4. In the Certificate window, on the Details tab, in the Show drop-down list, select Properties Only.

  5. In the list below, select Thumbprint.

  6. In the box below the list, copy the thumbprint.

  7. In a text editor, such as Notepad, paste the thumbprint and then remove all the spaces from the beginning, end and middle of the thumbprint string.

  8. On your AD FS server, open Windows PowerShell as an admin.

    1. From the Windows Start screen, type Windows PowerShell.

    2. Right-click on Windows PowerShell.

    3. In the menu at the bottom of the screen, click Run as administrator.

    4. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  9. In the Administrator: Windows PowerShell window, run the following command, replacing the placeholder with the thumbprint you copied (the parameter name uses a plain hyphen):

    Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx

  10. Restart the AD FS Service.

  11. To confirm that the certificate is enabled, in PowerShell (run as administrator), run the following command. It takes no parameters; check that the CertificateHash it lists for each binding matches the thumbprint of your new certificate:

    Get-AdfsSslCertificate

  12. Your SSL Certificate should now be enabled.
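The steps above, carried out as one checked script: an added example, not part of the original article. It assumes AD FS on Windows Server 2012 R2 (the Adfs PowerShell module with Set-AdfsSslCertificate), that the certificate has already been installed and imported as described in sections i to iii, and an elevated PowerShell session; the thumbprint value is a constructed placeholder.

```powershell
# Added example (not from the original article): clean the pasted thumbprint,
# check the certificate before touching the service, bind it to AD FS and
# verify the result. Run in an elevated PowerShell session on the AD FS server.

# Thumbprint as pasted from the MMC certificate dialog (constructed placeholder;
# replace with your own value).
$raw = '1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09 1a 2b 3c 4d'

# Step 7: remove the spaces. The dialog also prefixes an invisible left-to-right
# mark (U+200E) that survives copy/paste, so strip everything that is not hex.
$thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) {
    throw "Thumbprint should be 40 hex characters, got $($thumb.Length)."
}

# Sanity checks: the certificate must exist in the computer's Personal store,
# carry its private key (the warning in section iv) and not be expired.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key; re-import the .pfx." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumb expired on $($cert.NotAfter)." }
Write-Host "Using $($cert.Subject), expires $($cert.NotAfter)"

# Steps 9 and 10: bind the certificate and restart AD FS so the binding takes effect.
Set-AdfsSslCertificate -Thumbprint $thumb
Restart-Service -Name adfssrv

# Step 11: every SSL binding should now report the new certificate hash.
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $thumb }
if ($stale) {
    $stale | Format-Table HostName, PortNumber, CertificateHash
    throw "Some AD FS SSL bindings still use a different certificate."
}

# The service communications certificate assigned in section iv should match as well.
$svc = Get-AdfsCertificate -CertificateType Service-Communications
if ($svc.Thumbprint -ne $thumb) {
    Write-Warning "Service communications certificate is $($svc.Thumbprint), not $thumb; repeat section iv."
}
Write-Host "AD FS SSL certificate is now $thumb"
```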

Test Your Installation

If your website is publicly accessible, our DigiCert® SSL Installation Diagnostics Tool can help you diagnose common problems.