Microsoft AD FS SSL installation Instructions
Active Directory Federation Service (AD FS) enables Federated Identity and Access Management by securely sharing digital identity and entitlement rights across security and enterprise boundaries. AD FS extends the single sign-on functionality that is available within a single security or enterprise boundary to Internet-facing applications, giving customers, partners, and suppliers a streamlined user experience while accessing an organization's web-based applications.
SSL Installation steps:
a. Using the DigiCert Certificate Utility to Import the SSL Certificate to Your AD FS Server
After we validate and issue your SSL Certificate, you can use the DigiCert® Certificate Utility for Windows to import the file to your Microsoft Active Directory Federation Services server.
- On your Windows 2012/2012R2 AD FS server where you created the CSR, open the ZIP file containing your SSL Certificate and save the SSL Certificate file (e.g. your_domain_name.cer).
- Run the DigiCert® Certificate Utility for Windows. Double-click DigiCertUtil.
- In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then, click Import.
- In the Certificate Import wizard, click Browse to browse to the .cer (e.g. your_domain_com.cer) certificate file that DigiCert sent you, select the file, click Open, and then, click Next.
- In the Enter a new friendly name or you can accept the default box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate. We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-DigiCert-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
- To import the SSL Certificate to your server, click Finish. Now that you have successfully imported the SSL Certificate to the server, use the DigiCert Certificate Utility to export the certificate as a .pfx file.
b. Using the DigiCert Certificate Utility to Export the SSL Certificate as a .pfx File
- Run the DigiCert® Certificate Utility for Windows. Double-click DigiCertUtil.
- In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the SSL Certificate that you want to export, and then, click Export Certificate.
- In the Certificate Export wizard, select Yes, export the private key, select pfx file, check Include all certificates in the certification path if possible, and then, click Next.
- In the Password and Confirm Password boxes, enter and confirm your password, and then, click Next. Note: This password is required whenever you import the .pfx file onto another Windows server or onto any other server or device that accepts a .pfx file.
- In the File name box, click … to browse for and select the location and file name where you want to save the .pfx file, and then, click Finish.
- After you receive the “Your certificate and key have been successfully exported” message, click OK.
Now that you have successfully exported the SSL Certificate as a .pfx file, use the Microsoft Management Console (MMC) to import the SSL Certificate into the AD FS Personal Store.
c. Using the MMC to Import the SSL Certificate .pfx File into the AD FS Personal Store
- On your Windows 2012/2012R2 AD FS server, open the Microsoft Management Console (MMC) as an admin.
- From the Windows Start screen, type mmc.exe.
- Right-click on mmc.exe.
- In the menu at the bottom of the screen, click Run as administrator.
- In the User Account Control window, click Yes to allow the program to make changes to the computer.
- In the MMC Console, in the menu at the top, click File > Add/Remove Snap-in.
- In the Add or Remove Snap-ins window, under Available snap-ins (left side), click Certificates and then, click Add.
- In the Certificates snap-in window, select Service account and then, click Next.
- In the Select Computer window, select Local computer: (computer this console is running on), and then, click Next.
- In the Certificate snap-in window, select AD FS Windows Service and then, click Finish.
- In the Add or Remove Snap-ins window, click OK.
- In the MMC Console, in the console tree, expand Certificates – Service (AD FS Windows Service) > Personal, and then, click Certificates.
- Right-click on the center section and then click All Tasks > Import to open the Certificate Import Wizard.
- In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.
- On the File to Import page, click Browse to browse to the SSL Certificate .pfx file that you exported earlier, select the file, and then, click Open.
- On the File to Import page, click Next.
- On the Private key protection page, do the following and then, click Next:
1. In the Password box, enter the password you created to export your SSL Certificate as a .pfx file.
2. Check Mark this key as exportable.
3. Check Include all extended properties.
- On the Certificate Store page, make sure that Place all certificates in the following store is selected and the Certificate store box is populated with the Personal store, and then, click Next.
- On the Completing the Certificate Import Wizard page, verify that the settings are correct and then, click Finish.
- You should receive “The import was successful” message. Now that you have successfully imported the SSL Certificate .pfx file into the AD FS Personal Store, use the AD FS management console to assign the SSL Certificate to the AD FS service.
d. Using the AD FS Management Console to Assign the SSL Certificate to the AD FS Service
- On your Windows 2012/2012R2 AD FS server, open the AD FS management console as an admin.
1. From the Windows Start screen, type ad fs management.
2. Right-click on AD FS Management.
3. In the menu at the bottom of the screen, click Run as administrator.
4. In the User Account Control window, click Yes to allow the program to make changes to the computer.
- In the AD FS Console window, in the console tree, expand Services, right-click on the Certificates folder, and select Set Service Communications Certificate.
- Now, in the Windows Security window, select the new SSL Certificate that you just imported into the AD FS Personal Store in the previous section and then, click OK.
- In the AD FS Management window, a private key warning reminds you that the selected certificate’s private key must be accessible. This is a reminder that you need to ensure that the private key was correctly associated with your SSL Certificate during the installation process.
- Click OK. Your SSL Certificate should be successfully assigned to the AD FS Service.
e. Using PowerShell to Enable Your SSL Certificate
If you are renewing a certificate, or if you have more than one certificate in the AD FS Personal Store, you need to tell the AD FS service which certificate to use. If you don’t, AD FS service may pick the wrong or expired certificate.
- On your Windows 2012/2012R2 AD FS server, run the DigiCert® Certificate Utility for Windows. Double-click DigiCertUtil.
- In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), right-click on the SSL Certificate that you just assigned to the AD FS Service in the previous section, and then click Copy thumbprint to clipboard.
- In a text editor, such as Notepad, paste the thumbprint.
- On your AD FS server, open Windows PowerShell as an admin.
1. From the Windows Start screen, type Windows PowerShell.
2. Right-click on Windows PowerShell.
3. In the menu at the bottom of the screen, click Run as administrator.
4. In the User Account Control window, click Yes to allow the program to make changes to the computer.
- In the Administrator: Windows PowerShell window, run the following command, replacing the placeholder with the thumbprint you pasted into Notepad: Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx
- Restart the AD FS Service.
- To confirm that the certificate is enabled, in PowerShell (run as administrator), run Get-AdfsSslCertificate (the cmdlet takes no thumbprint parameter) and check that the CertificateHash shown for each HostName and PortNumber matches the thumbprint of the new SSL Certificate.
- Your SSL Certificate should now be enabled.
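The PowerShell steps above, carried out with the checks an administrator would want before and after the change. This is an added example, not part of the DigiCert article; it assumes an AD FS 2012 R2 primary federation server with the ADFS module, an elevated session, the service name adfssrv, and the certificate imported into the LocalMachine\My store. Replace the placeholder thumbprint with the value copied from the DigiCert utility.

```powershell
# Added example (not from the DigiCert article). Assumptions: AD FS 2012 R2,
# elevated PowerShell on the primary federation server, certificate present in
# Cert:\LocalMachine\My, AD FS service name adfssrv.
param([string]$RawThumbprint = 'xxxxthumbprintofthenewsslcertxxxxx')

Import-Module ADFS -ErrorAction Stop

# Strip spaces and any hidden characters that come along when a thumbprint is
# copied from a GUI, then require a 40-character SHA-1 hex string.
$thumbprint = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) {
    throw "'$RawThumbprint' is not a 40-hex-character SHA-1 thumbprint."
}

# The certificate must be in the machine store with an accessible private key
# and inside its validity period, otherwise AD FS cannot bind to it.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "No certificate with thumbprint $thumbprint in Cert:\LocalMachine\My."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key; re-import the .pfx with its key."
}
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $thumbprint is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Bind the certificate to the AD FS HTTPS endpoints and restart the service.
Set-AdfsSslCertificate -Thumbprint $thumbprint
Restart-Service -Name adfssrv -Force

# Verify: every binding reported by Get-AdfsSslCertificate must carry the new hash.
$bindings = Get-AdfsSslCertificate
$stale = $bindings | Where-Object { $_.CertificateHash -ne $thumbprint }
if ($stale) {
    $stale | Format-Table HostName, PortNumber, CertificateHash
    throw 'One or more AD FS SSL bindings still reference a different certificate.'
}
$bindings | Format-Table HostName, PortNumber, CertificateHash
"AD FS is now serving $($cert.Subject), valid until $($cert.NotAfter)."
```

Save the script and run it as .\Set-AdfsSsl.ps1 -RawThumbprint '<thumbprint>'; a thrown error before Set-AdfsSslCertificate means nothing was changed, so the existing binding stays in place.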
We hope this article helped you with this easy process. If you are unable to use these instructions, we recommend that you contact either the vendor of your software or the hosting organization that supports it.