This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 10%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
So I am attempting to test a huge connection of my azure AD to my Local AD but I need an ADFS in my environment for Federated logins from AzureI am attempting to deploy one but it's asking for an SSL cert
I need support importing an SSL cert into my adfs
I own my domain name.
I can create a csr but there are no public facing CA's to push my request to.
My Domain is hosted inside of google.
Where do i go from here? I added the domain as Verified in Azure.
Solution: Self Signed my own Cert with my AD DC.
Thanks guys!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Agolphin , It would be great if you can mark the answer or upvote the ideas that you liked and those helped you in formulating the action plan, so that it helps others in the community too.
@Agolphin , The SSL certificate is termed as the Service Communication Certificate in ADFS and to set a Service Communication Certificate on ADFS, it needs to meet the following requirements:
Once you have the SSL issued to you fulfilling the above mentioned requirements, you are all set to update this SSL certificate as the Service Communication Certificate on the ADFS 2016 server, following the steps mentioned in this article.
If its a new deployment of ADFS 2016 farm, please follow the steps mentioned in this article.
Hope this helps.
---------------------------------------------------------------------------------------------------------------------------------------
Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!
I understand that part. I need to generate the SSL cert but ADFS and Microsoft's documentation specifically ask for a Public CA to sign it. My Issue is the Public CA. Let's encrypt is very convoluted.
Google doesn't have a public facing CA even though my domain is in google domains.
How would i get a CA to sign my CSR request? Or do I just sign it with my Local Domain controller?
@Agolphin , A SSL cert signed/issued by a Public CA is recommended in case of ADFS, is because, based on this certificate, the secure connection to ADFS server is made from any machine over the Internet. Hence the machine who is trying to connect to this ADFS server over SSL, should be able to validate the issuer of that certificate and also the root of that certificate. Thus the requirement of a public signed CA cert comes here.Once you create the CSR, you can also consider vendors like Digicert, VeriSign, Komodo and Thwat.
So theoretically speaking, I don't need a Public CA to sign my cert.
I COULD sign my cert with my ADDC, set him as the Root CA, create a cert with it as a Root CA and Import that Cert on all the machines I would connect to my domain with?
@Agolphin , Thats correct. You can surely use a certificate that is issued by your domain's CA server. Only overhead is that you will have to make that Root Cert of that CA server available to all the machines around the world from where the ADFS server would be accessed.
Hope this helps.
---------------------------------------------------------------------------------------------------------------------------------------
Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!
This helps me alot as I know how to sign my own SSL Cert.
I will use the documentation to test my infrastructure.
When you say make the Root CA available, if all of my machines are local and joined to the local domain, then I set a policy to install a root CA cert on the machine with group policy,
this should allow them to trust the SSL cert that will be installed after and contact the ADFS for federation since DC> AFDS. ADFS will make the request and my DC will sign it.
So when I link it to my Azure AD for Federation there, do I need to import the Azure AD Cert?
Yes, you are right. You can technically use self-signed certificate, but it's not recommended for production deployments. For testing/lab it's ok, I had self-signed certificate in my lab as well and just imported the CA root cert to my trusted root certs on my computer.
So if my computers dont leave the building I'm great?
Yes you are :-)
Last question.
Where do I get the CA root Cert or how do I generate one from my ADDC.
I'm using OpenSSL to sign my cert request from my adfs but I never understood their positions in my certificate store.
Nevermind. I set my ADDC as a CA and Signed my own Request from my ADFS.
I got this guys.