
Agolphin-8124 asked:

Import SSL into ADFS for linking Azure AD to Local AD.

So I am attempting to test a huge connection of my Azure AD to my local AD, but I need an ADFS in my environment for federated logins from Azure. I am attempting to deploy one, but it's asking for an SSL cert.

I need support importing an SSL cert into my ADFS.
I own my domain name.
I can create a CSR, but there are no public-facing CAs to push my request to.
My domain is hosted inside of Google.
Where do I go from here? I added the domain as Verified in Azure.

Tags: azure-active-directory, adfs

Agolphin-8124 answered:

Solution: self-signed my own cert with my AD DC.

Thanks guys!


@Agolphin-8124, it would be great if you could mark the answer or upvote the ideas that you liked and that helped you in formulating the action plan, so that it helps others in the community too.

soumi-MSFT answered:

@Agolphin-8124, the SSL certificate is termed the Service Communication Certificate in ADFS, and to set a Service Communication Certificate on ADFS it needs to meet the following requirements:

  1. The service communication certificate must include the server authentication enhanced key usage (EKU) extension.

  2. The certificate revocation lists (CRLs) must be accessible for all the certificates in the chain from the service communication certificate to the root CA certificate. The root CA must also be trusted by any federation server proxies and Web servers that trust this federation server.

  3. The subject name that is used in the service communication certificate must match the Federation Service name in the properties of the Federation Service.

Once you have the SSL certificate issued to you fulfilling the above-mentioned requirements, you are all set to update this SSL certificate as the Service Communication Certificate on the ADFS 2016 server, following the steps mentioned in this article.


If it's a new deployment of an ADFS 2016 farm, please follow the steps mentioned in this article.



Hope this helps.



Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

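As an added example (not code from the thread or from Microsoft's documentation), the following PowerShell script checks a candidate certificate against the three requirements listed in the answer above before you import it as the Service Communication Certificate. It assumes it is run on the AD FS server with the ADFS PowerShell module installed, and `$Thumbprint` is a placeholder for the thumbprint of your own certificate in the LocalMachine\My store.

```powershell
# Added example, not code from the thread or from Microsoft's documentation.
# Run on the AD FS server. $Thumbprint is a placeholder for the thumbprint of the
# candidate certificate in the LocalMachine\My store; the Federation Service name is
# read from AD FS (assumes the ADFS PowerShell module is installed).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $FederationServiceName = (Get-AdfsProperties).HostName
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$results = [ordered]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter }

# AD FS needs the private key to terminate TLS with this certificate.
$results['HasPrivateKey'] = $cert.HasPrivateKey

# Requirement 1: Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be present.
$ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$results['ServerAuthEKU'] = $ekuOids -contains '1.3.6.1.5.5.7.3.1'

# Requirement 2: the chain must build to a trusted root with every CRL reachable
# (online revocation check for each certificate below the root).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$results['ChainAndCRL'] = $chain.Build($cert)
if (-not $results['ChainAndCRL']) {
    # e.g. UntrustedRoot for a self-signed cert, RevocationStatusUnknown for an unreachable CRL
    $results['ChainStatus'] = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}

# Requirement 3: the subject CN or a SAN DNS name must match the Federation Service
# name (wildcard entries such as *.example.com are matched with -like).
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$results['NameMatches'] = [bool]($dnsNames | Where-Object { $FederationServiceName -like $_ })

# A self-signed cert (the approach taken in the accepted answer) only passes the chain
# check on machines that have the issuing root in their Trusted Root store.
$results['SelfSigned'] = ($cert.Subject -eq $cert.Issuer)

[pscustomobject]$results
```

Run it from an elevated PowerShell prompt; any requirement reported as False is something the import or the first federated login will trip over.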

I understand that part. I need to generate the SSL cert, but ADFS and Microsoft's documentation specifically ask for a public CA to sign it. My issue is the public CA. Let's Encrypt is very convoluted.
Google doesn't have a public facing CA even though my domain is in google domains.

How would I get a CA to sign my CSR? Or do I just sign it with my local domain controller?

@Agolphin-8124, an SSL cert signed/issued by a public CA is recommended in the case of ADFS because, based on this certificate, the secure connection to the ADFS server is made from any machine over the Internet. Hence the machine that is trying to connect to this ADFS server over SSL should be able to validate the issuer of that certificate and also the root of that certificate. That is where the requirement for a public CA-signed cert comes from. Once you create the CSR, you can also consider vendors like DigiCert, VeriSign, Comodo and Thawte.

So theoretically speaking, I don't need a Public CA to sign my cert.

I COULD sign my cert with my AD DC, set it as the root CA, create a cert with it as the root CA and import that cert on all the machines I would connect to my domain with?