Export the public key portion of a token-signing certificate

Applies To: Windows Server 2003 R2

A token-signing certificate is used by an Active Directory Federation Services (ADFS) federation server to digitally sign all security tokens that it produces. Verification certificates are used by the server that receives the token to validate that the security token was issued by a trusted federation server and that the token was not modified. To provide verification certificates to servers that will be processing tokens issued by the trusted federation servers, you can export the public key portion of the token-signing certificate of a federation server that issues the tokens.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To export the public key portion of a token-signing certificate

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Right-click Federation Service, and then click Properties.

  3. On the General tab, under Token-signing certificate, click View.

  4. In the Certificate dialog box, click the Details tab.

  5. On the Details tab, click Copy to File.

  6. On the Welcome to the Certificate Export Wizard page, click Next.

  7. On the Export Private Key page, make sure that No, do not export the private key is selected, and then click Next.

  8. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.

  9. On the File to Export page, specify the certificate file in File name, and then click Next.


    So that this certificate can be imported to other federation servers as a verification certificate, you will need to securely transfer the file to administrators in your organization and in the partner organization.

  10. On the Completing the Certificate Export Wizard page, click Finish.

  11. Validate success by checking to see that the file you specified was created at the specified location.

See Also


Rolling Over a Token-signing Certificate
Add a verification certificate to the trust policy
Add a verification certificate to an account partner