Checklist: Configuring Certificates for a Federation Server

Applies To: Windows Server 2008

This checklist includes the deployment tasks for configuring certificates on a federation server running Windows Server 2008 Enterprise.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist: Configuring certificates for a federation server

  Task Reference

Before you install the Federation Service role service on a computer that will become a federation server, read about the importance of obtaining and (for federation server farms) sharing a server authentication certificate and token-signing certificate across all the servers in the farm.

Certificate Requirements for Federation Servers

(Optional) As an alternative to obtaining a server authentication certificate from a certification authority (CA), you can use Internet Information Services (IIS) 7.0 to acquire a sample certificate for your federation server.

Because IIS 7.0 generates a self-signed certificate that does not originate from a commonly trusted source, use it to create a self-signed certificate only in the following scenarios:

  • When you have to create a Secure Sockets Layer (SSL) channel between your server and a limited, known group of users

  • When you have to troubleshoot third-party certificate problems

Caution
It is not a security best practice to deploy a federation server in a production environment using a self-signed server authentication certificate.

IIS 7.0: Create a Self-Signed Server Certificate in IIS 7.0 (http://go.microsoft.com/fwlink/?LinkID=108271)

(Optional) As an alternative to obtaining a token-signing certificate from a CA, you can use the Add Roles Wizard (during the installation of the Federation Service role service) to create a self-signed, token-signing certificate automatically, or you can use the MakeCert.exe tool to acquire this certificate for your federation server.

The MakeCert tool generates X.509 root certificates. It is typically used for testing purposes.

Warning

It is not a security best practice to deploy a federation server in a production environment using a self-signed, token-signing certificate.

Create a Self-Signed, Token-Signing Certificate

(Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing token-signing certificate (on the first federation server in the farm) and then import it into the personal store of the local federation server computer.

Exporting the private key is not required when your issued token-signing certificate can be reused by multiple computers (without the need to export) or when you will obtain unique token-signing certificates for each federation server in the farm.

Export the private key portion of a token-signing certificate (http://go.microsoft.com/fwlink/?LinkId=75068)

Import a certificate (http://go.microsoft.com/fwlink/?LinkId=108290)

(Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing server authentication certificate (on the first federation server in the farm) so that you have a file format of the certificate ready when other federation servers must import the same certificate.

Exporting the private key is not required when your issued server authentication certificate can be reused by multiple computers (without the need to export) or when you will be obtaining unique server authentication certificates for each federation server in the farm.

Export the Private Key Portion of a Server Authentication Certificate

After you obtain a server authentication certificate (or private key), you must then import the certificate file to the default Web site for each federation server.

Import a Server Authentication Certificate to the Default Web Site

Go back to the main federation server checklist, and proceed to the next task (Install the Federation Service role service).

Checklist: Installing a Federation Server