Applies To: Windows Server 2016, Windows Server 2012 R2
Active Directory Federation Services (AD FS) requires a certificate for Secure Sockets Layer (SSL) server authentication on each federation server in your federation server farm. The same certificate can be used on each federation server in a farm. You must have both the certificate and its private key available. For example, if you have the certificate and its private key in a .pfx file, you can import the file directly into the Active Directory Federation Services Configuration Wizard. This SSL certificate must contain the following:
The subject name and subject alternative name must contain your federation service name, such as fs.contoso.com.
The subject alternative name must contain the value enterpriseregistration that is followed by the User Principal Name (UPN) suffix of your organization, for example, enterpriseregistration.corp.contoso.com.
Specify this subject alternative name if you plan to enable the Device Registration Service (DRS) for Workplace Join.
If your organization uses multiple UPN suffixes, and you plan to enable the DRS, the SSL certificate must contain a subject alternative name entry for each suffix.
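The following PowerShell function is an added example, not part of the original documentation or of AD FS itself. It checks a certificate against the requirements above before you run the configuration wizard. The function name Test-AdfsSslCertificate and its parameters are hypothetical, the certificate is assumed to be in the local machine Personal store, and the 'DNS Name=' label assumes an English-language system.

```powershell
function Test-AdfsSslCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$FederationServiceName,
        # UPN suffixes; supply them only when DRS will be enabled.
        [string[]]$UpnSuffix = @()
    )
    $problems = @()
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'The private key is not available with the certificate.'
    }
    # Exact match on the subject common name (a choice made for this example).
    $cnType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $subjectCn = $Certificate.GetNameInfo($cnType, $false)
    if ($subjectCn -ne $FederationServiceName) {
        $problems += "Subject name '$subjectCn' is not $FederationServiceName."
    }
    # OID 2.5.29.17 is subjectAltName. Format() returns localized text,
    # so the 'DNS Name=' label below assumes an English-language system.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanDns = @()
    if ($sanExt) {
        $sanDns = @($sanExt.Format($true) -split "\r?\n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }
    # One enterpriseregistration entry is required per UPN suffix.
    $required = @($FederationServiceName) +
        @($UpnSuffix | ForEach-Object { "enterpriseregistration.$_" })
    foreach ($name in $required) {
        if ($sanDns -notcontains $name) {
            $problems += "Subject alternative name is missing $name."
        }
    }
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Constructed usage: the names are the examples used on this page.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    Test-AdfsSslCertificate -Certificate $_ `
        -FederationServiceName 'fs.contoso.com' -UpnSuffix 'corp.contoso.com'
}
```

Pass every UPN suffix in use to -UpnSuffix so that a missing enterpriseregistration entry is reported for each one.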