Add a Token-Decrypting Certificate

Federation servers use a token-decrypting certificate when a relying party federation server must decrypt tokens that were issued with an older certificate after a new certificate has been set as the primary decryption certificate. Active Directory Federation Services (AD FS) uses the Secure Sockets Layer (SSL) certificate for Internet Information Services (IIS) as the default decryption certificate.

Note

Certificates used for token decrypting are critical to the stability of the Federation Service. Because the loss or unplanned removal of any certificate configured for this purpose can disrupt service, you should back up every certificate configured for this purpose.

You can use the following procedure to add a token-decrypting certificate to the AD FS Management snap-in from a certificate file that you have exported.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To add a token-decrypting certificate

  1. 在 "开始" 屏幕上,键入 "AD FS 管理",然后按 enter。On the Start screen, typeAD FS Management, and then press ENTER.

  2. 在控制台树中,双击 - "服务",然后单击 "证书"。In the console tree, double-click Service, and then click Certificates.

  3. 在 "操作" 窗格中,单击 "添加令牌 - 解密证书" 链接。In the Actions pane, click the Add Token-Decrypting Certificate link.

  4. 在 "浏览证书文件" 对话框中,导航到要添加的证书文件,选择证书文件,然后单击 "打开"。In the Browse for Certificate file dialog box, navigate to the certificate file that you want to add, select the certificate file, and then click Open.

Additional references

Checklist: Setting Up a Federation Server

Certificate Requirements for Federation Servers