Export the Private Key Portion of a Server Authentication Certificate

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Every federation server in an Active Directory Federation Services (AD FS) farm must have access to the private key of the server authentication certificate. If you are implementing a server farm of federation servers or Web servers, you must have a single authentication certificate. This certificate must be issued by an enterprise certification authority (CA), and it must have an exportable private key. The private key of the server authentication certificate must be exportable so that it can be made available to all the servers in the farm.

The same concept applies to federation server proxy farms: all federation server proxies in a farm must share the private key portion of the same server authentication certificate.

Note

The AD FS Management snap-in refers to server authentication certificates for federation servers as service communication certificates.

Depending on which role this computer will play, use this procedure on the federation server computer or federation server proxy computer where you installed the server authentication certificate with the private key. When you finish the procedure, you can then import this certificate on the Default Web Site of each server in the farm. For more information, see Import a Server Authentication Certificate to the Default Web Site.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To export the private key portion of a server authentication certificate

  1. On the Start screen, type Internet Information Services (IIS) Manager, and then press ENTER.

  2. In the console tree, click ComputerName.

  3. In the center pane, double-click **Server Certificates**.

  4. In the center pane, right-click the certificate that you want to export, and then click **Export**.

  5. In the Export Certificate dialog box, click the ... button.

  6. In File name, type C:\NameofCertificate, and then click Open.

  7. Type a password for the certificate, confirm it, and then click OK.

  8. Validate the success of your export by confirming that the file you specified is created at the specified location.

    Important

    So that this certificate can be imported to the local certificate store on the new server, you must transfer the file to physical media and protect its security during transport to the new server. It is extremely important to guard the security of the private key. If this key is compromised, the security of your entire AD FS deployment (including resources within your organization and in resource partner organizations) is compromised.

  9. Import the exported server authentication certificate into the certificate store on the new server before you install the Federation Service. For information about how to import the certificate, see Import a Server Certificate (http://go.microsoft.com/fwlink/?LinkId=108283).
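The same export and the verification in step 8, done from PowerShell instead of IIS Manager, as an added example that is not part of the original page. The certificate subject name and the output path are assumptions (placeholders); the script reads the .pfx password interactively rather than embedding it.

```powershell
# Added example: export the server authentication certificate together with its
# private key from the local machine store, then verify the file exists (step 8).
# Assumptions: the subject is 'CN=fs.contoso.com' (placeholder) and the output
# file is C:\NameofCertificate.pfx, matching the path used in the procedure.
$Subject = 'CN=fs.contoso.com'          # placeholder, replace with your subject
$PfxPath = 'C:\NameofCertificate.pfx'

# Locate the certificate in the local machine Personal store (Cert:\LocalMachine\My),
# which is the store IIS Manager's "Server Certificates" view shows.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate with subject '$Subject' and a private key was found."
}

# Prompt for the password that protects the .pfx (step 7); never hard-code it.
$pfxPassword = Read-Host -Prompt 'Password for the exported .pfx' -AsSecureString

try {
    # Export-PfxCertificate fails when the CA issued the key as non-exportable,
    # which is the requirement the page states for the farm certificate.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword `
        -ChainOption EndEntityCertOnly -ErrorAction Stop | Out-Null
}
catch {
    throw "Export failed (is the private key marked exportable?): $($_.Exception.Message)"
}

# Step 8: confirm that the file was created at the specified location.
if (Test-Path -Path $PfxPath) {
    "Exported certificate $($cert.Thumbprint) to $PfxPath"
} else {
    throw "Export reported success but $PfxPath was not created."
}

# Step 9, run on the new farm server before installing the Federation Service,
# after the .pfx has been moved there on protected physical media:
# Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
```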

Additional references

Checklist: Setting Up a Federation Server

Checklist: Setting Up a Federation Server Proxy

Certificate Requirements for Federation Servers

Certificate Requirements for Federation Server Proxies