It is important to understand that when correctly configuring ADFS 2.0 (Active Directory Federated Services) is the SSL certificate if you are using it for Office 365 or for any other purpose. You should be installing ADFS on a Windows 2008 R2 server and it should be fully patched. From the server that will be the primary ADFS server in the ADFS server farm you need to create the CSR. You do not use the IIS certificate manager. The certificate can be generated via certutil.exe or the Exchange commandlets but the GUI (Graphical User Interface) is the simplest approach for many people. Advice not to use a self-signed certificate or you will be cleaning up a mess when you finally move things into production.

Creating the CSR

In order to generate the certificate CSR (Certificate Signing Request) for ADFS (Active Directory Federation Services) you have to use the certificate manager MMC (Microsoft Management Console) snapin or run certmgr.msc. This will open the certificate repository. Right click on the Personal store and select All Tasks, Advanced Operations, Create Custom Request. This will start the wizard.

certmgr Configuring SSL Certs

Click Next and then overcome the first challenge. In the Certificate Enrollment Policy screen, click and highlight Proceed without enrollment policy

Configuring SSL certificate enrollment

Change the Template Option to Legacy Key

Configuring SSL certificate enrollment

Configuring SSL certificate enrollment

Settings for ADFS 2.0 SSL certificates

An ADFS 2.0 SSL certificate has a couple of critical settings.

The URL of the ADFS server must be set as in Subject Name of the certificate and should be set as a common name or CN. You can utilize a SAN certificate (Subject Alternate Name certificate) if you like to cover the other server names but the Subject Name on the certificate will become the service name in ADFS so don’t mess it up.

The Key Length must be 2048 or higher.

The Private Key must be exportable.

Don’t set the Subject Name be the same as the server.

You can configure the certificate via the Properties before clicking Next. Add the subject name and any other server names using the Directory Name type. Set Server Authentication and Client Authentication in Enhanced Key Usage. Update the private key and the key length as well.

Configuring SSL Certificate properties

Installing the Cert

Once you click OK, move on to the export of the key. Upload the CSR to your favorite CA. When you install the cert you can continue with the ADFS configuration. Based on a quirk with permission on private keys and how Microsoft does the certificate requests and storage, you might receive an error such as an Event ID 133. The ADFS service account needs permissions to read the private key and the private key needs to be in the same store as the certificate.