This is the one with the Web Application Proxy, MFA etc.
So first off, I need a self-signed certificate.
As per the lab, I need a self-signed certificate with SAN e.g.
- Subject Name (CN): adfs1.contoso.com
- Subject Alternative Name (DNS): adfs1.contoso.com
- Subject Alternative Name (DNS): enterpriseregistration.contoso.com
So what tools are on the box. Oh, frabjous joy - there's a PowerShell command:
which is available on Windows 8 and Windows Server 2012.
OK - so try to install ADFS and it complains that the certificate is a CNG (Certificate Next Generation) one which ADFS doesn't support.
WTF? - the new ADFS doesn't support the latest standard? Is this not a security system?
My normal way of generating self-signed certificates is to use SelfSSL7.
But this doesn't run on Server 2012 because it uses .NET 4.5 and SelfSSL7 requires .NET 3.5.
So the options are:
- Add the .NET 3.5 role to the server
- Download the source and recompile for .NET 4.5
- Create on a Windows 7 box and export
- Use another tool e.g. makecert
SelfSSL7 by default does all the IIS SSL binding and this version of ADFS does not use IIS.
So my command was:
selfssl7 /N cn=adfs.domain.com;cn=adfs.domain.com;cn=enterpriseregistration.adfs.domain.com /K 1024 /V 700 /T /X /F c:\xxx\cert.pfx /W password
i.e. just create a pfx file.
Then import the pfx file into the local certificate store - the same one that New-SelfSignedCertificate would have used i.e.
New-SelfSignedCertificate -DnsName www.fabrikam.com, www.contoso.com -CertStoreLocation cert:\LocalMachine\My