Wednesday, October 02, 2013

ADFS : Problem with CNG certificates

Busy having a look at the latest ADFS 2.1 on Windows Server 2012 R2.

This is the one with the Web Application Proxy, MFA etc.

So first off, I need a self-signed certificate.

As per the lab, I need a self-signed certificate with SAN e.g.
  • Subject Name (CN): adfs1.contoso.com
  • Subject Alternative Name (DNS): adfs1.contoso.com
  • Subject Alternative Name (DNS): enterpriseregistration.contoso.com
Hmm - problem.

So what tools are on the box? Oh, frabjous joy - there's a PowerShell command:

New-SelfSignedCertificate

which is available on Windows 8 and Windows Server 2012.

OK - so I try to install ADFS and it complains that the certificate is a CNG (Cryptography Next Generation) one, which ADFS doesn't support.

WTF? - the new ADFS doesn't support the latest standard? Is this not a security system?

My normal way of generating self-signed certificates is to use SelfSSL7.

But this doesn't run on Server 2012 because the server ships with .NET 4.5 and SelfSSL7 requires .NET 3.5.

So the options are:
  • Add the .NET 3.5 role to the server
  • Download the source and recompile for .NET 4.5
  • Create on a Windows 7 box and export
  • Use another tool e.g. makecert
But there's another problem:

SelfSSL7 by default does all the IIS SSL binding and this version of ADFS does not use IIS.

So my command was:

selfssl7 /N cn=adfs.domain.com;cn=adfs.domain.com;cn=enterpriseregistration.adfs.domain.com /K 1024 /V 700 /T /X /F c:\xxx\cert.pfx /W password

i.e. just create a pfx file.

Then import the pfx file into the local certificate store - the same one that New-SelfSignedCertificate would have used i.e.

New-SelfSignedCertificate -DnsName www.fabrikam.com, www.contoso.com -CertStoreLocation cert:\LocalMachine\My
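Before kicking off the ADFS install, it is worth checking which key provider actually backs the imported certificate. The script below is an added example, not part of the original post: it imports the SelfSSL7 PFX (the file path and password prompt are placeholders) and then lists every certificate in LocalMachine\My with its key type, flagging CNG-keyed ones that ADFS on 2012 R2 will reject. It assumes Windows Server 2012 R2 with PowerShell 3 and rights to read the private keys. Note that the /K 1024 in the SelfSSL7 command above gives a 1024-bit key, below the 2048-bit minimum generally expected now, and the KeySize column makes that visible too.

```powershell
# Added example (not from the original post). Reports the provider backing each
# certificate's private key so a CNG (KSP) key is spotted before ADFS rejects it.
# Assumes Windows Server 2012 R2 / PowerShell 3 and read access to private keys.
function Get-CertificateKeyProvider {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert     = $_
        $keyType  = 'NoPrivateKey'
        $provider = $null
        if ($cert.HasPrivateKey) {
            try {
                # Legacy CSP keys expose an RSACryptoServiceProvider here and name their CSP.
                # CNG keys have no .NET 4.5 wrapper: the property throws
                # "Invalid provider type specified" (or is $null on newer frameworks).
                $rsa = $cert.PrivateKey
                if ($rsa -ne $null) {
                    $keyType  = 'CSP'
                    $provider = $rsa.CspKeyContainerInfo.ProviderName
                } else {
                    $keyType = 'CNG'
                }
            } catch {
                $keyType  = if ($_.Exception.Message -match 'Invalid provider type') { 'CNG' } else { 'Unknown' }
                $provider = $_.Exception.Message
            }
        }
        [PSCustomObject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeySize    = $cert.PublicKey.Key.KeySize
            NotAfter   = $cert.NotAfter
            KeyType    = $keyType
            Provider   = $provider
            AdfsUsable = ($keyType -eq 'CSP')   # ADFS on 2012 R2 needs a CSP-backed key
        }
    }
}

# Usage: import the PFX exported by SelfSSL7, then confirm it shows KeyType = CSP.
# 'C:\path\to\cert.pfx' is a placeholder for the exported file.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Import-PfxCertificate -FilePath 'C:\path\to\cert.pfx' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword | Out-Null
Get-CertificateKeyProvider | Where-Object { $_.Subject -like '*adfs*' } |
    Format-Table Subject, KeySize, KeyType, Provider, AdfsUsable -AutoSize
```

A certificate created with New-SelfSignedCertificate on this platform should show KeyType = CNG and AdfsUsable = False, while the SelfSSL7 import should show KeyType = CSP.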

Enjoy!
