Certificate for ADFS

Hi!

I am currently implementing an Exchange Server 2013 which will coexist with 320 Exchange Online User Accounts.

So far, we have already done the following.

  1. Installed Exchange Server 2013 and installed the SSL certificate (mail.company.com)
  2. Exchange is now up, can connect with Outlook 2013 and via OWA.
  3. Setup ADFS and ADFS Proxy for SSO.

However, this is where I got stuck. Upon checking this link, https://msdn.microsoft.com/en-us/library/azure/dn151311.aspx?f=255&MSPPError=-2147217396, it says "Subject name and subject alternative name must contain your federation service name, such as fs.contoso.com".

Is there a way for me to change the Subject Name of my certificate to fs.company.com without messing up with what is already configured in my mail server? Or should I be using another certificate?

Kindly help me on this.

July 29th, 2015 2:29am

Hi,

You will need to generate a new cert with fs.company.com in it. That's the best way to fix your problem.

July 29th, 2015 2:56am

Hi,

According to the Microsoft documentation, the server authentication certificate (SSL) is used to secure Web traffic for communication with Web clients or with federation server proxies, while the token signing certificate is an X.509 certificate whose associated public/private key pair is used by federation servers to digitally sign all security tokens that they produce.

Additionally, here's a blog about ADFS Certificates - SSL, Token Signing, and Client Authentication Certs:
http://blogs.technet.com/b/adfs/archive/2007/07/23/adfs-certificates-ssl-token-signing-and-client-authentication-certs.aspx

Thanks

July 30th, 2015 2:44am

Hello 

You already have the information that for ADFS, the subject name must match the name in the ADFS configuration. That means the subject name in the certificate should be the same as in the URL.

Another thing: it may be possible to change your existing certificate's Subject name, although this name is also present in the Subject Alternative Names. Exchange does not have a requirement that the SAN name be in the Subject Name. But you will need to replace the certificate after you get the new one.

July 30th, 2015 6:10am

Thank you guys for your answers.

Well I just wanted to be sure.

Thanks again!

August 3rd, 2015 11:22pm

Hi Prem!

Thanks for your answer.

Well, do you have a guide that could help me with this?

Thanks!

August 3rd, 2015 11:29pm

Hi Prem,

Can I still use the certificate I used for Exchange in my ADFS Server? Or should I purchase another SSL Certificate for my ADFS Server/Proxy?

I have tried to change it but the SAN won't add. I'm using a 3 year standard SSL Certificate from GoDaddy.

I'm really stuck. Please help me.

Thanks!

August 11th, 2015 3:40am

Hello Khay

Generally it is possible and cheaper to add the SAN name and Common Name to the existing certificate. But if the 3rd party certificate authority is not ready to do so, you can order a new certificate.

You can use the PowerShell below to generate a CSR (Certificate Signing Request) from an Exchange Server.

New-ExchangeCertificate -GenerateRequest -SubjectName "l=Location, s=State, c=Country, o=ABC Pvt. Ltd., cn=smtp.abc.com" -DomainName mail.abc.com -PrivateKeyExportable $true

or you can follow the below guide I have uploaded for you specially.

https://ranaprem.wordpress.com/2015/08/10/how-to-create-csr-and-order-a-3rd-party-ssl-certificate/

Let me know in case you need more help on this.

August 11th, 2015 4:21am
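As an added example (not code from any reply in this thread), a PowerShell check that reports whether a certificate already in the machine store covers a given host name through its Subject CN or SAN DNS entries, so you know before binding it to ADFS whether the Exchange certificate can be reused; the host names are the thread's placeholders and the function name and store path are my own assumptions:

```powershell
# Added example, not from the thread. Reports whether a certificate's Subject CN
# or SAN DNS entries cover a given host name (e.g. the ADFS federation service
# name), so you know before binding it whether the Exchange cert can be reused.
function Test-CertificateCoversName {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$DnsName
    )
    # Subject CN, e.g. "CN=mail.company.com, O=Company" -> "mail.company.com"
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $names = @($cn)

    # Subject Alternative Name extension (OID 2.5.29.17). On Windows, Format($true)
    # returns one entry per line, e.g. "DNS Name=autodiscover.company.com".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($true) -split "`r?`n") |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }

    foreach ($n in $names) {
        if (-not $n) { continue }
        if ($n -ieq $DnsName) { return $true }
        # A wildcard covers exactly one label: *.company.com matches fs.company.com
        if ($n.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($n.Substring(1)) + '$'
            if ($DnsName -imatch $pattern) { return $true }
        }
    }
    return $false
}

# Usage (assumed store location; the host names are the thread's placeholders).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*mail.company.com*' } |
    Select-Object -First 1
if ($cert) {
    'fs.company.com', 'mail.company.com' | ForEach-Object {
        '{0}: {1}' -f $_, (Test-CertificateCoversName -Certificate $cert -DnsName $_)
    }
}
```

If fs.company.com comes back False, the certificate cannot be used for the federation service as-is; that is the case where you reissue with the name added or order a separate certificate, as the replies above describe.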
