ADFS and AD configuration is very easy these days with an Azure Virtual Machine. I had configured AD on an Azure VM running Windows Server 2012 R2, and next it was the turn of ADFS 3.0.
Another way of generating a self-signed certificate is to run makecert from a Visual Studio Developer Command Prompt opened as administrator:
makecert -sky exchange -r -n "CN=CertificateName" -pe -a sha1 -len 2048 -ss My "CertificateName.cer"
(-a sha1 is what I used at the time; newer SDK builds of makecert also accept -a sha256, which is the better choice today.)
When I selected this certificate in the ADFS Federation Configuration Wizard, I received the error "The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider." The wizard is telling you where the private key lives: ADFS 3.0 can only load keys held by a legacy CryptoAPI (CAPI) CSP, and a key stored by a CNG key storage provider (KSP) is rejected even though the certificate itself is fine. The fix is therefore not a different certificate but a key pair generated through a legacy CSP.
Then I copied the New-SelfSignedCertificateEx.ps1 script to the C:\kunal folder. Now open a PowerShell window as administrator and run the commands below to generate a certificate whose private key ADFS accepts (it can be exported as a .pfx afterwards).
PS C:\kunal> . .\New-SelfSignedCertificateEx.ps1
PS C:\kunal> New-SelfSignedCertificateEx -Subject "CN=mycert.cloudapp.net" -EKU "Server Authentication" -KeyUsage 0xa0 -StoreLocation "LocalMachine" -ProviderName "Microsoft Strong Cryptographic Provider" -Exportable
The first command dot-sources the script so that the New-SelfSignedCertificateEx function is defined in the current session. In the second, -ProviderName "Microsoft Strong Cryptographic Provider" is the part that matters: it asks for the key pair from a legacy CAPI CSP rather than a CNG key storage provider, which is exactly what the wizard error asks for. -KeyUsage 0xa0 is DigitalSignature (0x80) plus KeyEncipherment (0x20), -EKU "Server Authentication" marks the certificate as usable for SSL, and -Exportable lets the private key be exported into a .pfx later.
The generated certificate, together with its private key, can be exported as a .pfx from the local machine certificate store as described at the link below - http://sanganakauthority.blogspot.in/2012/02/install-certificate-in-local-computer.html
Use this certificate in the ADFS configuration and you should be good to go.
In case the above way of loading the script (dot-sourcing .\New-SelfSignedCertificateEx.ps1) does not work, you can load it with Import-Module instead. Run the command below -
PS C:\kunal> Import-Module .\New-SelfSignedCertificateEx.ps1
After this, run the main New-SelfSignedCertificateEx command above to create the certificate.
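As an added example (my own code, not from the original post and not from the New-SelfSignedCertificateEx script): a PowerShell check to run before starting the ADFS configuration wizard. For every certificate in LocalMachine\My it reports whether the private key is held by a legacy CAPI CSP (what ADFS 3.0 accepts) or by a CNG key storage provider (what produces the error quoted above), and it then filters the candidates for a given subject by thumbprint, because several certificates can share one subject. The function names Get-CertificateKeyProvider and Test-AdfsServiceCertificate are my own; the subject CN=mycert.cloudapp.net is the one used in the post. It assumes an elevated Windows PowerShell session (machine-store private keys are not readable otherwise) and .NET Framework 4.6 or later, which provides RSACertificateExtensions.GetRSAPrivateKey.

```powershell
# Added example (not code from the original post or from the
# New-SelfSignedCertificateEx script). Run in an elevated Windows PowerShell
# session; assumes .NET Framework 4.6+ for RSACertificateExtensions.
# ADFS 3.0 only loads private keys held by a legacy CAPI CSP such as
# "Microsoft Strong Cryptographic Provider"; keys held by a CNG KSP such as
# "Microsoft Software Key Storage Provider" produce the wizard error quoted above.

function Get-CertificateKeyProvider {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $result = [ordered]@{
            Thumbprint     = $Certificate.Thumbprint
            Subject        = $Certificate.Subject
            NotAfter       = $Certificate.NotAfter
            KeyType        = 'none'      # 'CAPI', 'CNG', 'none' or 'unknown'
            Provider       = $null
            Exportable     = $false
            AdfsCompatible = $false
        }

        if ($Certificate.HasPrivateKey) {
            # The legacy PrivateKey property can only open CAPI keys. For a CNG key
            # it returns $null or throws "Invalid provider type specified".
            $capiKey = $null
            try { $capiKey = $Certificate.PrivateKey } catch { $capiKey = $null }

            if ($capiKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info = $capiKey.CspKeyContainerInfo
                $result.KeyType        = 'CAPI'
                $result.Provider       = $info.ProviderName
                $result.Exportable     = $info.Exportable
                $result.AdfsCompatible = $true
            }
            else {
                # CNG-aware accessor (.NET 4.6+): names the KSP that holds the key.
                $cngKey = $null
                try {
                    $cngKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
                } catch { $cngKey = $null }

                if ($cngKey -is [System.Security.Cryptography.RSACng]) {
                    $result.KeyType    = 'CNG'
                    $result.Provider   = $cngKey.Key.Provider.Provider
                    $result.Exportable = $cngKey.Key.ExportPolicy.HasFlag(
                        [System.Security.Cryptography.CngExportPolicies]::AllowExport)
                }
                else {
                    $result.KeyType = 'unknown'   # non-RSA key, or no access to the key container
                }
            }
        }
        [pscustomobject]$result
    }
}

function Test-AdfsServiceCertificate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Subject)

    # Several certificates can share one subject: an Azure VM already carries a
    # "CN=<name>.cloudapp.net" certificate whose key is not exportable. Always pick
    # the certificate by thumbprint, never by subject alone.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Get-CertificateKeyProvider)

    if ($candidates.Count -eq 0) {
        Write-Warning "No certificate with subject '$Subject' in LocalMachine\My."
        return
    }
    foreach ($c in $candidates) {
        if (-not $c.AdfsCompatible) {
            Write-Warning "$($c.Thumbprint): key type $($c.KeyType) ($($c.Provider)) - the ADFS wizard will reject it."
        }
        elseif ($c.NotAfter -lt (Get-Date)) {
            Write-Warning "$($c.Thumbprint): expired on $($c.NotAfter)."
        }
        elseif (-not $c.Exportable) {
            Write-Warning "$($c.Thumbprint): CAPI key but not exportable - usable here, but cannot be exported to a .pfx for other farm nodes."
        }
        else {
            Write-Host "$($c.Thumbprint): $($c.Provider), exportable, valid until $($c.NotAfter) - usable for ADFS."
        }
    }
    # Return only the certificates the wizard can load.
    $candidates | Where-Object { $_.AdfsCompatible -and $_.NotAfter -gt (Get-Date) }
}

# Usage:
Get-ChildItem Cert:\LocalMachine\My | Get-CertificateKeyProvider |
    Format-Table Thumbprint, KeyType, Provider, Exportable, AdfsCompatible -AutoSize
Test-AdfsServiceCertificate -Subject 'CN=mycert.cloudapp.net'
```

The same "Provider = ..." information can be read without PowerShell with certutil -store My <thumbprint>; whichever way you look it up, the certificate for the wizard is the one whose provider is a CSP rather than a Key Storage Provider, selected by thumbprint.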
Hope this helps.
Hi, great article :)
However, I also have problems regarding the certificate: there is already a certificate in the local machine store with the cloud service name, and the key is not exportable.
When I execute the script mentioned in your article, nothing happens... The "old" certificate is still there with a non-exportable private key.
(This is on all Azure VMs. They do all have a certificate with Server Authentication in the local machine store).
Any ideas?
Hi,
I have the same problem, and this is how I solved it:
1) First of all, it seems that you cannot import the function from every folder. First I did it from the D drive (I use an Azure VM as well) and it had no effect. Then I moved the script to the C:\Users\MyUserName folder.
2) To import the function, run . .\New-SelfSignedCertificateEx.ps1 instead of . .\New-SelfSignedCertificateEx . This is mentioned in https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6/view/Discussions#content in the comments (comment from Vadims Podans, August 07, 2015).
After those steps everything worked correctly.
btw, great post!
Thank you!
You can't skip the step of running . .\New-SelfSignedCertificateEx
I'd advise reviewing the providers before creating the certificate.
https://msdn.microsoft.com/en-us/library/windows/desktop/bb931357(v=vs.85).aspx
Great article. It helped a lot.
Followed exactly the same procedure with some tweaks mentioned by Hleb Loika.
Thank you, guys.