If you ever need to create a CA-signed certificate for Active Directory, follow this procedure on each domain controller.
#Create a file called request.inf in the c:\temp directory
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=yourFQDN, OU=YourCompany, O=YourDepartment, L=YourCity, S=YourState, C=US"
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance. 1024-bit RSA keys are
; no longer acceptable for anything; use 2048 or larger.
Exportable = TRUE
; Exportable = TRUE lets the private key be exported from the DC later.
; Set it to FALSE unless you have a concrete need to move the key.
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
; HashAlgorithm belongs in [NewRequest]; under [RequestAttributes] it is passed
; through as an unknown attribute and the request is signed with the default hash.
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
Then run the following commands from the c:\temp directory:
certreq.exe -new .\request.inf yourserver.domain.2015.req
#wait for certificate from CA
certreq.exe -Accept .\yourservername_yourdomain_edu-2015-SHA2.cer
#The certreq utility will put this certificate in the Personal store of the local computer, bound to the private key it generated from request.inf. I open both the local computer certificate store and the certificate store for the "Active Directory Domain Services" service (NTDS). Once both Personal stores are open, I simply drag the certificate into the "Active Directory Domain Services" Personal store; domain controllers look in that service store before they fall back to the local computer store. Before you do this, open the certificate and verify that the certificate chain builds cleanly, that it shows a private key, and that the Server Authentication EKU is present. Active Directory will immediately see the new certificate and start using it if its expiration date is later than that of the previous certificate, so you don't have to remove the old certificate first.
This process has been tested on Active Directory running Windows Server 2008 R2.
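The procedure above as a script, with the checks a practitioner would want before and after AD DS picks up the certificate. This is an added example and not code from the original post. It assumes a placeholder DC name (dc01.corp.example), the c:\temp working directory from the post, and that you save the CA's response as C:\temp\dc01.corp.example.cer; Test-Certificate needs the PKI module (Windows Server 2012 or later), so on 2008 R2 use certutil -verify -urlfetch on the .cer file instead. The last part connects to LDAPS on port 636 and reports which certificate the DC actually presents, which is the real test that the swap worked.

```powershell
# Added example, not from the original post: the certreq procedure as a script,
# followed by a check that the domain controller presents the new certificate on
# LDAPS. Placeholders: the DC FQDN, C:\temp, and the name of the issued .cer file.
$fqdn    = 'dc01.corp.example'             # assumption: your DC's FQDN
$workDir = 'C:\temp'
$infPath = Join-Path $workDir 'request.inf'
$reqPath = Join-Path $workDir "$fqdn.req"
$cerPath = Join-Path $workDir "$fqdn.cer"  # assumption: the issued certificate from the CA

# 1. Write request.inf. The CN must be the DC's FQDN because LDAPS clients match
#    it against the host name. Exportable is FALSE here on purpose: a DC's
#    private key should not leave the machine.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn, OU=YourCompany, O=YourDepartment, L=YourCity, S=YourState, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"@ | Set-Content -Path $infPath -Encoding Ascii

# 2. Generate the key pair in the machine key store and the PKCS#10 request.
#    Submit $reqPath to your CA.
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

# ---- stop here until the CA has issued the certificate and you have saved it to $cerPath ----

# 3. Accept the issued certificate: certreq matches it to the key from step 2
#    and installs it in Cert:\LocalMachine\My.
& certreq.exe -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

# 4. Checks before AD DS is allowed to use it: the certificate is in the machine
#    store with its private key, the chain builds, and it is valid for SSL to
#    $fqdn (Test-Certificate -Policy SSL also requires the Server Authentication EKU).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "^CN=$([regex]::Escape($fqdn))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fqdn found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn -ErrorAction SilentlyContinue)) {
    throw "Certificate $($cert.Thumbprint) does not chain to a trusted root or is not valid for $fqdn"
}
"New certificate $($cert.Thumbprint) is installed and chains cleanly."

# 5. Move it into the NTDS service Personal store in the MMC as described above
#    (or leave it in the machine store, which AD DS also searches), then confirm
#    that the DC presents it on LDAPS (tcp/636).
function Get-LdapsServerCertificate {
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: it was validated in step 4, and this call only
        # needs to see which certificate the DC is serving.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $served
    } finally {
        $client.Close()
    }
}

$served = Get-LdapsServerCertificate -HostName $fqdn
if ($served.Thumbprint -eq $cert.Thumbprint) {
    "LDAPS on $fqdn now presents the new certificate ($($served.Thumbprint))."
} else {
    Write-Warning "LDAPS on $fqdn still presents $($served.Thumbprint) (expected $($cert.Thumbprint))."
}
```

Run step 5 again from a member server rather than the DC itself before you call the change done: that exercises name resolution and the chain from a client's point of view, which is what the applications depending on LDAPS will see.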
Environment Verified On: Exchange 2013 CU9, ADFS 3.0, all running Windows Server 2012 R2
If you are currently running Exchange Server 2013 and ADFS, you will have to replace your token-signing certificate every year by default, unless you disable the automatic certificate rollover feature of ADFS. In older versions of Exchange 2013 (I am currently running Exchange 2013 CU9), you could only assign one ADFS token-signing certificate thumbprint. This made it difficult for Exchange to trust the new certificate, because you could only trust one at a time. Now the -AdfsSignCertificateThumbprints parameter of Set-OrganizationConfig is multi-valued. Simply save both the "Primary" and "Secondary" token-signing thumbprints returned by the command below, and then apply them to your Exchange organization config.
#Run this PowerShell command on your primary ADFS server
Get-AdfsCertificate -CertificateType "Token-Signing"
#Run this PowerShell command from one of your Exchange 2013 CAS servers, or from a machine with the Exchange management snap-in loaded
Set-OrganizationConfig -AdfsSignCertificateThumbprints 133FC5293DFD48BC8E395D3EECBB0E9C9486EE14,EBB6F27D02F46CD0ED2F5C743672B93A845B4C01
- Open the ADFS management console.
- View the newly generated token-signing certificate (the one currently marked Secondary, which ADFS will promote to Primary at the next rollover).
- Export this certificate to a file (public key only; the token-signing private key must stay on the ADFS servers).
- Import this certificate file on each CAS server.
- Add this certificate to the Trusted Root Certification Authorities store under the machine account.
- Use your load balancer to take each CAS server out of rotation, and then reboot them one at a time.
Now when ADFS rolls the Secondary certificate to Primary, Exchange will already trust the new Primary certificate, and OWA access will continue to function as normal without any downtime.
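The ADFS and Exchange steps above as a script, with checks that the thumbprints were stored and that the certificate actually landed in Trusted Root on each CAS server. This is an added example and not code from the original post. Half (a) runs on the primary ADFS server and half (b) in the Exchange Management Shell; the share path and the CAS server names are placeholders, and the two thumbprints are the sample values from the post. It also reads the ADFS rollover thresholds so you know when the promotion will happen, which the post relies on but does not show how to look up.

```powershell
# Added example, not from the original post: pre-trust the next ADFS
# token-signing certificate in Exchange 2013 before ADFS promotes it.
# Placeholders: the share path and the CAS server names.

# ---- (a) on the primary ADFS server ----
# When the roll will happen: with AutoCertificateRollover on, a new certificate
# is generated CertificateGenerationThreshold days before expiry and promoted
# to Primary CertificatePromotionThreshold days after that.
$props = Get-AdfsProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)"
"CertificateGenerationThreshold: $($props.CertificateGenerationThreshold) days"
"CertificatePromotionThreshold: $($props.CertificatePromotionThreshold) days"

$signing   = Get-AdfsCertificate -CertificateType Token-Signing
$primary   = $signing | Where-Object { $_.IsPrimary }
$secondary = $signing | Where-Object { -not $_.IsPrimary }
if (-not $secondary) {
    throw "ADFS has not generated the next token-signing certificate yet; nothing to pre-trust."
}

# Both thumbprints, ready for Set-OrganizationConfig in half (b).
$thumbprints = @($primary.Thumbprint) + @($secondary | ForEach-Object { $_.Thumbprint })
"Thumbprints for Exchange: $($thumbprints -join ',')"

# Export the public part of the Secondary certificate for the CAS servers.
# The token-signing private key must stay on the ADFS servers.
$exportPath = '\\fileserver\share\adfs-token-signing-next.cer'   # assumption
Export-Certificate -Cert $secondary.Certificate -FilePath $exportPath -Type CERT | Out-Null
"Exported Secondary token-signing certificate $($secondary.Thumbprint) to $exportPath"

# ---- (b) in the Exchange Management Shell ----
$thumbprints = '133FC5293DFD48BC8E395D3EECBB0E9C9486EE14','EBB6F27D02F46CD0ED2F5C743672B93A845B4C01'
$exportPath  = '\\fileserver\share\adfs-token-signing-next.cer'   # assumption
$casServers  = 'cas01','cas02'                                     # assumption

Set-OrganizationConfig -AdfsSignCertificateThumbprints $thumbprints
$stored = (Get-OrganizationConfig).AdfsSignCertificateThumbprints
foreach ($t in $thumbprints) {
    if ($stored -notcontains $t) { throw "Thumbprint $t was not stored in the organization config" }
}
"Exchange now trusts token-signing thumbprints: $($stored -join ',')"

# Install the certificate in Trusted Root on each CAS server. The bytes are
# read here and passed into the remote session so the CAS does not have to
# reach the share itself (avoids the second-hop credential problem).
$certBytes = [System.IO.File]::ReadAllBytes($exportPath)
foreach ($cas in $casServers) {
    Invoke-Command -ComputerName $cas -ArgumentList (,$certBytes) -ScriptBlock {
        param([byte[]]$bytes)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $store.Open('ReadWrite')
        try { $store.Add($cert) } finally { $store.Close() }
        $present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $present) { throw "$($env:COMPUTERNAME): $($cert.Thumbprint) missing from Trusted Root after import" }
        "$($env:COMPUTERNAME) trusts token-signing certificate $($cert.Thumbprint)"
    }
    # Take $cas out of the load balancer pool, reboot it (Restart-Computer
    # -ComputerName $cas -Wait), put it back, then move on to the next server.
}
```

Re-run half (a) after the promotion date and check that the thumbprint ADFS now reports as Primary is one of the two stored in the organization config; if it is not, the rollover produced a certificate you have not trusted yet and OWA will fail at the next token validation.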