1
00:00:03,070 --> 00:00:07,420
Now let's talk about the different types of certificates used by AD FS.

2
00:00:08,350 --> 00:00:14,530
When you configure AD FS, you need to have at least one certificate already created and that's the SSL

3
00:00:14,530 --> 00:00:20,050
certificate used to secure the web service traffic for communications with clients and Web Application

4
00:00:20,050 --> 00:00:20,620
Proxy.

5
00:00:21,500 --> 00:00:25,760
It's the same type of certificate you would use in Internet Information Services.

6
00:00:26,660 --> 00:00:33,020
The SSL certificate needs to be trusted by client computers, so it should be signed by a trusted certificate

7
00:00:33,020 --> 00:00:34,940
authority like a public CA.

8
00:00:35,800 --> 00:00:40,360
If you're just creating a testing environment, you could use a self-signed certificate.

9
00:00:41,250 --> 00:00:46,350
But you'll need that certificate installed on client computers and servers accessing AD FS.

10
00:00:47,280 --> 00:00:52,200
If you're working in a corporate environment, you could also use a certificate issued by Active Directory

11
00:00:52,200 --> 00:00:57,420
Certificate Services because the domain-joined computers will have the root certificate installed from

12
00:00:57,420 --> 00:00:58,830
the certificate authority.

13
00:00:58,980 --> 00:01:01,560
And that's what we're going to do in the demo environment.

14
00:01:02,460 --> 00:01:08,580
Wildcard certificates are supported for the AD FS SSL certificate and it's recommended to use the same

15
00:01:08,580 --> 00:01:14,320
SSL certificate across all nodes of your AD FS farm and for the Web Application Proxy servers.

16
00:01:14,340 --> 00:01:18,720
Also, you'll need the private key included in this certificate.

17
00:01:19,620 --> 00:01:25,770
If you want to change the SSL certificate after the AD FS server or farm is set up, you need to do that

18
00:01:25,770 --> 00:01:26,790
through PowerShell.
19
00:01:27,660 --> 00:01:31,120
There are some subject alternative names needed on this certificate

20
00:01:31,140 --> 00:01:38,010
also, if you plan to use on-premises device registration or certificate authentication. By default,

21
00:01:38,010 --> 00:01:42,840
the SSL certificate is also used as the service communication certificate.

22
00:01:43,720 --> 00:01:48,790
But you can change this after configuration by using the AD FS admin interface.

23
00:01:49,690 --> 00:01:55,390
This is actually a server authentication certificate and it's used when setting up a federation between

24
00:01:55,390 --> 00:01:56,440
organisations.

25
00:01:57,310 --> 00:02:02,950
All the AD FS servers in your own farm should use the same service communication certificate.

26
00:02:03,820 --> 00:02:09,460
The recommendation from Microsoft is to use the same certificate here that you used for SSL.

27
00:02:10,300 --> 00:02:16,360
A token signing certificate is required to digitally sign all security tokens that AD FS produces, and

28
00:02:16,360 --> 00:02:25,480
AD FS creates a self-signed X.509 certificate with 2048-bit keys by default. AD FS also renews the

29
00:02:25,480 --> 00:02:27,100
certificate automatically.

30
00:02:28,030 --> 00:02:33,100
So although you can import your own certificate if your organisation requires it, it's recommended

31
00:02:33,100 --> 00:02:35,740
to just use the default self-signed certificate.

32
00:02:36,640 --> 00:02:42,220
The token signing certificate prevents attackers from altering or counterfeiting security tokens issued

33
00:02:42,220 --> 00:02:47,950
by AD FS; it's just used to verify that the token hasn't been tampered with.

34
00:02:48,870 --> 00:02:55,590
So the token signing certificate doesn't encrypt the tokens, but there is another self-signed certificate

35
00:02:55,590 --> 00:02:59,430
created by AD FS called the token decrypting certificate.
36
00:03:00,330 --> 00:03:06,030
The public key of the token decryption certificate and the public key of the signing cert are both published

37
00:03:06,030 --> 00:03:12,390
in the Federation Metadata XML file that's accessible on a standard web address of your AD FS server.

38
00:03:13,290 --> 00:03:18,780
So when you configure an AD FS server in a partner organisation or a relying party application that

39
00:03:18,780 --> 00:03:25,170
uses AD FS, those keys are available to the other AD FS server or the application framework in order

40
00:03:25,170 --> 00:03:30,840
to be able to verify the signature of the tokens as well as for partner organisations to sign the tokens

41
00:03:30,840 --> 00:03:32,800
they issue to your AD FS server.

42
00:03:32,820 --> 00:03:39,900
In a federation scenario, the token decryption certificate is then used on your AD FS server to decrypt

43
00:03:39,900 --> 00:03:41,880
the tokens using the private key.

44
00:03:42,780 --> 00:03:48,690
Now let's generate an SSL certificate to use when configuring AD FS in the upcoming demo.
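The federation metadata described above, as an added example that is not part of this course: a small Python script that parses a constructed, cut-down FederationMetadata.xml, lists the published signing and encryption certificates by thumbprint, and performs the check a relying party would run on metadata refresh, namely whether the signing certificate it pinned is still the one AD FS publishes. The entityID and the certificate bytes are made-up placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a cut-down FederationMetadata.xml with one signing and one
# encryption KeyDescriptor. The X509Certificate contents are placeholder bytes,
# not real certificates; the entityID is made up too.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="{md}" entityID="http://sts.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{ds}"><X509Data><X509Certificate>{sign}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{ds}"><X509Data><X509Certificate>{enc}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>""".format(
    md=MD_NS, ds=DS_NS,
    sign=base64.b64encode(b"constructed-token-signing-cert-der").decode(),
    enc=base64.b64encode(b"constructed-token-decrypting-cert-der").decode(),
)


def thumbprint(der_bytes: bytes) -> str:
    """Thumbprint as AD FS and the Windows certificate store show it: SHA-1 of the DER bytes."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def published_certs(metadata_xml: str) -> dict:
    """Map each KeyDescriptor 'use' (signing / encryption) to the thumbprints it publishes."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use", "unspecified")
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))  # metadata often wraps the base64
            found.setdefault(use, []).append(thumbprint(der))
    return found


def signing_cert_unchanged(metadata_xml: str, pinned_thumbprint: str) -> bool:
    """Relying-party side check on metadata refresh: is the pinned signing cert still published?
    False right after AD FS's automatic renewal is expected; false at any other time needs a look."""
    return pinned_thumbprint.upper() in published_certs(metadata_xml).get("signing", [])
```

Against a live farm you would feed the downloaded metadata document to `published_certs` and compare the signing thumbprint with the one shown in the AD FS management console.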