SOLVED

ADFS - Windows Server 2016 - CNG key support?

Alexander Filipin
Occasional Contributor

Did ADFS 2016 add support for SSL certificates with CNG keys?

For Windows Server 2012R2 the answer was clear: No

For ADFS 2016 nothing is mentioned in the documentation (WS2012R2 documentation was way better)

If not, what's the best approach to get an SSL certificate / CSR with a signature algorithm other than sha1? Since browsers will soon stop trusting them, the SSL cert should have sha256+

Creating a CSR with legacy keys in IIS or the Certificates MMC creates the CSR with sha1... only with CNG keys can you choose sha256+

2 Replies
Solution

Research and testing done: YES ADFS2016 added support for SSL certificates with CNG keys.

But you could also create a cert with legacy keys and a good signature algorithm by using certutil.exe (good for < ADFS2016, where CNG keys are not supported but the signature algorithm should still be good)

You can also convert CNG keys to legacy keys with certutil.exe.
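As an added illustration (not code from the thread, and not a Microsoft sample), the two things the solution describes can be scripted: requesting a legacy-CSP RSA key whose CSR is signed with SHA-256 via certreq.exe, and checking which key store an installed certificate actually uses. The hostname, working directory and thumbprint are placeholders, and the `Get-CertKeyInfo` helper is this example's own.

```powershell
# Added example, not from the thread. Hostname, paths and thumbprint are placeholders.
$Hostname = 'adfs.contoso.com'          # placeholder ADFS service name
$WorkDir  = 'C:\Temp\adfs-cert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq INF: ProviderName/ProviderType pin the key to the legacy CAPI CSP that
# ADFS 2012 R2 requires. HashAlgorithm controls the request signature separately
# from the key store, so the CSR is sha256 even though the key is a legacy key.
$inf = @"
[NewRequest]
Subject = "CN=$Hostname"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
HashAlgorithm = sha256
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
"@
$infPath = Join-Path $WorkDir 'legacy-sha256.inf'
$reqPath = Join-Path $WorkDir 'legacy-sha256.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair (in the machine store) and the CSR.
certreq.exe -new $infPath $reqPath

# Submit $reqPath to your CA, then bind the issued certificate to the pending key:
#   certreq.exe -accept "$WorkDir\issued.cer"

function Get-CertKeyInfo {
    <# Report the signature algorithm and whether the private key lives in a legacy
       CSP (CAPI) or a CNG KSP. On .NET Framework 4.6+ GetRSAPrivateKey returns
       RSACryptoServiceProvider for CSP keys and RSACng for KSP keys. #>
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $store = 'Legacy CSP (usable on ADFS 2012 R2 and 2016)'
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $store = 'CNG KSP (ADFS 2016 and later only, per the answer above)'
    } else {
        $store = 'No accessible RSA private key'
    }
    [pscustomobject]@{
        Subject            = $cert.Subject
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # expect sha256RSA or stronger
        KeyStorage         = $store
    }
}

# Check once the certificate is installed (placeholder thumbprint):
# Get-CertKeyInfo -Thumbprint 'PLACEHOLDER_THUMBPRINT'

# Moving an existing CNG key to the legacy CSP (RSA keys only; ECC keys have no CSP
# equivalent): export a PFX with the private key, remove the KSP-bound entry from
# the store, then re-import the PFX under the legacy provider:
#   certutil.exe -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx "$WorkDir\adfs.pfx"
```

The point worth checking after either path is the `KeyStorage` line: a certificate whose `SignatureAlgorithm` is sha256RSA but whose key sits in a KSP will still be rejected by a 2012 R2 farm, so verify both properties before binding the certificate to ADFS.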

Great work, Alexander! Thanks for coming back and ensuring other users will see your solution.