Forum Discussion

Alexander Filipin
Brass Contributor
Jun 06, 2017
Solved

ADFS - Windows Server 2016 - CNG key support?

Did ADFS 2016 add support for SSL certificates with CNG keys?

For Windows Server 2012R2 the answer was clear: No

For ADFS 2016 nothing is mentioned in the documentation (WS2012R2 documentation was way better)


If not, what's the best approach to get an SSL certificate / CSR with a signature algorithm other than sha1? Since browsers will soon stop trusting them, the SSL cert should have sha256+.


Creating a CSR with legacy keys in IIS or the Certificates MMC creates the CSR with sha1... only with CNG keys can you choose sha256+.

  • Research and testing done: YES, ADFS2016 added support for SSL certificates with CNG keys.

    But you could also create a cert with legacy keys and a good signature algorithm by using certutil.exe (good for < ADFS2016, where CNG keys are not supported but the signature algorithm should still be good).

    You can also convert CNG to legacy with certutil.exe.
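As an added example (not code from the thread or from Microsoft), here is the certreq/certutil workflow the accepted answer refers to, in Windows PowerShell: a CSR with a legacy CSP key but a SHA-256 signature (the case the question asks about), a check of which provider and signature algorithm a certificate in the machine store actually has, and the CNG-to-legacy conversion by PFX re-import. The host names, file names, thumbprint and password are placeholders. The provider-type check assumes Windows PowerShell 5.1 on .NET Framework, where GetRSAPrivateKey returns RSACng for a CNG key and RSACryptoServiceProvider for a legacy CSP key.

```powershell
# Added example, not from the thread. Placeholders: adfs.example.test, file names,
# PLACEHOLDER_THUMBPRINT, PLACEHOLDER_PASSWORD. Run in an elevated Windows PowerShell 5.1.

# --- 1. CSR with a legacy (CSP) key but a SHA-256 signature --------------------------
# certreq reads the request parameters from an INF file. ProviderName/ProviderType pick the
# key storage: the SChannel CSP below gives a legacy key (what ADFS 2012 R2 needs). For a
# CNG key on ADFS 2016 use ProviderName = "Microsoft Software Key Storage Provider" and
# drop ProviderType. HashAlgorithm only sets the hash on the CSR's own signature; the
# issuing CA decides the hash on the certificate it returns.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=adfs.example.test"            ; placeholder
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
KeyUsage = 0xa0                             ; digitalSignature + keyEncipherment
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1                     ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"                        ; Subject Alternative Name
_continue_ = "dns=adfs.example.test&"
_continue_ = "dns=enterpriseregistration.example.test&"
'@
Set-Content -Path .\adfs.inf -Value $inf -Encoding Ascii
certreq.exe -new .\adfs.inf .\adfs.req      # key is created in the chosen provider, CSR in adfs.req
# Submit adfs.req to the CA, then bind the issued certificate to the pending key:
#   certreq.exe -accept .\adfs.cer

# --- 2. Check what a certificate in the machine store actually has -------------------
function Get-SslKeyInfo {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    # .NET Framework: RSACng means a CNG (KSP) key, RSACryptoServiceProvider a legacy CSP key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) {
        $keyType = 'no private key'; $provider = ''
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyType = 'CNG (KSP)';      $provider = $rsa.Key.Provider.Provider
    } else {
        $keyType = 'legacy (CSP)';   $provider = $rsa.CspKeyContainerInfo.ProviderName
    }
    [pscustomobject]@{
        Subject            = $cert.Subject
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # want sha256RSA, not sha1RSA
        KeyType            = $keyType
        Provider           = $provider
    }
}
# Get-SslKeyInfo -Thumbprint 'PLACEHOLDER_THUMBPRINT'

# --- 3. Convert a CNG key to a legacy CSP key (for pre-2016 ADFS) --------------------
# Export certificate + key to PFX, then re-import with certutil's -csp switch, which tells
# certutil which CSP should hold the key. The key must have been created exportable.
$thumbprint  = 'PLACEHOLDER_THUMBPRINT'
$pfxPassword = ConvertTo-SecureString 'PLACEHOLDER_PASSWORD' -AsPlainText -Force
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumbprint" -FilePath .\adfs-cng.pfx -Password $pfxPassword
Remove-Item "Cert:\LocalMachine\My\$thumbprint"   # drop the CNG-backed entry so only the re-imported one remains
certutil.exe -p 'PLACEHOLDER_PASSWORD' -csp 'Microsoft RSA SChannel Cryptographic Provider' -importpfx .\adfs-cng.pfx
Get-SslKeyInfo -Thumbprint $thumbprint            # KeyType should now read 'legacy (CSP)'
```

The two lines that matter for the question are ProviderName/ProviderType (CSP versus KSP) and HashAlgorithm (the CSR's signature hash); Get-SslKeyInfo is the check to run before binding the certificate to ADFS, since a sha1RSA signature or an unexpected key type is only visible there, not in the CSR.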

2 Replies


    •
      DaniMartMS
      Microsoft
      Great work, Alexander! Thanks for coming back and ensuring other users will see your solution.
