Jun 06 2017 11:10 AM
Did ADFS 2016 add support for SSL certificates with CNG keys?
For Windows Server 2012R2 the answer was clear: No
For ADFS 2016 nothing is mentioned in the documentation (WS2012R2 documentation was way better).
If not, what's the best approach to get an SSL certificate / CSR with a signature algorithm other than sha1? Since browsers will soon stop trusting them, the SSL cert should have sha256+.
Creating a CSR with legacy keys in IIS or the Certificate MMC creates the CSR with sha1... only with CNG keys can you choose sha256+.
Jun 09 2017 04:06 PM
Solution
Research and testing done: YES, ADFS2016 added support for SSL certificates with CNG keys.
But you could also create a cert with legacy keys and a good signature algorithm by using certutil.exe (good for < ADFS2016, where CNG keys are not supported but the signature algorithm should still be good).
You can also convert CNG to legacy with certutil.exe
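Added example (not from the original post): a CSR with a legacy CryptoAPI CSP key and an SHA-256 request signature, created with certreq.exe and an INF file (certreq, not certutil, is the tool that consumes request INFs), followed by the certutil-based CNG-to-legacy conversion the answer mentions. The host name adfs.example.com, the thumbprint and the PFX password are placeholders.

```powershell
# Added example, not code from the original post. Assumes a Windows Server host with
# certreq.exe/certutil.exe and an elevated prompt; adfs.example.com is a placeholder.

# 1. Request an SHA-256-signed CSR whose key lives in a legacy CSP (CryptoAPI),
#    not a CNG KSP, so it also works on ADFS versions that do not accept CNG keys.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=adfs.example.com"
KeyLength = 2048
KeySpec = 1                     ; AT_KEYEXCHANGE, needed for TLS key exchange
Exportable = TRUE
MachineKeySet = TRUE
; Legacy CSP, not a CNG KSP such as "Microsoft Software Key Storage Provider"
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; Hash used to sign the request; the CA picks the hash of the issued certificate
HashAlgorithm = sha256
RequestType = PKCS10
KeyUsage = 0xA0                 ; Digital Signature, Key Encipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1         ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=adfs.example.com&"
_continue_ = "dns=enterpriseregistration.example.com&"
'@
Set-Content -Path .\adfs-legacy.inf -Value $inf -Encoding ASCII
certreq.exe -new .\adfs-legacy.inf .\adfs-legacy.csr

# 2. After the CA returns the signed certificate, bind it to the pending key.
certreq.exe -accept .\adfs-legacy.cer

# 3. Alternative: convert an existing CNG-keyed certificate to a legacy CSP by
#    exporting it with its private key and re-importing it under a CSP name.
$thumb = 'PLACEHOLDER_THUMBPRINT'   # look it up with: certutil -store my
certutil.exe -p 'PLACEHOLDER_PASSWORD' -exportpfx my $thumb .\cng.pfx
certutil.exe -p 'PLACEHOLDER_PASSWORD' -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx .\cng.pfx

# 4. Verify: the "Provider =" line should name the CSP above and the signature
#    algorithm line of the issued certificate should read sha256RSA.
certutil.exe -store my $thumb
```

Step 3 only works if the CNG key was marked exportable when it was created; the issued certificate's own signature hash is decided by the CA, not by the INF.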