SOLVED

ADFS - Windows Server 2016 - CNG key support?

Occasional Contributor

Did ADFS 2016 add support for SSL certificates with CNG keys?

For Windows Server 2012R2 the answer was clear: No

For ADFS 2016 nothing is mentioned in the documentation (WS2012R2 documentation was way better)


If not, what's the best approach to get an SSL certificate / CSR with a signature algorithm other than sha1? Since browsers will soon stop trusting them, the SSL cert should have sha256+


Creating a CSR with legacy keys in IIS or the Certificates MMC creates the CSR with sha1... only with CNG keys can you choose sha256+

2 Replies
Best Response confirmed by Daniel Martins (Microsoft)
Solution

Research and testing done: YES ADFS2016 added support for SSL certificates with CNG keys.

But you could also create a cert with legacy keys and a good signature algorithm by using certutil.exe (good for < ADFS2016, when CNG keys are not supported but the signature algorithm should still be good)

You can also convert CNG to legacy with certutil.exe
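The following is an added example, not code from the original post or from Microsoft, showing the two paths the accepted answer describes: a CSR whose private key lives in a legacy CSP (so pre-2016 AD FS can use it) but whose request is signed with SHA-256, and the certutil.exe re-import that moves an issued PFX from a CNG provider onto a legacy CSP. The hostname, key length and file paths are placeholders.

```powershell
# Added example (not from the original post). Assumed values: subject name,
# key length, file paths and PFX password are placeholders.

# certreq.exe reads request parameters from an INF file. The two settings that
# matter here are ProviderName (a legacy CSP rather than a CNG KSP) and
# HashAlgorithm (the request signature hash, which otherwise defaults to sha1).
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=adfs.example.com"        ; placeholder hostname
KeyLength = 2048
HashAlgorithm = sha256                 ; SHA-256 request signature
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1                            ; AT_KEYEXCHANGE, needed for TLS
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"  ; legacy CSP
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1                ; Server Authentication
'@
Set-Content -Path .\adfs-ssl.inf -Value $inf -Encoding ASCII

# Generate the CSR; the private key is created under the legacy CSP in the
# machine store, so it is usable by AD FS versions without CNG support.
certreq.exe -new .\adfs-ssl.inf .\adfs-ssl.req

# Check the request signature algorithm before submitting it to the CA:
# the line after "Signature Algorithm:" should name sha256RSA, not sha1RSA.
certutil.exe -dump .\adfs-ssl.req | Select-String 'Signature Algorithm' -Context 0,1

# Once the CA returns the issued certificate, bind it to the pending key:
#   certreq.exe -accept .\adfs-ssl.cer

# Second path from the answer: a certificate that already exists with a CNG
# key can be exported as a PFX and re-imported under a legacy CSP.
#   certutil.exe -p "<pfx-password>" -csp "Microsoft RSA SChannel Cryptographic Provider" -importPFX .\adfs-ssl.pfx
```

After import, confirm the provider with `certutil.exe -store My <thumbprint>` (the Provider line should show the SChannel CSP) before pointing AD FS at it with `Set-AdfsSslCertificate -Thumbprint`.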

Great work, Alexander! Thanks for coming back and ensuring other users will see your solution.