We are integrating with ADFS (SAML) with a customer. The customer requires us to obtain a token signing certificate trusted by a well-known CA. The certificate will be used to sign SAML requests that are sent to the IdP. Most vendors sell SSL certs and/or code signing certs. Can we purchase a code signing cert for this purpose? If not, where do we go to purchase a token signing certificate?
The token-signing certificate in ADFS does not care whether you are using an SSL cert or a code signing cert. The only requirement is that the Key Usage should contain at least Digital Signature.
Additionally, if you use a non-self-signed token signing cert, you will have to renew the cert manually for the relying parties so that they will trust this cert when the signing cert expires.
Jimmy Sun
Thanks for your response. That's what I have been telling the customer. But this blog post (https://blogs.technet.microsoft.com/adfs/2007/07/23/adfs-certificates-ssl-token-signing-and-client-authentication-certs/) from Microsoft *suggested* not using an SSL cert for token signing. The customer is fixated on not allowing us to use an SSL cert. – weilin8 Feb 24 '17 at 18:00
If your customer doesn't allow you to use an SSL cert, then yes, you can also purchase a code signing cert for this purpose. – Jimmy Sun Feb 25 '17 at 09:34
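Added example, not code from the original answer or from Microsoft: a PowerShell check of a candidate PFX against the two points made in the answer above, that Key Usage must include Digital Signature and that a CA-issued (non-self-signed) token-signing cert has to be renewed and re-distributed to relying parties by hand when it expires. The PFX path is a placeholder; the password is read at the prompt.

```powershell
# Added example (not from the original post). Checks whether a candidate cert
# meets the ADFS token-signing requirements discussed in the answer above.
# $PfxPath is a placeholder; supply your own file.
function Test-TokenSigningCert {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $Password

    # Locate the Key Usage extension (OID 2.5.29.15), if the cert carries one.
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1

    # The answer's only hard requirement: Key Usage contains Digital Signature.
    $hasDigitalSignature = $false
    if ($ku) {
        $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        $hasDigitalSignature = (($ku.KeyUsages -band $flag) -ne 0)
    }

    # Expiry matters because a CA-issued cert is not rolled over automatically;
    # relying parties must be given the renewed cert manually before this date.
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Subject             = $cert.Subject
        Thumbprint          = $cert.Thumbprint
        HasKeyUsageExt      = [bool]$ku
        HasDigitalSignature = $hasDigitalSignature
        HasPrivateKey       = $cert.HasPrivateKey          # needed to sign SAML messages
        SelfSigned          = ($cert.Subject -eq $cert.Issuer)
        DaysUntilExpiry     = $daysLeft
        Usable              = ($hasDigitalSignature -and $cert.HasPrivateKey -and $daysLeft -gt 0)
    }
}

# Example invocation with a placeholder path; the password is prompted for so it
# never ends up in the script or shell history.
$result = Test-TokenSigningCert -PfxPath 'C:\certs\token-signing.pfx' `
                                -Password (Read-Host -AsSecureString 'PFX password')
$result | Format-List
```

An SSL or code signing cert from a public CA normally passes this check, since both carry Digital Signature; a cert that lacks a private key (a public-only .cer file) will report Usable = False.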