In an EmpowerID deployment, certificates provide the underlying support for the authentication, integrity, and confidentiality of messages exchanged between the various platform components, as well as any federated partners communicating with EmpowerID. These certificates play an important role in the EmpowerID federated security model in that EmpowerID uses them to sign and encrypt SAML Assertions and the WS-Federation security tokens issued by the EmpowerID Security Token Service (STS), which are then validated/decrypted by the various services and applications deployed against EmpowerID. There are two important types of certificates used in an EmpowerID deployment, the Server Certificate and the SSL Certificate.
When you install EmpowerID, you must select a "Server" certificate as part of the installation process. This certificate is used by the EmpowerID STS to encrypt the security tokens issued by it each time a user authenticates against the system and used by the EmpowerID services to verify the validity of those tokens and the access requests represented by them. As this is the case, you must have the private key for this certificate as it is used by the EmpowerID services to decrypt the tokens passed to them by the STS.
The Server certificate must be issued by a Certificate Authority in the Trusted Root Certification Authorities of the local machine and meet the additional requirements:
certutil -store myfrom the command prompt once the certificate is imported into the Computer account Personal store.
To ensure your certificates meet the requirements for EmpowerID, please see the the following support articles per your situation:
Requesting a SHA-256 certificate for EmpowerID using Active Directory Certificate Services
Requesting a SHA-256 certificate for EmpowerID using an external certificate authority
Once you are using EmpowerID, you will have the ability to add more certificates to the application. These certificates can then be used in the Single Sign-On process to sign, verify or encrypt information. If you want to use a certificate for signing, the certificate must have a valid certificate chain and be installed in Personal Certificate store of the Local Machine with a private key. Additionally, the identity that is used for the Application Pools and the Services must have access to the private key to use it for signing.
As well as the Server certificate mentioned above, EmpowerID requires an SSL certificate be deployed in IIS to secure the communications that occur internally between the various EmpowerID applications and the Website, those occurring between EmpowerID and client applications, as well as for encrypting any security tokens issued by the EmpowerID STS that are transmitted over the wire and establishing client identities during federated communication and the exchange of security tokens during those communications. As with the Server certificate, EmpowerID requires the private key to decrypt the security token and the IIS certificate must be issued by a widely trusted Certificate Authority in the Trusted Root Certification Authorities of the local machine. Additionally, the following conditions are required:
In addition, the certificate details information must be as follows:
Each EmpowerID Service has the following certificate requirements:
Each EmpowerID Web Role Server has the following certificate requirements:
For machines running the EmpowerID services you need the following certificates:
For machines running the EmpowerID Web Role Server, you need the following certificates:
Due to the different types of certificates that could be used, EmpowerID performs its own validation to ensure a deployed certificate meets the minimum requirements. This validation takes into account self-signed and certificate-authority issued certificates within the issuing chain. Although EmpowerID does not support the Peer or Chain trust, you may elect to use these types of certificate validations in your client applications. Where a certificate used by the client application is deployed is irrelevant to the EmpowerID Web Role Server or the service being consumed by the client application. If you choose to use the Peer trust validation, your certificates must be deployed in the Trusted People store for your client application to work.