Setting up AD and ADFS is easy these days on an Azure Virtual Machine. I configured AD on an Azure VM running Windows Server 2012 R2, and the next step was to configure ADFS 3.0.
For this I needed a certificate. Since this was a development scenario I chose a self-signed certificate, so I opened IIS, created one from the Server Certificates option and supplied it in the ADFS configuration.
Another way to generate a self-signed certificate is the makecert command, run from a Visual Studio Developer Command Prompt in admin mode:-
makecert -sky exchange -r -n "CN=CertificateName" -pe -a sha1 -len 2048 -ss My "CertificateName.cer"
(-r makes it self-signed, -pe marks the private key exportable, -ss My puts it in the Personal store. -a sha1 selects a SHA-1 signature; use -a sha256 for anything beyond a throwaway development certificate.)
When I selected this certificate in the ADFS Federation Configuration Wizard I received the error - The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.
The cause is where the private key is stored, not the certificate itself. The IIS wizard on Windows Server 2012 R2 generates the key with a CNG Key Storage Provider (Microsoft Software Key Storage Provider), and ADFS 3.0 only accepts keys held by a legacy CryptoAPI provider. So the key has to be generated with a CSP such as Microsoft Strong Cryptographic Provider, and the easiest way to do that is the New-SelfSignedCertificateEx PowerShell script. First download it from the link - https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6#content
Then copy the .ps1 file to a folder (I used c:\kunal), open a PowerShell window as admin and run the commands below. The first dot-sources the script so its function is available; the second creates a certificate in the LocalMachine store whose key is held by the legacy CSP (-KeyUsage 0xa0 is DigitalSignature 0x80 plus KeyEncipherment 0x20, and -Exportable lets you pull the private key out as a .pfx).
PS C:\kunal> . .\New-SelfSignedCertificateEx.ps1
PS C:\kunal> New-SelfSignedCertificateEx -Subject "CN=mycert.cloudapp.net" -EKU "Server Authentication" -KeyUsage 0xa0 -StoreLocation "LocalMachine" -ProviderName "Microsoft Strong Cryptographic Provider" -Exportable
The generated certificate (together with its private key, since -Exportable was specified) can be exported as a .pfx from the Local Computer certificate store as described in the below link - http://sanganakauthority.blogspot.in/2012/02/install-certificate-in-local-computer.html
Use this certificate in the ADFS configuration wizard and you should be good to go. Remember that the subject (here mycert.cloudapp.net) must match the federation service name you enter in the wizard, and that a self-signed certificate is only suitable for development.
In case dot-sourcing the script (. .\New-SelfSignedCertificateEx.ps1) does not work, you can simply load it with Import-Module instead. Run the below command -
PS C:\kunal> Import-Module .\New-SelfSignedCertificateEx.ps1
After this, run the New-SelfSignedCertificateEx command above to create the certificate.
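Putting the steps together, here is an added PowerShell example (not from the original post) that loads the script, creates the certificate, checks that the private key really is held by a legacy CSP rather than a CNG Key Storage Provider before you go near the ADFS wizard, and exports the .pfx. The folder C:\kunal and the subject mycert.cloudapp.net come from this post; the output file name and the helper Test-LegacyCspKey are my own assumptions.

```powershell
# Added example, not code from the original post or from the script's author.
# Assumes New-SelfSignedCertificateEx.ps1 is in C:\kunal and the federation
# service name is mycert.cloudapp.net; adfs-dev.pfx is an assumed output name.
$scriptPath  = 'C:\kunal\New-SelfSignedCertificateEx.ps1'
$subject     = 'CN=mycert.cloudapp.net'
$pfxPath     = 'C:\kunal\adfs-dev.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Load the function by dot-sourcing (Import-Module $scriptPath also works).
. $scriptPath

# -ProviderName forces a CryptoAPI CSP, which is what ADFS 3.0 requires.
# -KeyUsage 0xa0 = DigitalSignature (0x80) + KeyEncipherment (0x20).
New-SelfSignedCertificateEx -Subject $subject `
    -EKU 'Server Authentication' `
    -KeyUsage 0xa0 `
    -StoreLocation 'LocalMachine' `
    -ProviderName 'Microsoft Strong Cryptographic Provider' `
    -Exportable

# Pick the newest certificate with that subject from the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $cert) { throw "Certificate $subject was not created" }

# Returns the CSP name when the key is held by a legacy CryptoAPI provider.
# For a CNG key on Server 2012 R2 / .NET 4.5, X509Certificate2.PrivateKey is
# $null or throws "Invalid provider type specified", which is exactly the
# certificate the ADFS wizard rejects; in that case $null is returned.
function Test-LegacyCspKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    try {
        $key = $Certificate.PrivateKey
    } catch {
        return $null
    }
    if ($null -eq $key) { return $null }
    return $key.CspKeyContainerInfo.ProviderName
}

$provider = Test-LegacyCspKey $cert
if (-not $provider) {
    throw "Key for $($cert.Thumbprint) is CNG-backed; ADFS 3.0 will reject it"
}
Write-Host "Private key provider: $provider"

# Export certificate plus private key for the ADFS wizard (PKI module cmdlet).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $pfxPath"

# certutil shows the provider as well; a line reading
# 'Provider = Microsoft Software Key Storage Provider' means a CNG key.
certutil -store My $cert.Thumbprint | Select-String 'Provider'
```

Run it in an elevated PowerShell window; the provider check is the part worth keeping around, since it tells you whether a certificate from any source (IIS, makecert, a CA) will be accepted before the wizard does.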
Hope this helps.