Hi,
I have an AD FS setup.
I'm having difficulty using a certificate obtained from an Enterprise Root CA as a signing and/or decryption certificate. I've chosen not to use the automatic roll-over of the signing certificate because of the risk that my relying parties are no longer able to use the AD FS server when this occurs. In my experience, system administrators forget to manage the updating of relying parties proactively. I chose the Enterprise Root CA because that way I can have SharePoint trust the CA root certificate, so I do not have to trust a new certificate every time the signing certificate updates.
The point is now: I can only use a certificate from an Enterprise Root CA if I request it from IIS (so a web server certificate), which does not have the lifetime and key length I want. When I create a new certificate template based on the Web Server certificate template and request a certificate from the Certificates MMC snap-in, no matter what I do I get AD FS event 133 (cannot access private key). I do have the private key permissions set properly and the certificate is in the proper store (as I do with the key generated from IIS, which works fine), so I guess there is something else about the certificate that AD FS does not like. I've even tried putting the certificate in multiple stores (i.e. the store for the AD FS service account), but that doesn't help.
This is driving me nuts. Who knows how to solve this?
(Btw: I have a Windows Server 2012 AD FS server and a 2008 R2 domain controller.)
Also: if a different certificate strategy makes more sense, I would like to know that as well.
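The following PowerShell script is an added diagnostic for the situation described in the post above; it is not code from the poster or from Microsoft. It reports the two things AD FS event 133 ("cannot access private key") most often comes down to: whether the private key is held by a legacy CryptoAPI CSP or by a CNG key storage provider (AD FS 2.x and the Windows Server 2012 AD FS role only accept legacy CSP keys for token signing and decryption, and a duplicated template defaults to "Key Storage Provider" on its Cryptography tab, while the built-in Web Server template uses a legacy CSP), and whether the AD FS service account actually has Read on the key container file. `$Thumbprint` and `$ServiceAccount` are placeholders you supply; it assumes an elevated prompt on the AD FS server and uses only `Get-Item` on the certificate drive, `Get-Acl`, and the `Get-AdfsCertificate` cmdlet from the ADFS module.

```powershell
<#
Added diagnostic (not from the original post). Inspects a candidate AD FS
token-signing / decryption certificate in LocalMachine\My and reports:
 1. the template it was issued from (Enterprise CA certs carry this extension)
 2. whether the key is a legacy CSP key or a CNG/KSP key (AD FS 2012 needs CSP)
 3. whether the service account has Read on the key container file
 4. what AD FS is currently configured with, for comparison
Assumptions: elevated PowerShell on the AD FS server; parameters are placeholders.
#>
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,      # placeholder, e.g. 'A1B2C3...'
    [Parameter(Mandatory = $true)] [string] $ServiceAccount   # placeholder, e.g. 'CONTOSO\svc_adfs'
)

$Thumbprint = $Thumbprint -replace '\s', ''
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
"Subject        : $($cert.Subject)"
"NotAfter       : $($cert.NotAfter)"

# 1. Template name/OID (v1 templates use OID 1.3.6.1.4.1.311.20.2, v2+ use ...21.7).
$tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }
if ($tmpl) { "Template       : $(($tmpl | ForEach-Object { $_.Format($false) }) -join '; ')" }

# 2. CSP or CNG?  On .NET 4.x, X509Certificate2.PrivateKey is populated only for
#    legacy CSP keys; a CNG (KSP) key leaves it $null although HasPrivateKey is $true.
if (-not $cert.HasPrivateKey) { throw "No private key is associated with this certificate" }
$keyFile = $null
$csp = $cert.PrivateKey
if ($null -eq $csp) {
    Write-Warning ("Key is held by a CNG key storage provider. AD FS on Server 2012 cannot " +
        "use it for token signing/decryption; re-issue from a template whose Cryptography tab " +
        "is set to 'Legacy Cryptographic Service Provider'.")
} else {
    $info = $csp.CspKeyContainerInfo
    "Provider       : $($info.ProviderName)"
    "KeyNumber      : $($info.KeyNumber)"   # Exchange (AT_KEYEXCHANGE) serves both AD FS roles
    "KeySize        : $($csp.KeySize)"
    # Machine CSP keys live as files named by the unique container name.
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
}

# 3. Does the service account have an explicit Allow ACE with read access on the key file?
#    (Group-derived access is not resolved here; an absent ACE is a hint, not proof.)
if ($keyFile) {
    if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $allowed = (Get-Acl $keyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $ServiceAccount -and
        (($_.FileSystemRights -band $readData) -ne 0)
    }
    if ($allowed) {
        "ACL            : $ServiceAccount has read access on $keyFile"
    } else {
        Write-Warning ("$ServiceAccount has no explicit Allow/Read ACE on $keyFile. Grant it via " +
            "certlm.msc > All Tasks > Manage Private Keys, or: icacls `"$keyFile`" /grant `"${ServiceAccount}:R`"")
    }
}

# 4. What AD FS currently trusts, so the new thumbprint can be compared.
Import-Module ADFS -ErrorAction SilentlyContinue
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    Get-AdfsCertificate |
        Where-Object { $_.CertificateType -ne 'Service-Communications' } |
        Select-Object CertificateType, IsPrimary, Thumbprint, StoreLocation, StoreName |
        Format-Table -AutoSize
}
```

Run it as `.\Test-AdfsKey.ps1 -Thumbprint <thumbprint> -ServiceAccount 'DOMAIN\svc_adfs'` (the file name is your choice). If step 2 warns about a CNG key, no amount of ACL work on the certificate store will clear event 133; the fix is in the template's Cryptography tab, after which the IIS-style request path and the MMC request path produce the same kind of key. Step 3 only inspects the CSP key file, which is the ACE that "Manage Private Keys" edits; it does not resolve group memberships, so a missing ACE for the literal account name is a prompt to check, not a verdict.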