In an EmpowerID deployment, certificates underpin the authentication, integrity, and confidentiality of messages exchanged between the platform components and with any federated partners communicating with EmpowerID. They are central to the EmpowerID federated security model: EmpowerID uses them to sign and encrypt the SAML assertions and WS-Federation security tokens issued by the EmpowerID Security Token Service (STS), and the services and applications deployed against EmpowerID use them to validate and decrypt those tokens. Two types of certificates are used in an EmpowerID deployment: the Server Certificate and the SSL Certificate.


Info

A single certificate can satisfy both sets of requirements; it is not necessary to deploy two different certificates.

Server Certificate

When you install EmpowerID, you must select a "Server" certificate during the installation process. The EmpowerID STS uses this certificate to encrypt the security tokens it issues each time a user authenticates against the system, and the EmpowerID services use it to verify the validity of those tokens and of the access requests they represent. You must therefore have the private key for this certificate, because the EmpowerID services use it to decrypt the tokens passed to them by the STS.

...


Warning

In addition, the certificate details must be as follows:

  • Key Usage - Digital Signature, Key Encipherment
  • Enhanced Key Usage - Server Authentication, Client Authentication
  • Signature algorithm - sha256RSA
  • Signature hash algorithm - sha256
  • Thumbprint algorithm - sha1
  • Provider - Microsoft Enhanced RSA and AES Cryptographic Provider


Tip

To find the Provider for your current certificate, run certutil -store my from the command prompt once the certificate is imported into the Computer account Personal store.


To ensure your certificates meet the requirements for EmpowerID, see the support article that applies to your situation:

Requesting a SHA-256 certificate for EmpowerID using Active Directory Certificate Services
https://support.empowerid.com/hc/en-us/articles/206834217-Requesting-a-SHA-256-certificate-for-EmpowerID-using-Active-Directory-Certificate-Services

Requesting a SHA-256 certificate for EmpowerID using an external certificate authority
https://support.empowerid.com/hc/en-us/articles/206113388-Requesting-a-SHA-256-certificate-for-EmpowerID-using-an-external-certificate-authority



...

In addition, the certificate details must be as follows:

  • Key Usage - Digital Signature, Key Encipherment
  • Enhanced Key Usage - Server Authentication, Client Authentication
  • Signature algorithm - sha256RSA
  • Signature hash algorithm - sha256
  • Thumbprint algorithm - sha1
  • Provider - Microsoft Enhanced RSA and AES Cryptographic Provider
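
The requirement list above appears for each certificate on this page, and the Tip earlier on the page shows how to read the Provider with certutil. The following PowerShell function, added here as an example and not part of the EmpowerID documentation or product, checks an already-imported certificate in the Computer account Personal store against every item in that list. The function name, the placeholder thumbprint, and the use of certutil output for the Provider field are assumptions of this example; it expects Windows PowerShell 5.1 or later and an elevated prompt so the private key is readable.

```powershell
# Added example (not EmpowerID code): verify a certificate in Cert:\LocalMachine\My
# against the EmpowerID Server/SSL certificate requirements.
function Test-EmpowerIDCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint
    )

    $required = @{
        KeyUsage = @('DigitalSignature', 'KeyEncipherment')
        Eku      = @{
            '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
            '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
        }
        SigAlg   = 'sha256RSA'
        Provider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    }
    $problems = New-Object System.Collections.Generic.List[string]

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # The EmpowerID services decrypt STS tokens with the private key, so a
    # public-only import cannot work.
    if (-not $cert.HasPrivateKey) {
        $problems.Add('No private key: the certificate was imported without its private key.')
    }

    # Key Usage must include Digital Signature and Key Encipherment.
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $kuFlags = if ($ku) { $ku.KeyUsages.ToString() -split ',\s*' } else { @() }
    foreach ($flag in $required.KeyUsage) {
        if ($kuFlags -notcontains $flag) { $problems.Add("Key Usage is missing $flag.") }
    }

    # Enhanced Key Usage must include Server and Client Authentication; compare
    # by OID rather than by the localized display name.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    foreach ($oid in $required.Eku.Keys) {
        if ($ekuOids -notcontains $oid) {
            $problems.Add("Enhanced Key Usage is missing $($required.Eku[$oid]) ($oid).")
        }
    }

    # sha256RSA covers both the "Signature algorithm" and "Signature hash algorithm" items.
    if ($cert.SignatureAlgorithm.FriendlyName -ne $required.SigAlg) {
        $problems.Add("Signature algorithm is $($cert.SignatureAlgorithm.FriendlyName), expected $($required.SigAlg).")
    }

    # Provider: read it the same way the Tip does, from "certutil -store my",
    # taking the first "Provider = ..." line for this thumbprint.
    $provider = $null
    foreach ($line in (& certutil.exe -store my $Thumbprint 2>$null)) {
        if ($line -match '^\s*Provider\s*=\s*(.+?)\s*$') { $provider = $Matches[1]; break }
    }
    if ($provider -ne $required.Provider) {
        $problems.Add("Provider is '$provider', expected '$($required.Provider)'.")
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

# Usage: replace the placeholder with the thumbprint shown by "certutil -store my".
Test-EmpowerIDCertificate -Thumbprint '<thumbprint>'
```

Two Provider results deserve attention. If certutil reports "Microsoft Software Key Storage Provider", the key lives in a CNG key storage provider rather than a legacy CSP; code that reaches the key through the classic X509Certificate2.PrivateKey property (an RSACryptoServiceProvider) cannot use such a key, which is the usual reason a CSP provider is mandated. If it reports an older CSP such as "Microsoft Strong Cryptographic Provider" or "Microsoft RSA SChannel Cryptographic Provider", those providers do not implement SHA-256 signing and attempts to sign with them typically fail with "Invalid algorithm specified". A key cannot be moved between providers in place: if it is exportable, re-import the PFX with certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX; otherwise request a new certificate as described in the support articles referenced above.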

...

  • Private Key Certificate (for all services) - The private key is owned by the service and is used to decrypt the security token.
  • Public Key Certificate (for all services) - This allows each service to communicate with the other services.
  • Public Key Certificate (for all issuers) - This allows any issuer to be used in a federation.

Each EmpowerID Web Role Server has the following certificate requirements:

  • Private Key Certificate - The issuer needs access to the private key to generate the XML digital signature that ensures integrity and source verification.
  • Public Key Certificate (for all services) - The relying party's public key certificate is used to establish trust and encrypt the security token.
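
The two lists above describe which party must hold which key: the issuer signs with its own private key and encrypts to the relying party's public key; the relying party decrypts with its own private key and verifies with the issuer's public key. The following PowerShell walks one token through those roles. It is an added illustration, not EmpowerID's code: two throw-away RSA key pairs stand in for the issuer and relying-party certificates, the token text is constructed, and the function name is an assumption of the example. Real SAML and WS-Federation tokens are XML and use XML Signature and XML Encryption (where RSA wraps a symmetric key rather than the whole assertion), but the RSA operations and the distribution of keys are the same. It runs on Windows PowerShell 5.1 (.NET Framework 4.6 or later).

```powershell
# Added example (not EmpowerID code): sign-and-encrypt on the issuer side,
# decrypt-and-verify on the relying-party side, using two RSA key pairs.
function Invoke-TokenExchangeDemo {
    # Full key pairs, as each party holds for its own certificate.
    $issuer       = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
    $relyingParty = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048

    # What each party receives from the other: public parameters only
    # (the "Public Key Certificate" entries in the lists above).
    $issuerPublic = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $issuerPublic.ImportParameters($issuer.ExportParameters($false))
    $relyingPartyPublic = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $relyingPartyPublic.ImportParameters($relyingParty.ExportParameters($false))

    $sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $oaep   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1   # the only OAEP variant a CSP supports

    # Constructed stand-in for an assertion; short enough to RSA-encrypt directly.
    $token = [System.Text.Encoding]::UTF8.GetBytes('subject=alice;issuer=sts.example.local;audience=svc.example.local')

    # Issuer (STS) side: sign with its private key, encrypt to the relying party's public key.
    $signature  = $issuer.SignData($token, $sha256, $pkcs1)
    $ciphertext = $relyingPartyPublic.Encrypt($token, $oaep)

    # Relying party (service) side: decrypt with its private key, verify with the issuer's public key.
    $plaintext = $relyingParty.Decrypt($ciphertext, $oaep)
    $verified  = $issuerPublic.VerifyData($plaintext, $signature, $sha256, $pkcs1)

    # Integrity check: a token altered after issuance still decrypts but no longer verifies.
    $tampered = [byte[]]$plaintext.Clone()
    $tampered[8] = $tampered[8] -bxor 1
    $tamperedVerified = $issuerPublic.VerifyData($tampered, $signature, $sha256, $pkcs1)

    # Confidentiality check: a party holding only the public certificate cannot
    # decrypt, which is why the services must have the private key.
    $publicOnlyCanDecrypt = $true
    try   { [void]$relyingPartyPublic.Decrypt($ciphertext, $oaep) }
    catch { $publicOnlyCanDecrypt = $false }

    [pscustomobject]@{
        Decrypted             = [System.Text.Encoding]::UTF8.GetString($plaintext)
        SignatureVerified     = $verified
        TamperedTokenVerified = $tamperedVerified
        PublicOnlyCanDecrypt  = $publicOnlyCanDecrypt
    }
}

Invoke-TokenExchangeDemo
```

The output object makes the page's two claims concrete: SignatureVerified is true only for the untouched token, and PublicOnlyCanDecrypt is false because decryption with a public-only key throws a CryptographicException. Swapping which key is used in each step (for example, encrypting to the issuer's own public key) produces a token the relying party cannot open, so the direction of each operation is as important as the certificate itself.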

...