In an EmpowerID deployment, certificates provide the underlying support for the authentication, integrity, and confidentiality of messages exchanged between the various platform components, as well as any federated partners communicating with EmpowerID. These certificates play an important role in the EmpowerID federated security model in that EmpowerID uses them to sign and encrypt SAML Assertions and the WS-Federation security tokens issued by the EmpowerID Security Token Service (STS), which are then validated/decrypted by the various services and applications deployed against EmpowerID. There are two important types of certificates used in an EmpowerID deployment, the Server Certificate and the SSL Certificate.
You can use one and the same certificate to meet these requirements. It is not necessary to deploy two different certificates.
Server Certificate
When you install EmpowerID, you must select a "Server" certificate as part of the installation process. The EmpowerID STS uses this certificate to encrypt the security tokens it issues each time a user authenticates against the system, and the EmpowerID services use it to verify the validity of those tokens and the access requests they represent. Because the EmpowerID services use it to decrypt the tokens passed to them by the STS, you must have the private key for this certificate.
The Server certificate must be issued by a Certificate Authority in the Trusted Root Certification Authorities of the local machine and meet the additional requirements:
- It must be valid
- It must be deployed in the Certificates (Local Computer)\Personal store
- Minimum intended purpose includes Client/Server Authentication and Encryption
In addition, the certificate details information must be as follows:
- Key Usage — Digital Signature, Key Encipherment
- Enhanced Key Usage — Server Authentication, Client Authentication
- Signature algorithm — sha256RSA
- Signature hash algorithm — sha256
- Thumbprint algorithm — sha1
- Provider — Microsoft Enhanced RSA and AES Cryptographic Provider
To ensure your certificates meet the requirements for EmpowerID, see the following support articles for your situation:
Requesting a SHA-256 certificate for EmpowerID using Active Directory Certificate Services
https://support.empowerid.com/hc/en-us/articles/206834217-Requesting-a-SHA-256-certificate-for-EmpowerID-using-Active-Directory-Certificate-Services
Requesting a SHA-256 certificate for EmpowerID using an external certificate authority
https://support.empowerid.com/hc/en-us/articles/206113388-Requesting-a-SHA-256-certificate-for-EmpowerID-using-an-external-certificate-authority
To find the Provider for your current certificate, run certutil -store my from the command prompt once the certificate is imported into the Computer account Personal store.
Once you are using EmpowerID, you have the ability to add more certificates to the application. These certificates can then be used in the Single Sign-On process to sign, verify, or encrypt information. If you want to use a certificate for signing, the certificate must have a valid certificate chain and be installed in the Personal certificate store of the Local Machine together with its private key. Additionally, the identity used for the Application Pools and the Services must have access to the private key in order to use it for signing.
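The last requirement above (the Application Pool or service identity must be able to read the private key) is the one most often missed after a certificate is imported. The following PowerShell function is an added example and is not part of the EmpowerID product or its documentation. It locates the on-disk key container for a CAPI (CSP) key, which is what a certificate issued with the "Microsoft Enhanced RSA and AES Cryptographic Provider" uses, and grants the given identity Read access only, which is sufficient for signing and decryption. The thumbprint and identity values are placeholders, and the assumption that the key is a CSP key (CNG keys live under a different path) is checked and reported rather than guessed.

```powershell
# Added example, not EmpowerID's own tooling. Run from an elevated Windows PowerShell
# session on the EmpowerID server. Assumes a CAPI (CSP) private key in the
# Local Computer\Personal store; CNG-stored keys are detected and rejected with a hint.
function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # Placeholder examples: 'IIS AppPool\EmpowerID' or 'DOMAIN\svc-empowerid'
        [Parameter(Mandatory)][string]$Identity
    )

    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }

    # For CSP keys .NET exposes an RSACryptoServiceProvider whose container info names the key file.
    # Accessing .PrivateKey on a CNG key throws "Invalid provider type specified" on .NET Framework.
    try { $rsa = $cert.PrivateKey } catch { $rsa = $null }
    if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        throw "Private key is not a CSP (CAPI) key; for CNG keys the container is under $env:ProgramData\Microsoft\Crypto\Keys"
    }

    # Machine-store CSP key containers are files under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
    $keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
    if (-not (Test-Path -Path $keyFile)) { throw "Private key container file not found: $keyFile" }

    # Least privilege: Read is all that signing and decryption need; never grant Full Control here.
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Return the effective entries so the change can be verified (and audited) immediately.
    (Get-Acl -Path $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage with placeholder values (substitute the real thumbprint and the pool/service identity):
# Grant-PrivateKeyRead -Thumbprint 'THUMBPRINT_PLACEHOLDER' -Identity 'IIS AppPool\EmpowerID'
```

The same read access can be granted through the Certificates MMC snap-in (All Tasks, Manage Private Keys); the script form is useful when several Web Role Servers must be configured consistently and the resulting ACL needs to be recorded.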
SSL Certificate for the EmpowerID Website
In addition to the Server certificate described above, EmpowerID requires an SSL certificate deployed in IIS. This certificate secures the communications that occur internally between the various EmpowerID applications and the Website and those between EmpowerID and client applications; it is also used to encrypt security tokens issued by the EmpowerID STS while they are transmitted over the wire, and to establish client identities during federated communication and the exchange of security tokens. As with the Server certificate, EmpowerID requires the private key to decrypt the security token, and the IIS certificate must be issued by a widely trusted Certificate Authority present in the Trusted Root Certification Authorities store of the local machine. Additionally, the following conditions are required:
- It must be valid
- It must be deployed in the Certificates (Local Computer)\Personal store
- Minimum intended purpose includes Client/Server Authentication and Encryption
In addition, the certificate details information must be as follows:
- Key Usage — Digital Signature, Key Encipherment
- Enhanced Key Usage — Server Authentication, Client Authentication
- Signature algorithm — sha256RSA
- Signature hash algorithm — sha256
- Thumbprint algorithm — sha1
- Provider — Microsoft Enhanced RSA and AES Cryptographic Provider
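Because the Server certificate and the SSL certificate share the same requirement list (validity, trusted issuing chain, private key present, Key Usage, Enhanced Key Usage, sha256RSA signature, and the CSP provider), one check can verify either. The PowerShell function below is an added example, not EmpowerID's Certificate Manager or any other EmpowerID tooling. It inspects a certificate in the Local Computer\Personal store against each item in the lists above and also automates the certutil -store my lookup of the Provider described earlier by parsing that command's output. The thumbprint is a placeholder; chain building uses the machine's default revocation policy, which is an assumption you may need to adjust on an offline host.

```powershell
# Added example, not EmpowerID's own tooling. Run in Windows PowerShell on the EmpowerID
# server. Checks one certificate in Cert:\LocalMachine\My against the Server/SSL
# certificate requirements and reports which checks failed.
function Test-EmpowerIdCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

    $checks = [ordered]@{}
    $now = Get-Date
    $checks['Within validity period'] = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)

    # The issuing chain must end at a CA in the machine's Trusted Root Certification Authorities.
    # Default chain policy (online revocation checking) is an assumption of this example.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $checks['Chain builds to a trusted root'] = $chainOk
    $chainStatus = if ($chainOk) { '' } else { ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ' }

    # The private key must be in this store so the services can decrypt STS tokens.
    $checks['Private key present'] = $cert.HasPrivateKey

    # Key Usage must include both Digital Signature and Key Encipherment.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $needKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    $checks['Key Usage: Digital Signature + Key Encipherment'] = [bool]($ku -and (($ku.KeyUsages -band $needKu) -eq $needKu))

    # Enhanced Key Usage must include Server Authentication and Client Authentication (checked by OID).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $checks['EKU: Server Authentication (1.3.6.1.5.5.7.3.1)'] = ($oids -contains '1.3.6.1.5.5.7.3.1')
    $checks['EKU: Client Authentication (1.3.6.1.5.5.7.3.2)'] = ($oids -contains '1.3.6.1.5.5.7.3.2')

    # Signature algorithm sha256RSA implies the sha256 hash; the thumbprint .NET exposes is always SHA-1.
    $checks['Signature algorithm sha256RSA'] = ($cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')

    # Provider: read the "Provider = ..." line that certutil -store my prints for this certificate.
    $provider = $null
    foreach ($line in @(certutil -store my $Thumbprint 2>$null)) {
        if ($line -match '^\s*Provider\s*=\s*(.+?)\s*$') { $provider = $Matches[1]; break }
    }
    $checks['Provider: Microsoft Enhanced RSA and AES Cryptographic Provider'] = ($provider -eq 'Microsoft Enhanced RSA and AES Cryptographic Provider')

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Provider    = $provider
        ChainStatus = $chainStatus
        Checks      = $checks
        Failed      = $failed
        Compliant   = ($failed.Count -eq 0)
    }
}

# Usage with a placeholder thumbprint (substitute the certificate selected during installation):
# Test-EmpowerIdCertificate -Thumbprint 'THUMBPRINT_PLACEHOLDER' | Format-List
```

A certificate that passes every check here still has to be readable by the Application Pool and service identities; this function confirms the key exists in the store, not that a particular account can use it.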
Certificate Requirements
Each EmpowerID Service has the following certificate requirements:
- Private Key Certificate (for all services) — The private key is owned by the service to decrypt the security token.
- Public Key Certificate (for all services) — This allows each service to communicate with the other services.
- Public Key Certificate (for all issuers) — This allows any issuer to be used in a federation.
Each EmpowerID Web Role Server has the following certificate requirements:
- Private Key Certificate — The issuer needs to have access to the private key to generate the XML digital signature to ensure integrity and source verification.
- Public Key certificate (for all services) — The relying party public key certificate is used to establish trust and encrypt the security token.
For machines running the EmpowerID services you need the following certificates:
- Root Certificate for CA
- Server Certificate Public Key
For machines running the EmpowerID Web Role Server, you need the following certificates:
- Root Certificate for CA
- Server Certificate Private and Public Key
Certificate Compliance
Due to the different types of certificates that could be used, EmpowerID performs its own validation to ensure a deployed certificate meets the minimum requirements. This validation takes into account both self-signed and certificate-authority-issued certificates within the issuing chain. Although EmpowerID does not support Peer or Chain trust, you may elect to use these types of certificate validation in your client applications. Where a certificate used by the client application is deployed is irrelevant to the EmpowerID Web Role Server or the service being consumed by the client application. If you choose to use Peer trust validation, your certificates must be deployed in the Trusted People store for your client application to work.
EmpowerID provides a utility application, the EmpowerID Certificate Manager, that you can use to check whether your certificates meet the above requirements. Additionally, you can generate Server and SSL certificates for testing. Please note that these self-generated certificates should not be used in production environments. For information on using the EmpowerID Certificate Manager, see Managing Certificates.