Add—Click to add a certificate file to the list of certificates that are used to verify security tokens that are issued by the account partner. Select a DER-encoded, binary, X.509 certificate file (.cer); a PKCS #7 certificate file (.p7b), or a certificate store file (.sst) whose contents are of one of the following types:
- A self-signed certificate (A self-signed
certificate is a root certification authority (CA)
certificate.)
- All the certificates in the certification
path up to the root (In this case, the end certificate is detected
automatically.)
Remove—Click to delete the highlighted certificate from the list of verification certificates.
Note | |
The last certificate cannot be deleted because at least one certificate must be present for this Federation Service to validate tokens that are issued by the Federation Service itself. |
View—Click to view the details of the highlighted certificate in the list of verification certificates.
Revocation settings
Check the end certificate—This option checks to see if the end certificate in the certificate chain has been revoked. Selecting this option can increase performance because only the certificate revocation list (CRL) that is associated with the CA that issued the end certificate is checked for revocation status, not any CRLs that are higher in the certificate chain than that end certificate's CA.
Caution | |
Select this option only if you trust the CA that issued the end certificate. |
Check the end Certificate in the Cache only—This option performs the same actions as Check the end certificate, but instead of checking revocation status from the CA that issued the end certificate directly, revocation checking is performed on a CRL that has been imported into the Local Machine store.
Note | |
If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail. |
Check the entire Certificate Chain—This option checks revocation status on every certificate in the chain, including the root certificate. Although most revocation checks exclude checking the root certificate, this option will run a check to verify that the root certificate has not been revoked.
Check the entire Certificate Chain in the Cache only—This option performs the same actions as Check the entire Certificate Chain, but instead of checking revocation status from the CA that issued the root certificate directly, revocation checking is performed on a CRL that has been imported into the Local Machine store.
Note | |
If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail. |
Check the entire Chain excluding the Root—This option checks revocation status on every certificate in the chain except for the root certificate. This option is the default setting for revocation checking in AD FS.
Check the entire Chain excluding the Root in the Cache only—This option performs the same actions as Check the entire Chain excluding the Root, but instead of checking revocation status from the CAs that issued the certificates directly, revocation checking is performed on a CRL that has been imported into the Local Machine store.
Note | |
If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail. |