SSL Certificate Requirements

Applies To: Azure

  • Use the same SSL certificate for all AD FS nodes. It is strongly recommended to use the same SSL certificate across all nodes of your AD FS farm as well as all Web Application proxy servers. This certificate must be an X509 certificate. For more information, see AD FS Requirements.

  • Use a public certificate. You can use a self-signed certificate on federation servers in a test lab environment; however, for a production environment, we recommend that you obtain the certificate from a public certificate authority (CA).

  • Use a certificate based on a CSP. Certificates based on CryptoAPI next generation (CNG) keys and key storage providers are not supported. This means you must use a certificate based on a cryptographic service provider (CSP) and not a key storage provider (KSP).

  • Match the federation service name. The identity of the certificate must match the federation service name (for example, fs.contoso.com). The identity is either a subject alternative name (SAN) extension of type dNSName or, if there are no SAN entries, the subject name specified as a common name. Multiple SAN entries can be present in the certificate, provided one of them matches the federation service name.

  • Add enterpriseregistration SAN for Workplace Join. If you are planning to use Workplace Join, an additional SAN is required with the value “enterpriseregistration.” followed by the User Principal Name (UPN) suffix of your organization (for example, enterpriseregistration.contoso.com).

  • Wildcard certificates are supported.
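The following PowerShell script is an added example, not part of this page or of Microsoft's own tooling: it reads a certificate from the local machine store and applies the identity rule, the Workplace Join SAN rule and the CSP-versus-KSP rule from the list above. The thumbprint, `fs.contoso.com` and `contoso.com` values are placeholders, and the "one leftmost label" wildcard semantics are an assumption, since the page only states that wildcard certificates are supported.

```powershell
# Added example (not from the Microsoft page): check an installed certificate against the
# AD FS SSL requirements above. Thumbprint, federation service name and UPN suffix are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$FederationServiceName = 'fs.contoso.com',   # placeholder
    [string]$UpnSuffix = 'contoso.com'                   # placeholder
)

# Match a certificate name against a host name. '*.' is assumed to cover exactly one
# leftmost label (standard wildcard semantics; the page only says wildcards are supported).
function Test-NameMatch([string]$CertName, [string]$HostName) {
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                  # e.g. '.contoso.com'
        if (-not $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
        $leftLabel = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($leftLabel.Length -gt 0) -and (-not $leftLabel.Contains('.'))
    }
    return $CertName -ieq $HostName
}

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# SAN extension (OID 2.5.29.17): collect the dNSName entries from its formatted text.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($sanExt) {
    $dnsNames = @($sanExt.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match '^\s*DNS Name=(\S+)') { $Matches[1] } })
}

# The subject CN counts as the identity only when the certificate has no SAN entries.
$cn = if ($cert.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1] } else { '' }
$identities = if ($dnsNames.Count -gt 0) { $dnsNames } else { @($cn) }

# CSP vs KSP: on Windows PowerShell, PrivateKey is an RSACryptoServiceProvider for CSP keys
# and throws "Invalid provider type specified" for CNG/KSP keys; on PowerShell 7 it returns RSACng.
$usesCsp = $false
try { $usesCsp = $cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider] } catch { }

$checks = [ordered]@{
    'Identity matches federation service name' = [bool]($identities | Where-Object { Test-NameMatch $_ $FederationServiceName })
    'enterpriseregistration SAN present'       = [bool]($dnsNames | Where-Object { Test-NameMatch $_ "enterpriseregistration.$UpnSuffix" })
    'Private key stored in a CSP (not a KSP)'  = $usesCsp
}
$checks.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key }
```

Run it in an elevated session on the federation server, since the private key check needs access to the machine store. Note that a certificate whose CN matches the federation service name still fails the identity check when it carries SAN entries that do not match, which is the precedence rule the identity requirement describes. To cross-check the provider, `certutil -store My <thumbprint>` prints a `Provider =` line: a CSP-backed key shows a provider such as `Microsoft RSA SChannel Cryptographic Provider`, while `Microsoft Software Key Storage Provider` indicates a KSP-backed (CNG) key that AD FS does not support.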

See Also

Concepts

Directory integration
Azure Active Directory Connect