Certificate Requirements
EmpowerID uses certificates to provide authentication, integrity, and confidentiality for messages exchanged between platform components and federated partners. EmpowerID deployments require three distinct types of certificates: SSL/TLS certificates for web communications, System Access certificates for service authentication, and Federation certificates for federated identity exchanges. Each certificate type serves a specific purpose and has its own technical requirements.
Certificate Types and Purposes
SSL/TLS Certificate
Purpose: Secures the EmpowerID website and makes it HTTPS capable.
The SSL/TLS certificate is deployed in IIS to encrypt web traffic and establish secure HTTPS connections for the EmpowerID website.
System Access Certificate
Purpose: Provides certificate-based authentication for intra-process communication between EmpowerID services.
The System Access certificate is selected during EmpowerID installation. EmpowerID services use this certificate to encrypt and validate security tokens during service-to-service authentication. The private key for this certificate must be available to EmpowerID services to decrypt tokens passed by the Security Token Service (STS).
Federation Certificate
Purpose: Signs SAML assertions and authentication requests for federated authentication with external partners.
The Federation certificate supports EmpowerID's federated security model by signing and encrypting SAML assertions and WS-Federation security tokens issued by the EmpowerID Security Token Service (STS) during federated communications.
Technical Requirements
Each certificate type has specific technical requirements that must be met for proper EmpowerID operation.
SSL/TLS Certificate Requirements
| Requirement | Specification |
|---|---|
| Validity | Certificate must be valid |
| Deployment Location | Certificates (Local Computer)\Personal store |
| Minimum Intended Purpose | Server Authentication |
| Key Usage | Digital Signature, Key Encipherment |
| Enhanced Key Usage | Server Authentication |
| Signature Algorithm | sha256RSA |
| Signature Hash Algorithm | sha256 |
| Thumbprint Algorithm | sha1 |
| Provider | Microsoft Enhanced RSA and AES Cryptographic Provider |
| Certificate Authority | Must be issued by a Certificate Authority in the Trusted Root Certification Authorities of the local machine |
System Access Certificate Requirements
| Requirement | Specification |
|---|---|
| Validity | Certificate must be valid |
| Deployment Location | Certificates (Local Computer)\Personal store |
| Minimum Intended Purpose | Client/Server Authentication and Encryption |
| Key Usage | Digital Signature, Key Encipherment |
| Enhanced Key Usage | Server Authentication, Client Authentication |
| Signature Algorithm | sha256RSA |
| Signature Hash Algorithm | sha256 |
| Thumbprint Algorithm | sha1 |
| Provider | Microsoft Enhanced RSA and AES Cryptographic Provider |
| Certificate Authority | Self-signed or issued by a private Certificate Authority supporting Client Authentication EKU |
Federation Certificate Requirements
| Requirement | Specification |
|---|---|
| Validity | Certificate must be valid |
| Deployment Location | Certificates (Local Computer)\Personal store |
| Minimum Intended Purpose | Client/Server Authentication and Encryption |
| Key Usage | Digital Signature, Key Encipherment |
| Enhanced Key Usage | Server Authentication, Client Authentication |
| Signature Algorithm | sha256RSA |
| Signature Hash Algorithm | sha256 |
| Thumbprint Algorithm | sha1 |
| Provider | Microsoft Enhanced RSA and AES Cryptographic Provider |
| Certificate Authority | Self-signed or issued by a private Certificate Authority supporting Client Authentication EKU |
You can use the same certificate for multiple purposes if it meets all required specifications. For example, a single certificate that includes both Server Authentication and Client Authentication EKUs can serve as both the SSL/TLS certificate and the System Access certificate.
Certificate Management
Adding Additional Certificates
After initial installation, you can add more certificates to EmpowerID for use in Single Sign-On processes. Certificates used for signing must:
- Have a valid certificate chain
- Be installed in the Personal Certificate store of the Local Machine with a private key
- Grant the Application Pool and Service identities access to the private key
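The third requirement above, granting the Application Pool and Service identities access to the private key, as an added example script that is not EmpowerID's own tooling: it assumes `$Thumbprint` identifies the signing certificate, that the key was created by the CSP provider named in the requirement tables (so its container file is under RSA\MachineKeys), and that the two default identity names are placeholders you replace with your real app pool and service accounts.

```powershell
# Added example (not EmpowerID's own tooling): grants Read on a certificate's private key
# to the identities that must use it. $Thumbprint is an assumed parameter and the two
# default identity names are placeholders; substitute your real app pool and service accounts.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string[]]$Identities = @('IIS AppPool\EmpowerIDAppPoolPlaceholder', 'NT SERVICE\EmpowerIDServicePlaceholder')
)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Local Computer\Personal" }
if (-not $cert.HasPrivateKey) { throw "No private key: import the PFX, not only the public .cer" }

# Keys held by the CSP provider the requirement tables name live as files under
# RSA\MachineKeys; the container name identifies this certificate's key file.
$rsa = $null
try { $rsa = $cert.PrivateKey } catch { }
if (-not $rsa) { throw "Private key not reachable through a CSP; check the Provider with certutil -store my" }
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key container file not found: $keyFile" }

$acl = Get-Acl -LiteralPath $keyFile
foreach ($id in $Identities) {
    # Read is enough to sign and decrypt with the key; do not grant FullControl
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Show the resulting entries for the identities just granted
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $Identities -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it from an elevated session on the server that holds the certificate; an app pool's virtual account resolves only after that pool exists in IIS.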
Certificate Distribution by Server Role
Different EmpowerID server roles require different certificate configurations.
EmpowerID Service Certificate Requirements
| Certificate Type | Purpose |
|---|---|
| Private Key Certificate (all services) | The private key is owned by the service to decrypt security tokens |
| Public Key Certificate (all services) | Allows each service to communicate with other services |
| Public Key Certificate (all issuers) | Allows any issuer to be used in a federation |
EmpowerID Web Role Server Certificate Requirements
| Certificate Type | Purpose |
|---|---|
| Private Key Certificate | The issuer needs access to the private key to generate XML digital signatures for integrity and source verification |
| Public Key Certificate (all services) | The relying party public key certificate establishes trust and encrypts security tokens |
Certificate Deployment by Machine Type
Machines running EmpowerID services require:
- Root Certificate for CA
- System Access Certificate Public Key
- Federation Certificate Public Key
Machines running EmpowerID Web Role Server require:
- Root Certificate for CA
- SSL/TLS Certificate Private and Public Key
- System Access Certificate Private and Public Key
- Federation Certificate Private and Public Key
Certificate Compliance
EmpowerID performs its own validation to ensure deployed certificates meet the minimum requirements. This validation accounts for both self-signed certificates and certificate-authority-issued certificates within the issuing chain.
Although EmpowerID does not support Peer or Chain trust, you may use these certificate validation types in your client applications. If you use Peer trust validation, your certificates must be deployed in the Trusted People store for your client application to work.
To find the Provider for your current certificate, run `certutil -store my` from the command prompt once the certificate is imported into the Computer account Personal store.
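A pre-deployment check of one certificate against the requirement tables above, including the `certutil -store my` Provider lookup just described, as an added example script that is not EmpowerID's own validation: `$Thumbprint` and `$Role` are assumed parameters, and the script assumes Windows PowerShell on the server where the certificate sits in the Local Computer\Personal store.

```powershell
# Added example (not EmpowerID's own tooling): checks one Local Computer\Personal
# certificate against the requirement tables. $Thumbprint and $Role are assumed parameters.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [ValidateSet('SslTls', 'SystemAccess', 'Federation')][string]$Role = 'SystemAccess'
)
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$requiredEku = if ($Role -eq 'SslTls') { @($serverAuthOid) } else { @($serverAuthOid, $clientAuthOid) }
$expectedProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

$results = [ordered]@{}
$now = Get-Date
$results['Within validity period'] = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
$results['Private key present'] = $cert.HasPrivateKey
$results['Signature algorithm sha256RSA'] = ($cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')

# Key Usage must include Digital Signature and Key Encipherment
$kuType = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$ku = $cert.Extensions | Where-Object { $_ -is $kuType }
$results['Key Usage: DigitalSignature + KeyEncipherment'] = [bool]$ku -and
    $ku.KeyUsages.HasFlag($kuFlags::DigitalSignature) -and $ku.KeyUsages.HasFlag($kuFlags::KeyEncipherment)

# Enhanced Key Usage must contain every EKU the chosen role requires
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
$presentOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
$missing = @($requiredEku | Where-Object { $presentOids -notcontains $_ })
$results["EKU set for role $Role"] = ($missing.Count -eq 0)

# Chain must build to a root trusted by this machine (a self-signed certificate
# passes only when it has also been placed in Trusted Root Certification Authorities)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$results['Chain builds to a trusted root'] = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) { Write-Warning "Chain: $($s.Status) $($s.StatusInformation.Trim())" }

# Provider: same check the page describes (certutil -store my), parsed from its "Provider = ..." line
$certutilOut = (& certutil.exe -store my $Thumbprint 2>&1) -join "`n"
$provider = if ($certutilOut -match 'Provider = (.+)') { $Matches[1].Trim() } else { '<not reported>' }
$results["Provider is '$expectedProvider' (found: $provider)"] = ($provider -eq $expectedProvider)

$results.GetEnumerator() | ForEach-Object {
    '{0} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

Every line should read PASS before the certificate is selected during installation; a FAIL on the chain line is usually the CA root missing from the local machine's Trusted Root store.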
Additional Resources
To ensure your certificates meet the requirements for EmpowerID, see the following support articles:
Requesting a SHA-256 certificate for EmpowerID using Active Directory Certificate Services
https://support.empowerid.com/hc/en-us/articles/206834217-Requesting-a-SHA-256-certificate-for-EmpowerID-using-Active-Directory-Certificate-Services
Requesting a SHA-256 certificate for EmpowerID using an external certificate authority
https://support.empowerid.com/hc/en-us/articles/206113388-Requesting-a-SHA-256-certificate-for-EmpowerID-using-an-external-certificate-authority