A private key and certificate are needed when creating an XML signature over a SAML assertion or protocol messages. They may either be loaded from a key store or a PFX file.
One of many ways to generate a private key and certificate is to make a request to the Windows certificate server and have it issue a key and certificate. You can then install it in a certificate store and, if required, export the certificate to a CER file or the key and certificate to a PFX file. The steps are outlined below.
- If not already done, install the Certificate Services Windows component. This installs a certification authority (CA) to issue certificates.
- Navigate to the certificate service (e.g. http://localhost/certsrv) and request a certificate. Select "advanced certificate request" and then "Create and submit a request to this CA". Fill in the certificate request details, specifying the certificate type as Server Authentication Certificate, and make sure "Mark keys as exportable" is checked (otherwise the private key cannot later be exported to a PFX file).
- Using the Certification Authority MMC snap-in, view the pending requests and issue a certificate.
- Back at the certificate service, click "View the status of a pending certificate request" and then click the link to install the issued certificate.
- Using the Certificates MMC snap-in, view the certificate to confirm that it has been installed. If required, you can export the certificate and private key to a PFX file, but make sure to check "Include all certificates in the certification path if possible." You can also export the certificate only, if required.
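The same enrollment and export steps can be scripted, which is useful when the signing certificate has to be reproduced on several servers. The following is an added example and is not part of the original article; it uses certreq.exe and the PKI PowerShell cmdlets that ship with Windows. The CA configuration string `CAHOST\Example-CA`, the subject `CN=saml.example.com`, the template name `WebServer` and the file paths are assumptions to be replaced with values from your environment.

```powershell
# Added example (not from the original article): scripted equivalent of the web enrollment
# procedure above. Assumed values: CA config string, subject, template name and file paths.
# Run from an elevated prompt, since the key is created in the machine store.
$CaConfig = 'CAHOST\Example-CA'      # assumption: "<CA host>\<CA name>"; list CAs with: certutil -config - -ping
$Subject  = 'CN=saml.example.com'    # assumption
$WorkDir  = 'C:\Temp\samlcert'       # assumption
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Request file. "Exportable = TRUE" is the scripted form of "Mark keys as exportable";
#    the Server Authentication EKU (1.3.6.1.5.5.7.3.1) matches the certificate type chosen above.
@"
[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$WorkDir\request.inf" -Encoding ASCII

# 2. Generate the key pair and PKCS#10 request, submit it to the CA and install the issued
#    certificate against the pending key. If the CA holds requests for manual approval (the
#    "pending requests" step above), -submit reports a RequestId; approve it on the CA with
#    "certutil -config $CaConfig -resubmit <RequestId>" and fetch it with
#    "certreq -retrieve -config $CaConfig <RequestId> issued.cer" before running -accept.
certreq.exe -new "$WorkDir\request.inf" "$WorkDir\request.req"
certreq.exe -submit -config $CaConfig "$WorkDir\request.req" "$WorkDir\issued.cer"
certreq.exe -accept "$WorkDir\issued.cer"

# 3. Confirm installation and that the private key is present and exportable
#    (the check done with the Certificates MMC snap-in above).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "No certificate with a private key for $Subject in LocalMachine\My"
}
if (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    throw "Private key is not exportable; re-request with Exportable = TRUE"
}

# 4. Export key and certificate to a PFX (BuildChain is the cmdlet equivalent of
#    "Include all certificates in the certification path") and the certificate alone to a CER.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$WorkDir\saml-signing.pfx" `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null
Export-Certificate -Cert $cert -FilePath "$WorkDir\saml-signing.cer" -Type CERT | Out-Null

# 5. Round-trip check: the PFX loads and still carries the private key the SAML signing
#    code needs. EphemeralKeySet needs .NET Framework 4.7.1 or later.
$loaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    "$WorkDir\saml-signing.pfx", $pfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet)
"Thumbprint {0}, has private key: {1}" -f $loaded.Thumbprint, $loaded.HasPrivateKey
```

The request is created with the CAPI SChannel provider so that `$cert.PrivateKey.CspKeyContainerInfo` is available for the exportability check; a CNG provider would need `RSACertificateExtensions::GetRSAPrivateKey` instead. The CER file is what you hand to the relying party for signature verification; the PFX, and its password, should only reach the host that actually signs assertions.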
For more detailed information on using the Microsoft Certificate Server, refer to the MSDN documentation.