Applies to: Exchange Server 2013
Topic Last Modified: 2012-10-09
To establish a federation trust between your Microsoft Exchange Server 2013 organization and the Microsoft Federation Gateway, you need a digital certificate installed on the Exchange server used to create the trust. We strongly recommend using a self-signed certificate. A self-signed certificate is created and installed automatically when using the Enable federation trust wizard in the Exchange Administration Center (EAC).
If you don't want to use the recommended self-signed certificate, you should request and install an X.509 Secure Sockets Layer (SSL) certificate from a certification authority (CA) trusted by Windows Live. Although certificates issued by other CAs may also be used to establish a federation trust with the Microsoft Federation Gateway, they aren't certified by Microsoft to date.
The following table lists CAs currently trusted by Windows Live. These CAs have been tested for use with Exchange 2013.
| CA friendly name | Issued by | Intended purposes |
|---|---|---|
|
Comodo |
Comodo Certification Authority |
Server authentication, client authentication |
|
Digicert |
Digicert Global Root Certification Authority |
Server authentication, client authentication |
|
Digicert High Assurance EV |
Digicert Global Root Certification Authority |
Server authentication, client authentication |
|
Entrust |
Entrust.net Secure Server Certification Authority |
Server authentication, client authentication |
|
Entrust (2048) |
Entrust.net Secure Server Certification Authority |
Server authentication, client authentication |
|
Equifax |
Equifax Secure Certification Authority |
Server authentication, client authentication |
|
GlobalSign |
GlobalSign Certification Authority |
Server authentication, client authentication |
|
Go Daddy |
Go Daddy Class 2 Certification Authority |
Server authentication, client authentication |
|
Network Solutions |
Network Solutions Certification Authority |
Server authentication, client authentication |
|
PositiveSSL |
Comodo Certification Authority |
Server authentication, client authentication |
|
UTN-UserFirst-Hardware |
Comodo Certification Authority |
Server authentication, client authentication |
|
VeriSign |
Class 3 Public Primary Certification Authority |
Server authentication, client authentication |
|
VeriSign |
VeriSign Trust Network |
Server authentication, client authentication |
Are you successfully using a certificate for Federation with Exchange 2013 that isn't on this list? If so, you can assist in the CA verification process. Simply include the CA name and thumbprint information in the Community Content section below this topic.
For more information about certificate requirements for Federation, see Federation.