A token-signing certificate, issued by a certificate authority, provides a quick way to verify if your private key is compromised. Different certificate authorities have different processes for generating a certificate with a private key.

Typically, a certificate request is issued from IIS and then uploaded to the certificate authority through their website. The certificate authority’s response is then imported back into IIS from the same computer that issued the request. This completes the transaction. Some certificate authorities have their own software package that you install on your system and use to request and generate a certificate.

For security, it is generally the computer that intends to use the certificate that makes certificate requests, so the private key does not need to be exported or transmitted.

To use a certificate generated on a different computer than the one hosting the Security Token Service, you must perform the following tasks:

1. Export the certificate with its private key.
2. Choose a temporary password to encrypt the private key contents.
3. Import the key to the computer that is hosting the Security Token Service in the Local Machine Personal certificate store using the Microsoft Management Console (MMC.exe).

   Your next step depends on where you created the certificate:

   • If you created the certificate from the server, continue with Installing the Security Token Service.
   • If you are not creating the certificate from the server, perform the steps in Using a Windows environment to export the key.

• Using a Windows environment to export the key

  Perform the following steps if you are using a Windows environment to export the key:

• Using the Security Token Service