Hieronder volgen de SSL certificaten die nodig zijn bij:

  • Exchange on-premises en hybride,
  • SSO met AD FS (2.0),
  • Exchange Online services, 
  • Exchange Web Services.

Exchange on-premises en hybride

Voor meer informatie:

Single Sign-On

Om gebruikers een single sign-on te geven zijn de volgende 2 certificaten nodig op zowel de bedrijfs-servers als op de proxy-servers:

Certificate Type


What you need to know before you deploy

SSL certificate (also called a server authentication certificate)

This is a standard SSL certificate that is used to make communications between federation servers, clients, and federation server proxy computers secure.

Active Directory Federation Services (AD FS) 2.0 requires an SSL certificate. By default, AD FS 2.0 uses the SSL certificate that is configured for the default website in Internet Information Services (IIS).

The subject name of this SSL certificate is used to determine the Federation Service (FS) name for each instance of AD FS 2.0 that you deploy. Consider choosing a subject name for any new certification authority (CA)-issued certificates that best represents the name of your company or organization to Office 365. This name must be Internet-routable.

AD FS 2.0 requires that this SSL certificate have no dotless (short-name) subject name.

Recommendation: Because this certificate must be trusted by clients of AD FS 2.0, we recommend that you use an SSL certificate issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign or Thawte.


Token-signing certificate

This is a standard X.509 certificate that’s used for securely signing all tokens that the federation server issues and that Office 365 accepts and validates.


The token-signing certificate must contain a private key that chains to a trusted root in the FS. By default, AD FS 2.0 creates a self-signed certificate. However, depending on the needs of your organization, you can change this certificate to a CA-issued certificate by using the AD FS 2.0 management snap-in.

CautionLet op:
The token-signing certificate is critical to the stability of the FS. If the certificate is changed, Office 365 must be notified of the change. If notification is not provided, users can’t sign in to their Office 365 service offerings.

Recommendation: We recommend that you use the self-signed token-signing certificate that is generated by AD FS 2.0. By doing so, it manages this certificate for you by default. For example, when this certificate is about to expire, AD FS 2.0 will generate a new self-signed certificate.



Proxy-servers hebben ook het volgende certificaat nodig:

Certificate Type


What you need to know before you deploy

SSL certificate

This is a standard SSL certificate that is used for securing communications between a federation server, a federation server proxy, and Internet client computers.

This SSL certificate must be bound to the default website in IIS before you can successfully run the AD FS 2.0 Federation Server Proxy Configuration wizard.

This certificate must have the same subject name as the SSL certificate that was configured on the federation server in the corporate network.

Recommendation: We recommend that you use the same server authentication certificate that is configured on the federation server that this federation server proxy connects to.