Each federation server proxy uses a client authentication certificate to authenticate to the Federation Service. You can use any certificate with client authentication extended key usage (EKU) that chains to a trusted root certification authority (CA) on the federation server as a client authentication certificate for the federation server proxy. In addition, you must explicitly add the client authentication certificate to the trust policy. However, only the federation server proxy stores the private key that is associated with the federation server proxy client authentication certificate. You can install a client authentication certificate by connecting to an enterprise CA or by creating a self-signed certificate.
Do not use a certificate that was issued by your enterprise CA for client authentication of an Active Directory user (especially a domain administrator) because the private key is stored on the federation server proxy. Storing a private key on the federation server proxy allows an administrator or a successful attacker to assume the identity that the certificate represents.
For general information about installing client authentication certificates when you use Microsoft Certificate Services as your enterprise CA, see Submit an advanced certificate request via the Web to a Windows Server 2003 CA (