Add PE certificates to the ADFS server

ADFS validates the certificate PE uses to sign requests by building a chain to a trusted root, so the Puppet CA certificate(s) that issued the PE signing certificate must be in the Trusted Root Certification Authorities store on the ADFS server. Depending on which version of PE you upgraded from, the CA bundle contains either one certificate or two (a root CA and an intermediate signing CA), and the import steps differ. Note that trusting the Puppet CA at this level makes the ADFS host trust every certificate that CA issues, not only the PE signing certificate.

  1. On your primary server, retrieve the certificates:
    cat /etc/puppetlabs/puppet/ssl/certs/ca.pem
  2. Count the -----BEGIN CERTIFICATE----- blocks in the output and do one of the following:
    • One certificate – copy the certificate text, including the BEGIN and END lines, and paste it into a .cer file on your ADFS server (Windows accepts Base64/PEM text in a .cer file). Then, import the certificate into the Trusted Root Certification Authorities store.

    • Two certificates – export both into a single PKCS#12 file with this command (the colon after pass is required; it sets an empty export password, and OpenSSL rejects a bare pass):

      openssl pkcs12 -export -nokeys -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -out ~/ca.pfx -passout pass:

      Copy the resulting ca.pfx file to your ADFS server, then import it into the Trusted Root Certification Authorities store. The file has no password, so leave the password field blank when the import wizard asks for one. Both certificates appear in the store after the import. Because the file holds only public CA certificates, the empty password protects nothing and is acceptable; what matters is confirming that the thumbprint Windows shows for each imported certificate matches the fingerprint of the corresponding certificate in ca.pem on the primary server, so that a file swapped in transit is not trusted.
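The procedure above, as an added example that is not part of the PE documentation or Puppet's tooling: a script for the primary server that counts the certificates in the CA bundle, prints their fingerprints for comparison on the ADFS side, and writes either a .cer or a .pfx in the form the steps describe. The ca.pem path is the one from the page; the OUT_DIR variable, the output file names and the certpbe/macalg flags are assumptions. The flags select the pre-OpenSSL-3 PKCS#12 algorithms (3DES, SHA-1 MAC), which older Windows Server releases can open where the AES-256/SHA-256 container that OpenSSL 3 produces by default fails to import; the weaker wrapping costs nothing here because the file contains no private key.

```shell
#!/bin/sh
# Added example, not Puppet's code. Run on the PE primary server.
# CA_PEM is the path from the documentation; OUT_DIR is an assumption.
set -eu

CA_PEM="${CA_PEM:-/etc/puppetlabs/puppet/ssl/certs/ca.pem}"
OUT_DIR="${OUT_DIR:-${HOME:-.}}"

# Number of PEM certificate blocks in a bundle: 1 (single CA) or 2 (root + intermediate).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject plus SHA-1 and SHA-256 fingerprints of every certificate in the bundle.
# Windows shows the SHA-1 value as "Thumbprint" in the certificate dialog, so that
# is the value to compare after the import before relying on the store contents.
fingerprints() {
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/" n ".pem")}' "$1"
    for c in "$tmp"/*.pem; do
        openssl x509 -in "$c" -noout -subject -fingerprint -sha1
        openssl x509 -in "$c" -noout -fingerprint -sha256
    done
    rm -rf "$tmp"
}

# One certificate: copy the PEM text to a .cer file (Windows accepts Base64 .cer).
# Two or more: PKCS#12 with no private key and an empty password (note "pass:").
# PBE-SHA1-3DES and a SHA-1 MAC are the legacy algorithms older Windows can read;
# the container only wraps public certificates, so nothing is lost by choosing them.
export_for_adfs() {
    bundle="$1"; outdir="$2"
    case "$(count_certs "$bundle")" in
        0) echo "no certificates found in $bundle" >&2; return 1 ;;
        1) cp "$bundle" "$outdir/ca.cer"; echo "$outdir/ca.cer" ;;
        *) openssl pkcs12 -export -nokeys -in "$bundle" -out "$outdir/ca.pfx" \
               -passout pass: -certpbe PBE-SHA1-3DES -macalg sha1
           echo "$outdir/ca.pfx" ;;
    esac
}

# Re-open the .pfx with the empty password and return how many certificates it holds,
# which should equal count_certs on the source bundle.
verify_pfx() {
    openssl pkcs12 -in "$1" -nokeys -passin pass: | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

if [ -r "$CA_PEM" ]; then
    echo "certificates in $CA_PEM: $(count_certs "$CA_PEM")"
    fingerprints "$CA_PEM"
    out=$(export_for_adfs "$CA_PEM" "$OUT_DIR")
    echo "copy $out to the ADFS server and import it into Trusted Root Certification Authorities"
fi
```

On the ADFS side, the .pfx can be imported from an elevated PowerShell prompt with Import-PfxCertificate -FilePath .\ca.pfx -CertStoreLocation Cert:\LocalMachine\Root (omit -Password, since the file has none), and the Thumbprint column of Get-ChildItem Cert:\LocalMachine\Root can then be compared with the SHA-1 fingerprints the script printed on the primary server.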