How to renew ADFS certificates

Hi! Recently I had to renew certificates on Active Directory Federation Services (ADFS) servers, so I will post the steps to do it:

In ADFS Server:

  1. Log onto the ADFS Server
  2. Add the new certificate to the server. Make sure this is added to the Personal certificate store for the computer account. I usually do this using the Certificates snap-in in MMC or by importing the certificate in IIS.
  3. Grant the service account that is running the ‘Active Directory Federation Services’ service read access to the private key. To do this, follow these steps:
    1. Within the certificates snap-in of MMC, right click the certificate, select ‘All Tasks’ and then select ‘Manage Private Keys…’:


    2. Click ‘Add…’ to add the user account running the ADFS service on the server and grant read access to that user.


    3. Click OK on the permissions dialog to close it.
  4. Launch AD FS Management, expand ‘Service’ within the left pane and click ‘Certificates’:


  5. Click ‘Set Service Communications Certificate…’ from the actions panel at the right of the screen:


  6. You will be prompted to select the required certificate; if it is not listed, try re-importing the certificate.
  7. At this point you may need to restart the ADFS service.
  8. To complete the configuration change, change the certificate in the IIS web application on the ADFS server (see the ‘Bind the new SSL certificate’ section).
  9. Restart the server, or the ADFS service on the server to complete the configuration change.
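The ADFS-server steps above done from PowerShell instead of the MMC and AD FS Management dialogs, as an added example that is not part of the original post. It assumes the new certificate was exported with its private key as a PFX (the path and the ADFS service account below are placeholders), that the key is an RSA key stored by a legacy CSP (so its key file lives under MachineKeys), and that the cmdlets are those of the AD FS 2.0 snap-in used on Windows Server 2008 R2; on newer versions use `Import-Module ADFS` instead.

```powershell
# Added example: install the new ADFS service-communications certificate from PowerShell.
param(
    [string]$PfxPath        = 'C:\certs\adfs-new.pfx',   # placeholder: exported PFX with private key
    [string]$ServiceAccount = 'CONTOSO\svc-adfs'         # placeholder: account running the ADFS service
)

# AD FS 2.0 exposes its cmdlets through a snap-in (AD FS 2012 R2+ uses Import-Module ADFS)
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

# Step 2: import into the computer account's Personal store (LocalMachine\My).
# MachineKeySet puts the private key in the machine key container; PersistKeySet keeps it after import.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($PfxPath, $pfxPassword, 'MachineKeySet,PersistKeySet')
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Step 3: grant the ADFS service account Read on the private key. For CSP-stored RSA keys the key is a
# file under MachineKeys named after the unique key container, which is what 'Manage Private Keys...' edits.
if (-not $cert.HasPrivateKey -or -not $cert.PrivateKey) {
    throw 'Certificate has no CSP private key; import the PFX (not the .cer) or set the ACL in MMC'
}
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Steps 4-6: make it the service communications certificate, selected by thumbprint
Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint

# Step 9: restart the ADFS service and confirm which certificate is now in use
Restart-Service adfssrv
Get-ADFSCertificate -CertificateType Service-Communications | Select-Object Thumbprint, StoreName
```

The IIS binding (step 8) is still a separate change, because on Windows Server 2008 R2 the ADFS web application runs inside IIS; the service communications certificate set here is the one ADFS presents to the federation metadata and WS-Trust endpoints, while the HTTPS listener is IIS's.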

Additional configuration is required on the WAP server:

  1. Log onto the WAP server.
  2. Add the new certificate to the server. Make sure this is added to the Personal certificate store for the computer account.
  3. Change the certificate in the IIS web application (see the ‘Bind the new SSL certificate’ section).
  4. Restart the server, or the ADFS and Web Application Proxy services to complete the configuration.

Bind the new SSL certificate to the web application

In IIS 7 on Windows Server 2008 and Windows Server 2008 R2, select the web site, right-click it, choose Edit Bindings, select the SSL port, click Edit, and use the drop-down to select the new SSL certificate:
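The same binding change from PowerShell, as an added example that is not from the original post. It serves both the ADFS server and the WAP server steps that refer to this section. It assumes the WebAdministration module of IIS 7.5 on Windows Server 2008 R2, that the ADFS application is under ‘Default Web Site’ (the site name is a parameter), and that the operator supplies the thumbprint of the certificate already imported into LocalMachine\My.

```powershell
# Added example: bind the https listener of the IIS site to the new certificate and verify it.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$SiteName = 'Default Web Site'
)
Import-Module WebAdministration

# Thumbprints copied from the certificate dialog often carry spaces and an invisible
# left-to-right mark; keep only the hex digits so the lookup does not silently fail.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# The binding only works if the certificate is in the computer's Personal store with its private key
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; import the PFX, not the .cer' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Find the existing https binding (the 'SSL port' in the Edit Bindings dialog) and point it at the new cert
$binding = Get-WebBinding -Name $SiteName -Protocol https
if (-not $binding) { throw "Site '$SiteName' has no https binding" }
$binding.AddSslCertificate($Thumbprint, 'my')

# Verify: the SslBindings drive shows the thumbprint now attached to each IP:port
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Thumbprint
```

After the change, a quick check from another machine is to open the federation metadata URL in a browser and inspect the certificate the server presents; it should show the new expiry date.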


Replacing the Token-Signing certificate

Check to see if you are utilizing AutoCertificateRollover

  • Launch PowerShell on a Federation Server
  • Run the following commands:

Add-PSSnapin Microsoft.Adfs.Powershell
Get-ADFSProperties

  • Look for the value of AutoCertificateRollover in the output; it will be True or False.
  • If the result of the previous step is True, you are finished; if it is False, you will need to maintain the Token-Signing certificate manually. In my case it was True, so I finished there.
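A slightly fuller version of this check, added here as an example that is not from the original post: it reports the rollover setting together with the expiry of every token-signing and token-decrypting certificate, so that a server with AutoCertificateRollover set to False is flagged before the certificate runs out. The cmdlet names are those of the AD FS 2.0 snap-in; the 30-day warning threshold is my own choice.

```powershell
# Added example: report AutoCertificateRollover and certificate expiry on a federation server.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

$props = Get-ADFSProperties
Write-Host ("AutoCertificateRollover : {0}"      -f $props.AutoCertificateRollover)
Write-Host ("CertificateDuration     : {0} days" -f $props.CertificateDuration)

$warnDays = 30   # assumption: warn when fewer than 30 days remain
$now = Get-Date

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-ADFSCertificate -CertificateType $type | ForEach-Object {
        $daysLeft = [int]($_.Certificate.NotAfter - $now).TotalDays
        # New-Object PSObject keeps this runnable on PowerShell 2.0 (Windows Server 2008 R2)
        New-Object PSObject -Property @{
            Type       = $type
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.Certificate.NotAfter
            DaysLeft   = $daysLeft
        }
    }
} | Sort-Object Type, IsPrimary -Descending | Format-Table Type, IsPrimary, DaysLeft, NotAfter, Thumbprint -AutoSize

# Only the manual case needs action from you: with rollover on, ADFS creates and promotes a
# new self-signed certificate itself, as the Token-Decrypting section below describes.
$primaries = Get-ADFSCertificate | Where-Object { $_.IsPrimary }
foreach ($p in $primaries) {
    $daysLeft = [int]($p.Certificate.NotAfter - $now).TotalDays
    if (-not $props.AutoCertificateRollover -and $daysLeft -lt $warnDays) {
        Write-Warning ("{0} certificate {1} expires in {2} days and rollover is off: renew it manually" -f
            $p.CertificateType, $p.Thumbprint, $daysLeft)
    }
}
```

Relying parties such as SharePoint cache the token-signing certificate, so even with rollover enabled the new certificate still has to reach them (see the SharePoint section below) before it becomes primary.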

Replacing the Token-Decrypting certificate

If you are utilizing the AutoCertificateRollover feature of AD FS, you do not need to manually replace the Token-Decrypting certificate. AutoCertificateRollover will create a self-signed Token-Decrypting certificate for you and set it as the Primary Token-Decrypting certificate when a time threshold has been met.

How do I renew the token-signing certificate in SharePoint?

There are two steps required to renew the certificate (at least as far as SharePoint is concerned – this assumes that the new ADFS token signing cert has already been generated):

  1. Import certificate into SharePoint’s trusted certificate store (SharePoint Central Admin or PowerShell)
  2. Import certificate into SharePoint’s trusted identity provider (PowerShell)

This script needs to be run on a SharePoint server:

# Load the exported ADFS token-signing certificate (.cer, public key only).
# Adjust the path to where you saved the export.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS\TokenSigning.cer")
# Import the certificate into SharePoint's trusted root authority store
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert
# Import the certificate into the SPTrustedIdentityTokenIssuer so SharePoint validates tokens signed with it
Get-SPTrustedIdentityTokenIssuer | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert
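A check to run after that script, added here as an example that is not from the original post: it confirms that the certificate SharePoint now trusts is the one ADFS actually signs with, by comparing thumbprints. It assumes the same exported .cer path as the script above, that the SharePoint Management Shell snap-in is available, and that there is a single trusted identity token issuer.

```powershell
# Added example: verify SharePoint's trusted signing certificate matches the exported ADFS certificate.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$cerPath = 'C:\ADFS\TokenSigning.cer'   # same export as in the script above; adjust if yours differs
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

# Is the certificate present in the trusted root authority store?
$root = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $expected.Thumbprint }
if (-not $root) {
    Write-Warning "Thumbprint $($expected.Thumbprint) not found in SPTrustedRootAuthority"
}

# Is it the signing certificate of the trusted identity provider?
$issuer = Get-SPTrustedIdentityTokenIssuer
$actual = $issuer.SigningCertificate.Thumbprint
if ($actual -eq $expected.Thumbprint) {
    Write-Host ("OK: '{0}' signs with {1} (valid until {2})" -f $issuer.Name, $actual, $expected.NotAfter)
} else {
    Write-Warning ("Mismatch: '{0}' still trusts {1}, expected {2}" -f $issuer.Name, $actual, $expected.Thumbprint)
}

# Warn early about the exported certificate itself running out
$daysLeft = [int]($expected.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 30) { Write-Warning "Exported ADFS certificate expires in $daysLeft days" }
```

A mismatch here is the usual cause of ADFS-authenticated users suddenly getting sign-in errors on SharePoint right after an ADFS certificate change.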

I don’t want to do it every year. How do I stop the certificate from expiring?

Assuming that you are using ADFS to generate the new token signing certificate, you can use the Set-ADFSProperties cmdlet to modify the CertificateDuration property, then create a new token signing certificate. In the example below, new certificates won’t expire for 36500 days (100 years):

Set-ADFSProperties -CertificateDuration 36500

We can now create a new Token Signing certificate that will be valid for the new duration:

Update-ADFSCertificate -CertificateType Token-Signing -Urgent

The last step is to check the SharePoint web application to make sure that everything is working properly. I think that’s all the steps I followed to change the ADFS certificates, hope it helps!
