Changing the Service-Communications certificate for the Windows Server 2012 R2 ADFS servers and Windows Server 2012 R2 Web Application Proxy servers is sometimes tricky if you are not familiar with the technology.
Basically you need to perform 3 operations:
- Change the Service-Communications certificate in ADFS.
- Set the new SSL certificate to be used by the HTTP.sys driver.
- Give the ADFS service account read access to the private key of the new certificate.
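The three operations above, carried out by hand on one Windows Server 2012 R2 ADFS node, as an added example (this is not the author's Update-ADFSSSLCertificate.ps1 script from the gallery). It assumes things the post does not state: the ADFS service is named adfssrv, the private key imported from the PFX is a CAPI RSA key stored under MachineKeys (CNG keys expose no CspKeyContainerInfo and need the ACL set via certlm.msc instead), and every existing HTTP.sys SSL binding that still references the old Service-Communications thumbprint should be moved to the new certificate while keeping its own application ID.

```powershell
# Added example (not the author's Update-ADFSSSLCertificate.ps1): the three operations
# from the post, performed manually on one Windows Server 2012 R2 ADFS node.
# Assumptions not taken from the post: ADFS service name 'adfssrv', CAPI RSA private
# key under MachineKeys, and rebinding every HTTP.sys endpoint that uses the old thumbprint.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$PfxPath
)

# Refuse to run without local admin rights: Set-AdfsCertificate, netsh http
# and the MachineKeys ACL change all need them.
$identity = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session (member of local Administrators).'
}
Import-Module ADFS -ErrorAction Stop

# Import the PFX into the local machine store and record the old and new thumbprints.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$newCert  = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
$newThumb = $newCert.Thumbprint
$oldThumb = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
Write-Host "Replacing Service-Communications certificate $oldThumb with $newThumb"

# Operation 3 first, so the service can read the key as soon as it restarts:
# grant the ADFS service account Read on the private key container file.
$serviceAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
$keyName = $newCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $keyName) { throw 'Private key is not a CAPI RSA key; grant the ACL with certlm.msc instead.' }
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$acl = Get-Acl -Path $keyFile
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')))
Set-Acl -Path $keyFile -AclObject $acl

# Operation 1: point ADFS at the new Service-Communications certificate.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $newThumb

# Operation 2: re-create every HTTP.sys SSL binding that still references the
# old thumbprint (FQDN:443, localhost:443, the certificate-auth port, ...),
# preserving each binding's own application ID.
$blocks = (netsh http show sslcert | Out-String) -split '(?:\r?\n){2,}'
foreach ($block in $blocks) {
    if ($block -notmatch "Certificate Hash\s*:\s*$oldThumb") { continue }   # -match is case-insensitive
    $endpoint = [regex]::Match($block, '(Hostname:port|IP:port)\s*:\s*(\S+)')
    $appId    = [regex]::Match($block, 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})').Groups[1].Value
    $param    = if ($endpoint.Groups[1].Value -eq 'IP:port') { 'ipport' } else { 'hostnameport' }
    $target   = $endpoint.Groups[2].Value
    netsh http delete sslcert "$param=$target" | Out-Null
    netsh http add sslcert "$param=$target" "certhash=$newThumb" "appid=$appId" certstorename=MY | Out-Null
    Write-Host "Rebound $target to $newThumb"
}

# Restart so the service picks up the new certificate and key.
Restart-Service adfssrv
```

Run it from an elevated prompt as `.\Rotate-AdfsServiceCert.ps1 -PfxPath .\MyCert.pfx` (hypothetical file name). Rebinding only the endpoints whose hash equals the old thumbprint avoids having to know the ADFS application ID or the full list of ports in advance, and leaves unrelated bindings on the host untouched. Afterwards, `netsh http show sslcert` should show no binding with the old hash, and `Get-AdfsCertificate -CertificateType Service-Communications` should report the new thumbprint. On a WAP node the binding step is different: the 2012 R2 Web Application Proxy module's `Set-WebApplicationProxySslCertificate -Thumbprint` replaces the `Set-AdfsCertificate` call, and the key ACL is set for the account the proxy service runs as rather than the ADFS service account.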
To make sure this goes smoothly, I wrote the following script:
- Update the Service-Communications SSL certificate of ADFS and WAP servers https://gallery.technet.microsoft.com/Update-the-Service-9e080ef8
This has to be run locally on every ADFS server and WAP server (it works in Server Core mode as well). You need to be a member of the local Administrators group of the server to run it (otherwise it stops and will not let you go forward). Here is the syntax:
.\Update-ADFSSSLCertificate.ps1 -PfxPath .\MyCert.pfx
And for additional output:
.\Update-ADFSSSLCertificate.ps1 -PfxPath .\MyCert.pfx -ShowDetailMessages $true
Here is an example of the output on an ADFS server:
Here is an example of the output on a WAP server (the script detects the role automatically):
This script has to be executed on each node of the ADFS farm and of the WAP farm. Note that if your system has French locale settings, the output will be in French 🙂