Replace certificates on ADFS 3.0


In my test environment I wanted to replace self-signed certificates with publicly trusted ones.

Follow these steps if you want to achieve the same:

  • RDP to your ADFS 3.0 server.
  • Import the new certificate into the machine’s Personal store.
  • Make sure you have the private key that corresponds to this certificate. If not, go to the PC you requested the certificate on, export it from there and make sure to include the private key.
  • Assign the proper permissions on the private key to the ADFS managed service account.
  • Make sure to select “Service Accounts” when searching for the account.
  • Now switch to AD FS Management, drill down to Certificates and select “Set Service Communication Certificate”.
  • You will be prompted for the required certificate. If you don’t see the new certificate in the list of available certificates, it means you either don’t have the private key that corresponds to this certificate or you didn’t import the cert correctly.

(The following commands have to be run as well; thanks to Jaguar, who pointed this out in a comment.)

  • Run Get-AdfsSslCertificate. Make a note of the thumbprint of the new certificate.
    • If it's unclear which certificate is new, open the MMC Certificates snap-in, locate the new certificate and scroll down in the list of properties to see the thumbprint.

  • Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx   (without spaces).
  • Restart the ADFS service.

Optionally, when using one or more Web Application Proxy servers:

  • Copy and import the new certificate to each Web Application Proxy (they are not domain joined). Make sure the certificate is imported into the machine’s Personal store.
  • Switch the certificate on the Web Application Proxy. I personally did this by reinstalling the Web Application Proxy (which requires a reboot), but it’s much easier to use the “Set-WebApplicationProxySslCertificate” cmdlet.
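The whole procedure above, including the rebinding commands from the comments, as one PowerShell routine. This is an added example and not code from the original post; it assumes an elevated PowerShell session on the AD FS 3.0 server, that the AD FS service is named adfssrv, that the private key files sit in the default Windows key-store folders, and that the thumbprint you pass (the xxxx placeholder at the end is not a real value) was copied from Get-ChildItem Cert:\LocalMachine\My, which prints it without spaces.

```powershell
# Added example, not from the original post. Replaces the service communication
# certificate and the HTTP.SYS SSL binding on one AD FS 3.0 (Windows Server 2012 R2)
# farm node, performing the checks the post describes before touching anything.
# Assumptions: run elevated on the AD FS server; the service is 'adfssrv';
# key-store paths are the Windows defaults; $Thumbprint is a placeholder you supply.

function Grant-PrivateKeyRead {
    # Give $Account read access to the private key file behind $Cert.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Account)
    $name = $null
    try { $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
    if ($name) {
        # Legacy CSP (CAPI) key: the file lives under RSA\MachineKeys.
        $path = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    } else {
        # CNG (KSP) key: the file lives under Crypto\Keys (needs .NET 4.6+).
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        $path = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    if (-not (Test-Path $path -PathType Leaf)) { throw "Private key file not found at $path" }
    icacls $path /grant "$($Account):R" | Out-Null
}

function Update-AdfsSslCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $ErrorActionPreference = 'Stop'

    # Pasted thumbprints often carry spaces or an invisible leading character; keep only hex.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($Thumbprint.Length -ne 40) { throw "Expected a 40-character SHA-1 thumbprint, got '$Thumbprint'" }

    # The certificate must be in the machine Personal store together with its private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert)                    { throw "Certificate $Thumbprint is not in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey)      { throw "No private key: re-export the PFX with the key from the requesting PC" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
        throw "Certificate lacks the Server Authentication EKU"
    }

    # The subject/SAN list must cover the federation service name (wildcard entries allowed).
    $fsName = (Get-AdfsProperties).HostName
    if (-not ($cert.DnsNameList.Unicode | Where-Object { $fsName -like $_ })) {
        throw "Certificate names ($($cert.DnsNameList.Unicode -join ', ')) do not cover $fsName"
    }

    # The AD FS service account (a gMSA on AD FS 3.0) needs read access to the key.
    $svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
    Grant-PrivateKeyRead -Cert $cert -Account $svcAccount

    # Same as "Set Service Communication Certificate" in the AD FS console. This writes
    # farm configuration, so it runs on the primary node only.
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint

    # Rebind HTTP.SYS. This part is per node: run it on EVERY server in the farm.
    Set-AdfsSslCertificate -Thumbprint $Thumbprint
    Restart-Service adfssrv

    # Verify: every binding AD FS owns should now carry the new hash. Bindings for a
    # former farm name linger and must be removed with
    # netsh http delete sslcert hostnameport=<oldname>:443 (and :49443).
    $stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $Thumbprint }
    if ($stale) {
        Write-Warning ("Bindings still on another certificate:`n" +
            ($stale | Format-Table HostName, PortNumber, CertificateHash | Out-String))
    }
    return (-not $stale)
}

# Usage on the AD FS node (placeholder thumbprint):
#   Update-AdfsSslCertificate -Thumbprint 'xxxxthumbprintofthenewsslcertxxxxx'
# Then on each Web Application Proxy, after importing the PFX into Cert:\LocalMachine\My there:
#   Set-WebApplicationProxySslCertificate -Thumbprint 'xxxxthumbprintofthenewsslcertxxxxx'
#   Get-WebApplicationProxyApplication |
#       Set-WebApplicationProxyApplication -ExternalCertificateThumbprint 'xxxxthumbprintofthenewsslcertxxxxx'
```

The function returns $true only when Get-AdfsSslCertificate reports the new hash on every binding, which is the state the post's screenshots cannot show you; a $false return with the warning table is the symptom several commenters hit (old thumbprint still bound, proxies unable to talk to the farm). Set-AdfsCertificate will refuse to run on a secondary node; for that case the comments describe temporarily promoting it with Set-AdfsSyncProperties.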

Consider leaving a reply in case this post helped you. Thanks!


Comments (35)

  1. Anonymous says:

    Thanks so much for the rebinding commands. Why aren’t those in the official docs?!

    1. Ger Voeten says:

      But it is in the docs!! You only have to take some time to read it. Remember it’s not any different from any web app you’re publishing. So no worry that it says Intune, the actions are the same!
      Look here:
      https://technet.microsoft.com/nl-nl/library/dn781428(v=ws.11).aspx

  2. Oh what a lovely post. Many thanks. I am still stuck.
    I had a publicly trusted wildcard cert for my domain (it worked for OWA, SharePoint, OA, and I could also use it for ADFS and WAP). Brilliant. BUT when I got to device registration I found I need a SAN on the certificate called enterpriseregistration.mydomain.com.

    Since my cert comes from GoDaddy, I can’t have a SAN on a wildcard cert, so I will have to use a UCC SAN cert instead.

    Before I rekey a certificate, are there any other SANs I need (apart from SIP, OWA, EDGE, MAIL, AUTODISCOVER, ENTERPRISEREGISTRATION…)?

    1. Mylo says:

      I’d also consider certauth.adfs.mydomain.com (where adfs.mydomain.com is your ordinary federation service URL) .. that also covers scenarios for AD FS as an enrollment (CA) agent in Windows Server 2016 ..

  3. Jaguar says:

    As part of our deployment of ADFS 3.0 (to replace our ADFS 1.1), we had to replace the first SSL certificate that we cut. After doing the usual process (including replacing it in the ADFS console), our federation proxies could not talk to the internals. Neither could my workstation using a hosts file to communicate directly to one of the internal FS servers. Looking at the ADFS Admin log (or the Debug log), it showed a yellow on a thumbprint that it could not find. This is what we had to do:

    1. Get the thumbprint of the replacement SSL cert.

    2. Copy it to notepad and remove the spaces.

    3. Open PowerShell on one of the FS servers.

    4. Run Get-AdfsSslCertificate. This showed the thumbprint still "stuck" in ADFS, the old one.

    5. Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx   (without spaces).

    6. Restart the ADFS service on both internal FS servers and all was well again.

    Sounds like a bug to me. Regards,

  4. Jaguar says:

    Not a bug. Since there is no IIS, that step has been replaced with PowerShell; you have to do something similar on the Proxies as well. In addition, we ran into the following:

    1. We used our current code signing certificate from Digicert for the new system – and used it for the token decryption certificate.

    2. Our testing showed that WIA worked but FBA did not – the web form simply refreshed at login. A yellow warning appeared in the log about discarding corrupt cookie.

    3. After 3.5 days with our MCS engineer and PSS top level support, the issue was that the code signing cert did not have key usage/enhanced key usage terminology required for the token decryption cert.

    4. We generated a self signed cert with the proper terminology and the issue was resolved.

  5. Martin says:

    Jaguar, great stuff! Saved me a huge headache. Running your commands fixed my issue. Massive thanks!

  6. Matthieu says:

    Thanks Jaguar, the blog post is incomplete indeed, I had to run your Set-AdfsSslCertificate command to complete the configuration.

  7. Scott says:

    Just had to do this and it’s saved me so many problems – you sir are a star!

  8. alex says:

    Thx a lot, worked!

  9. Paul D says:

    Many thanks for this article, saved me a lot of headaches trying to figure out the cert updating process.

  10. Tim M says:

    Understood that it isn’t a bug, but Microsoft has the ability to program that process into the GUI. One shouldn’t require searching in a blog to resolve a problem that Microsoft pragmatically didn’t or neglected to do. If the web service is built into ADFS, then the ADFS console or PowerShell cmdlets should complete the configuration wholly, not partially, causing hours of support. (I guess one assumes that "SET" means set.)

  11. Scott R. says:

    I just went through an ADFS Farm Name change and ran into an issue where the old SSL certs were still showing in the output of Get-AdfsSslCertificate.

    This caused ADFS to return an Unauthorized error if I tried to issue a token under the new farm name, but using the old farm name would still work (Invoke-WebRequest : The remote server returned an error: (401) Unauthorized.).

    I had to go into netsh http and delete the old SSL bindings from each ADFS Server using the following command:
    netsh http delete sslcert hostnameport={oldname}:49443
    netsh http delete sslcert hostnameport={oldname}:443

    Also shout out to the ADFS Team for their ADFSDiagnostics module! (https://gallery.technet.microsoft.com/scriptcenter/AD-FS-Diagnostics-Module-8269de31) The PowerShell Test-AdfsServerToken cmdlet is awesome.

  12. Casper says:

    Saved my day. Thank you

  13. Sean B. says:

    thanks to all who contributed to this and especially Scott R. the netsh commands did the trick to get the cert back in and functioning.

    One other thing to note: in my case, when copying the Set-AdfsSslCertificate command from Notepad into my PS window there was a little garbage character ahead of the thumbprint that was causing the command to fail… didn’t see it the first 2 times I tried… darn Surface 2 small screen and tired eyes!

  14. Meera says:

    Just used this article and it was helpful. Thank You.

  15. Victor Lopes says:

    Thank you so much!

    If the "Get-AdfsSslCertificate" shows only the old certificate, get the thumbprint of the new certificate using mmc’s Certificates snap-in, and then use it with the "Set-AdfsSslCertificate -Thumbprint" command.

  16. Mark Ringo says:

    How does the new SSL certificate get installed onto the other ADFS 3.0 servers in the ADFS farm? I have a primary ADFS server and a secondary in NLB. Typically ADFS changes occur on the primary and those changes get synced to the secondary. I have imported the renewed certificate on the primary and it is working properly but the secondary is not receiving this configuration. I have imported the SSL certificate into the machine MY store on the secondary and I have assigned permission to the service account. The problem is that I am unable to issue PowerShell commands to install this certificate because it is the secondary and will not perform the commands.

  17. danny says:

    GREAT! That stupid Set-ADFSSslCertificate command needed to be run as well… THANKS it’s a life saver

  18. Jimmy Stewart says:

    I have the same question as Mark Ringo: if running ADFS in a load balanced state, how do we get the non-primary ADFS server to use the new SSL cert? Would love hearing if someone has a solution. Great article for ADFS servers; would recommend updating with the ADFS Proxy method as well, it would be helpful to get this all in one place.

  19. chase h. says:

    muchas gracias! Set-AdfsSslCertificate is what I needed to resolve System Event Log being rampaged by Error 15021.

  20. Egert V says:

    Anyone has an answer to Mark Ringo’s and Jimmy Stewart question? I have 3 ADFS server and 3 Proxies and would be great to know what is the recommended procedure for updating SSL cert in the secondary servers.

  21. Lee M says:

    Egert +1

  22. Egert V says:

    In case anyone still needs an answer for how to update the certs on the secondary ADFS servers:

    The Set-ADFSSslCertificate command needs to be run on ALL ADFS servers!!!!!!

  24. Jeromy B says:

    Get-ChildItem -Path Cert:\LocalMachine\My

    Will return a Thumbprint that you will not have to edit spaces out of.

  25. Dan_IT says:

    just tried this, but it didn’t automatically update the SSL cert on the IIS site of my ADFS server – I’ve manually updated that to the new cert

  26. Rob says:

    Thanks to everyone that contributed to this post, it saved me a lot of work! However, my configuration was still not working until I did this:
    http://blogs.technet.com/b/rmilne/archive/2015/04/20/adfs-2012-r2-web-application-proxy-_2d00_-re_2d00_establish-proxy-trust.aspx
    Once the trust was re-established everything turned green!

  27. Brandon C says:

    If Mark Ringo is still looking for an answer, the best thing to do is temporarily change your secondary ADFS server to primary:

    Set-AdfsSyncProperties -Role PrimaryComputer

    Once you’re done, change it back to a secondary server:
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN of your ADFS primary server}

    1. Homer says:

      I ran into a similar scenario as Mark Ringo, I believe. I was replacing the expired certificate in a 3 server farm and think I stopped the ADFS service on the secondary server before, just in the event that things went south… Upon startup now the secondary ADFS service fails with an error about a cert being expired or revoked (the old one). Get-adfssync status shows it not having synced with the primary in a few months now. I am hoping these steps to change it to primary, update the certificate, and change it back should resolve the issue. Once it can start again using the new certificate it should be able to talk to the primary to get all the changes that have been made and get back in sync.

  28. Manfred Pohlemann says:

    Hi and thanks so far,

    maybe you can add a link to this article concerning re-establishing Proxy trust:
    https://blogs.technet.microsoft.com/rmilne/2015/04/20/adfs-2012-r2-web-application-proxy-re-establish-proxy-trust/

    or just add the important PowerShell lines:
    on WAP:
    Install-WebApplicationProxy -CertificateThumbprint 3EFF626CD4CAECDB6F84DB5FB4FCF580ACF629E2 -FederationServiceName adfs.tailspintoys.ca

    Thanks again

  29. AntonH says:

    If you’re using WAP in pass-through mode, execute the following command to replace the certificate on all published sites.

    Get-WebApplicationProxyApplication | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint xxxxthumbprintofthenewsslcertxxxxx

  30. James says:

    Thank you

  31. Jeroen de Bonte says:

    Thanks Pieter!
