Replace certificates on ADFS 3.0


In my test environment I wanted to replace self-signed certificates with publicly trusted ones.

Follow these steps if you want to achieve the same:

  • RDP to your ADFS 3.0 server
  • Import the new certificate to the Machine’s Personal Store
  • Make sure you have the private key that corresponds to this certificate. If not, go to the PC on which you requested the certificate, export it from there and make sure to include the private key.

  • Assign the proper permissions to the Private Key for the ADFS Managed Service Account:

  • Make sure to select “Service Accounts” when searching for the account.

  • Now switch to AD FS management, drill down to Certificates and select “Set Service Communication Certificate”

  • You will be prompted for the required certificate. If you don’t see the new certificate in the list of available certificates, it means either that you don’t have the private key that corresponds to this certificate or that you didn’t import the certificate correctly.

(The following commands also have to be run – thanks to Jaguar, who mentioned this in a comment.)

  • Run Get-AdfsSslCertificate. Make a note of the thumbprint of the new certificate.
    • If it's unclear which certificate is new, open the Certificates MMC snap-in, locate the new certificate and scroll down in the list of properties to see the thumbprint.

  • Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx (with the spaces removed from the thumbprint).
  • Restart the ADFS service.

Optionally, when using Web Application Proxies:

  • Copy and import the new certificate to the Web Application Proxy/Proxies, which are not domain joined. Make sure the certificate is imported into the Machine Personal Store.
  • Switch the certificate on the Web Application Proxy. I personally did this by reinstalling the Web Application Proxy (requires a reboot), but it’s much easier to use the “Set-WebApplicationProxySslCertificate” cmdlet.
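The whole procedure above, from checking the imported certificate through rebinding and verification, as one PowerShell script. This is an added example, not part of the original post and not a Microsoft script. It assumes an elevated PowerShell session on the AD FS 3.0 server with the ADFS module loaded, that the certificate has already been imported into the machine Personal store and the private key permissions granted to the service account as described above, and that `$NewThumbprint` is a placeholder you replace with your own certificate's thumbprint. `Get-CleanThumbprint` and `Test-AdfsCandidateCertificate` are helper names chosen here, not cmdlets.

```powershell
# Added example (not from the original post): run the post's procedure end to
# end on an AD FS 3.0 server. Pick the imported certificate by thumbprint,
# check that its private key is present, bind it for service communication
# and as the HTTP.sys SSL certificate, restart the service and verify.
# Assumptions: elevated PowerShell on the AD FS server, ADFS module present,
# $NewThumbprint is a placeholder for your own certificate's thumbprint.
param(
    [Parameter(Mandatory = $true)]
    [string]$NewThumbprint
)

function Get-CleanThumbprint {
    param([string]$Raw)
    # Drop spaces and anything that is not a hex digit, which also removes the
    # invisible character that ends up in front of the value when it is copied
    # from the certificate properties dialog (see the comments on this post).
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got '$clean'"
    }
    return $clean
}

function Test-AdfsCandidateCertificate {
    param([string]$Thumbprint)
    # The same conditions under which the MMC refuses to list a certificate:
    # not in the machine Personal store, or present without its private key.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in the machine Personal store"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; re-export it from the requesting machine with the key included"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
    }
    return $cert
}

$thumb = Get-CleanThumbprint -Raw $NewThumbprint
$cert  = Test-AdfsCandidateCertificate -Thumbprint $thumb
Write-Host "Using certificate: $($cert.Subject) (expires $($cert.NotAfter))"

# What AD FS is bound to right now. After a GUI-only change this still shows
# the old hash, which is the symptom several commenters describe.
Write-Host "Current SSL bindings:"
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# The service communication certificate is farm configuration and is changed
# on the primary only; the SSL binding is per server and must be set on every
# AD FS server in the farm (see the comments on secondary servers).
if ((Get-AdfsSyncProperties).Role -eq 'PrimaryComputer') {
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb
}
Set-AdfsSslCertificate -Thumbprint $thumb
Restart-Service -Name adfssrv

# Verify: every binding must now carry the new hash.
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $thumb }
if ($stale) {
    $stale | Format-Table HostName, PortNumber, CertificateHash -AutoSize
    throw "Some AD FS SSL bindings still reference the old certificate"
}
Write-Host "All AD FS SSL bindings now use $thumb"

# On each Web Application Proxy (not domain joined, so done separately), after
# importing the certificate into its machine Personal store, the equivalent of
# the last step is:
#   Set-WebApplicationProxySslCertificate -Thumbprint <new thumbprint>
```

Run it once per AD FS server; on secondaries the service communication step is skipped automatically because that setting is replicated from the primary, while the HTTP.sys binding is local to each node. The final check is the one to keep an eye on: if any binding still reports the old hash after the restart, the certificate swap is incomplete for that host or port.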

Consider leaving a reply in case this post helped you. Thanks!


Comments (29)

  1. Anonymous says:

    Thanks so much for the rebinding commands. Why aren’t those in the official docs?!

  2. Oh what a lovely post. Many thanks. I am still stuck.
    I had a publicly trusted wildcard cert for my domain (it worked for OWA, SharePoint, OA, and I could also use it for ADFS and WAP). Brilliant. BUT when I got to device registration I found I need a SAN on the certificate called enterpriseregistration.mydomain.com.

    Since my cert comes from Godaddy, I can’t have SAN on a wildcard cert, so I will have to use a UCC SAN cert instead.

    Before I rekey a certificate, are there any other SANs I need (apart from SIP, OWA, EDGE, MAIL, AUTODISCOVER, ENTERPRISEREGISTRATION…)?

  3. Jaguar says:

    As part of our deployment of ADFS 3.0 (to replace our ADFS 1.1), we had to replace the first SSL certificate that we cut. After doing the usual process (including replacing it in the ADFS console), our federation proxies could not talk to the internals. Neither could my workstation using a hosts file to communicate directly to one of the internal FS servers. Looking at the ADFS Admin log (or the Debug log), it showed a yellow on a thumbprint that it could not find. This is what we had to do:

    1. Get the thumbprint of the replacement SSL cert.

    2. Copy it to notepad and remove the spaces.

    3. Open powershell on one of the FS servers.

    4. Run Get-AdfsSslCertificate. This showed the thumbprint still "stuck" in ADFS, the old one.

    5. Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx   (without spaces).

    6. Restart the ADFS service on both internal FS servers and all was well again.

    Sounds like a bug to me. Regards,

  4. Jaguar says:

    Not a bug. Since there is no IIS, that step has been replaced with Powershell, you have to do something similar on the Proxies as well. In addition, we ran into the following:

    1. We used our current code signing certificate from Digicert for the new system – and used it for the token decryption certificate.

    2. Our testing showed that WIA worked but FBA did not – the web form simply refreshed at login. A yellow warning appeared in the log about discarding corrupt cookie.

    3. After 3.5 days with our MCS engineer and PSS top level support, the issue was that the code signing cert did not have key usage/enhanced key usage terminology required for the token decryption cert.

    4. We generated a self signed cert with the proper terminology and the issue was resolved.

  5. Martin says:

    Jaguar, great stuff! Saved me a huge headache. Running your commands fixed my issue. Massive thanks!

  6. Matthieu says:

    Thanks Jaguar, the blog post is incomplete indeed, I had to run your Set-AdfsSslCertificate command to complete the configuration.

  7. Scott says:

    Just had to do this and it’s saved me so many problems – you sir are a star!

  8. alex says:

    Thx a lot, worked!

  9. Paul D says:

    Many thanks for this article, saved me a lot of headaches trying to figure out the cert updating process.

  10. Tim M says:

    Understood that it isn’t a bug but Microsoft has the ability to program that process into the GUI. One shouldn’t require searching in a blog to resolve a problem that Microsoft pragmatically didn’t or neglected to do. If the web service is built into ADFS then the ADFS console or PowerShell cmdlets should complete the configuration wholly not partially causing hours of support. (I guess one assumes that "SET" means set.)

  11. Scott R. says:

    I just went through a ADFS Farm Name change and ran into a issue where the old SSL Certs were still showing in the command Get-AdfsSslCertificate

    This caused ADFS to return a Unauthorized Error if I tried to issue a token under the new farm name, but using the old farm name would still work (Invoke-WebRequest : The remote server returned an error: (401) Unauthorized.).

    I had to go into netsh http and delete the old SSL bindings from each ADFS Server using the following command:
    netsh http delete sslcert hostnameport={oldname}:49443
    netsh http delete sslcert hostnameport={oldname}:443

    Also shout out to ADFS Team for their ADFSDiagnostics module! (https://gallery.technet.microsoft.com/scriptcenter/AD-FS-Diagnostics-Module-8269de31) The PowerShell
    Test-AdfsServerToken cmdlet is awesome.
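An added example prompted by the comment above, not code from the post or from any commenter: it parses the output of `netsh http show sslcert` on the AD FS server and reports hostname bindings on the AD FS ports (443 and 49443) that still point at a retired farm name or at a certificate hash other than the expected one. It only reports; the `netsh http delete sslcert` commands are printed for review, not executed. Assumptions: elevated PowerShell on the AD FS server, `$ExpectedThumbprint` and `$RetiredHostName` are placeholders for your own values, the parsing follows the English-language netsh output layout, and `Get-HttpSslBindings` is a helper name chosen here.

```powershell
# Added example (not from the post or its comments): audit HTTP.sys SSL
# bindings for leftovers after an AD FS certificate or farm name change.
# Assumptions: elevated PowerShell on the AD FS server; $ExpectedThumbprint
# and $RetiredHostName are placeholders; English netsh output layout.
param(
    [Parameter(Mandatory = $true)] [string]$ExpectedThumbprint,
    [string]$RetiredHostName = ''
)

function Get-HttpSslBindings {
    # Parse 'netsh http show sslcert' into objects. Each binding block starts
    # with an "IP:port" or "Hostname:port" line and carries a
    # "Certificate Hash" line a few lines further down.
    param([string[]]$NetshOutput = (netsh http show sslcert))
    $bindings = @()
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            $current = [pscustomobject]@{ Kind = $Matches[1]; Endpoint = $Matches[2]; Hash = '' }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)\s*$') {
            $current.Hash = $Matches[1].ToUpperInvariant()
        }
    }
    return $bindings
}

$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 40) { throw "Expected a 40-character thumbprint, got '$expected'" }

# AD FS 3.0 listens on 443 for federation traffic and 49443 for certificate
# authentication; those are the ports the comment above had to clean up.
$adfsPorts = @('443', '49443')

foreach ($b in Get-HttpSslBindings) {
    $parts    = $b.Endpoint -split ':'
    $port     = $parts[-1]
    $hostName = $parts[0]
    if ($adfsPorts -notcontains $port) { continue }

    # AD FS 3.0 has no IIS, so its own bindings are hostname based. IP-based
    # bindings on these ports belong to something else and are only listed.
    if ($b.Kind -ne 'Hostname:port') {
        Write-Host "Info: IP binding $($b.Endpoint) -> $($b.Hash) (not an AD FS hostname binding)"
        continue
    }

    $reasons = @()
    if ($RetiredHostName -and ($hostName -ieq $RetiredHostName)) { $reasons += 'retired host name' }
    if ($b.Hash -ne $expected) { $reasons += 'unexpected certificate hash' }

    if ($reasons.Count -gt 0) {
        Write-Warning "Stale binding $($b.Endpoint) -> $($b.Hash) ($($reasons -join ', '))"
        Write-Host "  Review, then run if correct: netsh http delete sslcert hostnameport=$($b.Endpoint)"
    } else {
        Write-Host "OK: $($b.Endpoint) -> $($b.Hash)"
    }
}
```

Running this before and after `Set-AdfsSslCertificate` makes the symptom in the comment visible without guessing: a binding for the old farm name, or one still carrying the old hash, shows up as a warning with the exact delete command to review.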

  12. Casper says:

    Saved my day. Thank you

  13. Sean B. says:

    Thanks to all who contributed to this and especially Scott R. The netsh commands did the trick to get the cert back in and functioning.

    One other thing to note: in my case, when copying the Set-AdfsSslCertificate command from Notepad into my PS window, there was a little garbage character ahead of the thumbprint that was causing the command to fail… didn’t see it the first 2 times I tried… darn Surface 2 small screen and tired eyes!

  14. Anonymous says:

    My role has previously primarily focused on Microsoft Intune, nowadays it’s more towards our whole Enterprise

  15. Meera says:

    Just used this article and it was helpful. Thank You.

  16. Victor Lopes says:

    Thank you so much!

    If the "Get-AdfsSslCertificate" shows only the old certificate, get the thumbprint of the new certificate using mmc’s Certificates snap-in, and then use it with the "Set-AdfsSslCertificate -Thumbprint" command.

  17. Mark Ringo says:

    How does the new SSL certificate get installed onto the other ADFS 3.0 servers in the ADFS farm? I have a primary ADFS server and a secondary in NLB. Typically ADFS changes occur on the primary and those changes get synced to the secondary. I have imported the renewed certificate on the primary and it is working properly but the secondary is not receiving this configuration. I have imported the SSL certificate into the machine MY store on the secondary and I have assigned permission to the service account. The problem is that I am unable to issue PowerShell commands to install this certificate because it is the secondary and will not perform the commands.

  18. danny says:

    GREAT! That stupid Set-ADFSSslCertificate command needed to be run as well… THANKS it’s a life saver

  19. Jimmy Stewart says:

    I have the same question as Mark Ringo, if running ADFS in a load balance state, how do we get the non-primary ADFS server to use the new SSL Cert? Would love hearing if someone has a solution. Great article for ADFS servers, would recommend updating with ADFS Proxy method as well, would be helpful to get this all in one place.

  20. chase h. says:

    muchas gracias! Set-AdfsSslCertificate is what I needed to resolve System Event Log being rampaged by Error 15021.

  21. Egert V says:

    Anyone has an answer to Mark Ringo’s and Jimmy Stewart question? I have 3 ADFS server and 3 Proxies and would be great to know what is the recommended procedure for updating SSL cert in the secondary servers.

  22. Lee M says:

    Egert +1

  23. Egert V says:

    In case anyone still need an answer for how to update the certs on the secondary ADFS servers.

    Set-ADFSSslCertificate command needs to be run on ALL ADFS servers !!!!!!

  25. Jeromy B says:

    Get-ChildItem -Path Cert:\LocalMachine\My

    Will return a Thumbprint that you will not have to edit spaces out of.

  26. Dan_IT says:

    just tried this, but it didn’t automatically update the SSL cert on the IIS site of my ADFS server – I’ve manually updated that to the new cert

  27. Rob says:

    Thanks to everyone that contributed to this post, it saved me a lot of work! However, my configuration was still not working until I did this:
    http://blogs.technet.com/b/rmilne/archive/2015/04/20/adfs-2012-r2-web-application-proxy-_2d00_-re_2d00_establish-proxy-trust.aspx
    Once the trust was re-established everything turned green!

  28. Brandon C says:

    If Mark Ringo is still looking for an answer, the best thing to do is temporarily change your secondary ADFS server to primary:

    Set-AdfsSyncProperties -Role PrimaryComputer

    Once you’re done, change it back to a secondary server:
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN of your ADFS primary server}