Replace certificates on ADFS 3.0

In my test environment I wanted to replace self-signed certificates with publicly trusted ones.

Follow these steps if you want to achieve the same:

  • RDP to your ADFS 3.0 server
  • Import the new certificate to the Machine’s Personal Store
  • Make sure you have the private key that corresponds to this certificate. If not, go to the PC you requested the certificate on, export it from there and make sure to include the private key.

  • Assign the proper permissions to the Private Key for the ADFS Managed Service Account:

  • Make sure to select “Service Accounts” when searching for the account.

  • Now switch to AD FS management, drill down to Certificates and select “Set Service Communication Certificate”

  • You will be prompted for the required certificate. If you don’t see the new certificate in the list of available certificates, it means you either don’t have the private key that corresponds to this certificate OR you didn’t import the certificate correctly.

(The following commands also have to be run – thanks to Jaguar, who pointed this out in a comment.)

  • Run Get-AdfsSslCertificate and make a note of the thumbprint of the new certificate.
    • If it is unclear which certificate is the new one, open the Certificates MMC snap-in, locate the new certificate and scroll down in its list of properties to see the thumbprint.
  • Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx (the thumbprint without spaces).
  • Restart the ADFS service.

Optionally, when using one or more Web Application Proxies:

  • Copy and import the new certificate to each Web Application Proxy (these are not domain joined). Make sure the certificate is imported into the Machine Personal Store.
  • Switch the certificate on the Web Application Proxy. I personally did this by reinstalling the Web Application Proxy (which requires a reboot), but it is much easier to use the “Set-WebApplicationProxySslCertificate” cmdlet.
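The PowerShell part of the procedure above, scripted with the sanity checks I would want before touching the binding. This is an added example, not a script from the original post; it assumes the certificate is already in the machine Personal store, that the placeholder thumbprint is replaced, and that it runs in an elevated PowerShell on the AD FS 3.0 server.

```powershell
# Added example, not part of the original post. Run elevated on the AD FS 3.0 server.
$NewThumbprint = 'REPLACE_WITH_NEW_CERT_THUMBPRINT'   # placeholder: hex only, no spaces

# 1. Find the certificate in the machine Personal store and confirm it has a private key
#    and is not expired. Without the private key AD FS will not list it (the symptom above).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert)                    { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate has no private key; re-export it including the key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. Record the current SSL binding(s) so the result can be compared afterwards.
$before = Get-AdfsSslCertificate
$before | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# 3. Set the service communication certificate. This is the cmdlet equivalent of the
#    "Set Service Communication Certificate" action in the AD FS console.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $NewThumbprint

# 4. Switch the SSL binding and restart the service so both changes take effect.
Set-AdfsSslCertificate -Thumbprint $NewThumbprint
Restart-Service -Name adfssrv

# 5. Verify that every binding now reports the new certificate hash.
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $NewThumbprint }
if ($stale) {
    $stale | Format-Table HostName, PortNumber, CertificateHash -AutoSize
    throw "Some AD FS SSL bindings still use the old certificate"
}
Write-Host "All AD FS SSL bindings now use $NewThumbprint"

# Optional: on each Web Application Proxy, after importing the same certificate
# (with its private key) into that machine's Personal store:
# Set-WebApplicationProxySslCertificate -Thumbprint $NewThumbprint
```

Keep the old certificate in the store until the verification step passes and users can sign in again, so that rolling back is a matter of re-running the two Set- cmdlets with the old thumbprint.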

Consider leaving a reply in case this post helped you. Thanks!