Part 2 – Update Active Directory Federation Services 3.0 & Web Application Proxy (SSL) certificates
This blog series explains how updating Active Directory Federation Service (ADFS) and Web Application Proxy (WAP) certificates. In part 1 we covered the update process of ADFS certificates. In part 2 we’ll cover the process of updating Web Application Proxy (WAP) certificates.
- Part 1 – Update Active Directory Federation Service certificates
- Part 2 – Update Web Application Proxy SSL certificates
- Part 3 – Update Web Application Proxy application certificate(s)
Here you can read how.
- First, you‘ve to import the new certificate (complete with private key) into the Computer’s Personal store. When using WAP in a NLB configuration the certificate must be installed on all nodes within this NLB cluster
- Next, you’ll need the thumbprint of that certificate. Sure, you could copy it from the certificate details in the GUI, and delete all the spaces and convert all the letters to uppercase, but, since we’re going to need to be PowerShell anyway, we might as well use it to get the info we need:
Get-ChildItem -Path cert:\LocalMachine\My\ | select Subject, FriendlyName, Thumbprint | Format-List
- You should get a nice, easy to read, list of the certs in the Computer’s Personal store. If the Subject or Friendly name are appropriately descriptive you should be find your cert. Copy the conveniently formatted Thumbprint
- During the initial setup of WAP the ADFS certificate was binded to the http.sys kernel mode driver that handles HTTP requests. Due to the limited tasks WAP GUI provides you, your best friend here is PowerShell! First you’ve to retrieve the Web Application Proxy SSL certificate thumbprint
- As we know the obsolete Web Application Proxy SSL certificate we can update it with the new certificate issued by a public trusted certificate authority
Set-WebApplicationProxySslCertificate -Thumbprint FF2D1093C4ACD54583C6DC6AF722C54718AF7E24
- After updating the Web Application Proxy SSL certificate validate if the update was completed succesfully and the new certificate is binded to http.sys kernel driver
- For completeness restart both Web Application Proxy- and Web Application Proxy Controller Services and you’re good to go!
Restart-Service -DisplayName ‘Web Application Proxy Controller Service’ –Force
In the last part (3) of this blog series we’ll cover the update process of updating certificates used by your web applications, published by Web Application Proxy server.