Part 1 – Update Active Directory Federation Services 3.0 & Web Application Proxy (SSL) certificates
When using Active Directory Federation Services (ADFS) you’ll have to update or replace certificates at some point. This also applies to the Web Application Proxy (WAP) server when it is used together with Active Directory Federation Services 3.0. In three blog posts I’ll explain how to update Active Directory Federation Services (ADFS) and Web Application Proxy (WAP) certificates. In part 1 we’ll cover the update process for ADFS. Here you can read how.
- Part 1 – Update Active Directory Federation Service certificates
- Part 2 – Update Web Application Proxy SSL certificate(s)
- Part 3 – Update Web Application Proxy application certificate(s)
Before starting, make sure you’re using a Legacy Cryptographic Service Provider certificate template when generating the Certificate Signing Request (CSR), which can be achieved by selecting a V1 template such as the Web Server certificate template. This is mandatory, as ADFS is not compatible with certificates based on the newer cryptographic technology known as Cryptography Next Generation (CNG). This can also be achieved by creating the CSR via Internet Information Services (IIS). Read this post by Gregg O’Brien (Microsoft PFE) for more background information on this.
The occasion for updating both the ADFS and WAP certificates was that I was using self-signed certificates, which caused me additional challenges. To overcome these challenges I started using a certificate issued by a publicly trusted certificate authority.
- First, you have to import the new certificate (complete with private key) into the Computer’s Personal store. When using ADFS in a farm configuration the certificate must be installed on all nodes within the farm.
- Next, you’ll need the thumbprint of that certificate. Sure, you could copy it from the certificate details in the GUI, delete all the spaces and convert all the letters to uppercase, but since we’re going to need PowerShell anyway, we might as well use it to get the info we need:
Get-ChildItem -Path cert:\LocalMachine\My\ | select Subject, FriendlyName, Thumbprint | Format-List
- You should get a nice, easy-to-read list of the certs in the Computer’s Personal store. If the Subject or Friendly name is appropriately descriptive you should be able to find your cert. Copy the conveniently formatted Thumbprint.
- Now that the Thumbprint of the new certificate is known you can start updating the ADFS certificates. There are three certificates in ADFS that must be updated, namely the Service Communications, Token-decrypting and Token-signing certificates. For more information on ADFS certificate types see http://technet.microsoft.com/en-us/library/dd807040.aspx
#Update Service communications certificate
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint 'FF2D1093C4ACD54583C6DC6AF722C54718AF7E24'
#Disable automatic certificate rollover (Token-decrypting and Token-signing certificates can only be added manually while it is off) and add the new certificates
Set-AdfsProperties -AutoCertificateRollover $false
Add-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint 'FF2D1093C4ACD54583C6DC6AF722C54718AF7E24'
Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint 'FF2D1093C4ACD54583C6DC6AF722C54718AF7E24'
- After completing the above steps you’ve updated the Service Communications certificate and added new Token-decrypting and Token-signing certificates.
- In order to remove the obsolete certificate(s), the added certificate(s) must be set to primary:
#Set new Token-decrypting and Token-signing certificate to primary
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint 'FF2D1093C4ACD54583C6DC6AF722C54718AF7E24' -IsPrimary
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint 'FF2D1093C4ACD54583C6DC6AF722C54718AF7E24' -IsPrimary
- After setting the new certificates to primary you can remove the obsolete Token-decrypting and Token-signing certificate(s):
#Remove obsolete Token-decrypting and Token-signing certificate(s)
Remove-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint '32E6BB1723F0FCED94590F04F05AC4529E6EE3DE'
Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint '32E6BB1723F0FCED94590F04F05AC4529E6EE3DE'
- Validate that both obsolete Token-decrypting and Token-signing certificate(s) have been removed.
- Now you’re almost done: just revert the AutoCertificateRollover setting and restart the Active Directory Federation Services service.
#Revert AutoCertificateRollover and restart ADFS services
Set-AdfsProperties -AutoCertificateRollover $true
Restart-Service -DisplayName 'Active Directory Federation Services' -Force
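The whole procedure above as a single script with the checks a practitioner would want before touching a production farm, as an added example that is not code from the original post: it locates the new certificate by subject, refuses CNG-backed keys (the compatibility issue mentioned at the start), records the current primary token certificates so the right ones are removed afterwards, and verifies the end state before restarting the service. It assumes an elevated PowerShell session on the primary federation server of an ADFS 3.0 farm with the ADFS module available, the new certificate already imported into LocalMachine\My, and a placeholder subject filter '*sts.example.com*'. The CNG test relies on the legacy .PrivateKey accessor failing for CNG keys, which is a heuristic rather than a documented API contract.

```powershell
# Added example, not from the original post. Assumptions: ADFS 3.0 (Windows Server 2012 R2),
# elevated session on the PRIMARY federation server, new certificate already in LocalMachine\My.
param(
    [string]$SubjectFilter = '*sts.example.com*'   # placeholder: match your federation service name
)

Import-Module ADFS

# 1. Find the newest certificate matching the filter that actually carries a private key.
$newCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $SubjectFilter -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $newCert) {
    throw "No certificate with a private key matching '$SubjectFilter' was found in LocalMachine\My."
}
if ($newCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($newCert.Thumbprint) expires on $($newCert.NotAfter); consider a fresher one."
}

# 2. Refuse CNG-backed keys. ADFS 3.0 needs a legacy CSP key; the legacy .PrivateKey accessor
#    throws 'Invalid provider type specified' for CNG keys, so use that as the check
#    (heuristic, assumed to match the failure ADFS itself would hit).
$legacyKey = $null
try { $legacyKey = $newCert.PrivateKey } catch { $legacyKey = $null }
if (-not $legacyKey) {
    throw "Certificate $($newCert.Thumbprint) uses a CNG key store; re-issue it from a legacy (V1) template."
}

$thumb = $newCert.Thumbprint
$tokenTypes = 'Token-Decrypting', 'Token-Signing'

# 3. Record the currently active token certificates so the correct old ones are removed later.
$oldCerts = @{}
foreach ($type in $tokenTypes) {
    $oldCerts[$type] = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
}

# 4. Service communications certificate. The ADFS service account needs read access to the
#    private key of this certificate, otherwise the service will not start after the restart.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb

# 5. Token certificates can only be added manually while automatic rollover is off.
Set-AdfsProperties -AutoCertificateRollover $false
foreach ($type in $tokenTypes) {
    $already = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $already) {
        Add-AdfsCertificate -CertificateType $type -Thumbprint $thumb
    }
    Set-AdfsCertificate -CertificateType $type -Thumbprint $thumb -IsPrimary
}

# 6. Remove the obsolete certificates, unless the new one was already primary.
foreach ($type in $tokenTypes) {
    $old = $oldCerts[$type]
    if ($old -and $old.Thumbprint -ne $thumb) {
        Remove-AdfsCertificate -CertificateType $type -Thumbprint $old.Thumbprint
    }
}

# 7. Validate: each token type must now hold exactly the new thumbprint, marked primary.
foreach ($type in $tokenTypes) {
    $remaining = @(Get-AdfsCertificate -CertificateType $type)
    if ($remaining.Count -ne 1 -or $remaining[0].Thumbprint -ne $thumb -or -not $remaining[0].IsPrimary) {
        throw "Validation failed for $type; inspect 'Get-AdfsCertificate -CertificateType $type' before restarting."
    }
}

# 8. Follow the post and re-enable automatic rollover, then restart ADFS.
#    Note: with rollover enabled, ADFS generates self-signed token certificates again at the
#    next scheduled rollover; leave it $false if the CA-issued certificate should stay in place.
Set-AdfsProperties -AutoCertificateRollover $true
Restart-Service -DisplayName 'Active Directory Federation Services' -Force
```

Run it once on the primary federation server; in a farm the configuration database replicates to the secondaries, but the certificate itself must already be in every node’s Personal store (the first step above). Relying parties that do not refresh your federation metadata automatically must be given the new token-signing certificate, or their token validation will fail as soon as the new certificate becomes primary.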
Have a great weekend!