Part 1 – Update Active Directory Federation Services 3.0 & Web Application Proxy (SSL) certificates

When using Active Directory Federation Services (ADFS) you'll have to update or replace certificates at some point. This also applies to the Web Application Proxy (WAP) server when it is used together with Active Directory Federation Services 3.0. In three blog posts I'll explain how to update Active Directory Federation Services (ADFS) and Web Application Proxy (WAP) certificates. In part 1 we'll cover the update process for ADFS. Here you can read how.

Before starting, make sure you generate the Certificate Signing Request (CSR) from a certificate template that uses a Legacy Cryptographic Service Provider, which you can do by selecting a V1 template such as the Web Server certificate template. This is mandatory, as ADFS is not compatible with certificates backed by the newer cryptographic technology known as Cryptography API: Next Generation (CNG). The same result can be achieved by creating the CSR via Internet Information Services (IIS). Read this post by Gregg O'Brien (Microsoft PFE) for more background information on this.


The occasion for updating both the ADFS and WAP certificates was that I was using self-signed certificates, which caused me additional challenges. To overcome these challenges I started using a certificate issued by a publicly trusted certificate authority.

  • First, you have to import the new certificate (complete with private key) into the Computer's Personal store. When running ADFS in a farm configuration, the certificate must be installed on every node in the farm.
  • Next, you'll need the thumbprint of that certificate. Sure, you could copy it from the certificate details in the GUI, delete all the spaces and convert all the letters to uppercase, but since we're going to need PowerShell anyway, we might as well use it to get the info we need:

Get-ChildItem -Path cert:\LocalMachine\My\ | select Subject, FriendlyName, Thumbprint | Format-List

  • You should get a nice, easy-to-read list of the certs in the Computer's Personal store. If the Subject or Friendly name is appropriately descriptive you should be able to find your cert. Copy the conveniently formatted Thumbprint.


  • Now that the Thumbprint of the new certificate is known you can start updating the ADFS certificates. There are three certificates in ADFS that must be updated, namely the Service Communications, Token-decrypting and Token-signing certificates. For more information on ADFS certificate types see

#Update Service communications certificate
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint 'FF2D1093C4ACD54583C6DC6AF722C54718AF7E24'

#Add new Token-decrypting and Token-signing certificates
#(Add-AdfsCertificate refuses to run while automatic certificate rollover is enabled, so disable it first)
Set-AdfsProperties -AutoCertificateRollover $false
Add-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint 'FF2D1093C4ACD54583C6DC6AF722C54718AF7E24'
Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint 'FF2D1093C4ACD54583C6DC6AF722C54718AF7E24'

  • After completing the above steps you have updated the Service Communications certificate and added the new Token-decrypting and Token-signing certificates.


  • In order to remove the obsolete certificate(s), the added certificate(s) must be set to primary:

#Set new Token-decrypting and Token-signing certificate to primary
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint 'FF2D1093C4ACD54583C6DC6AF722C54718AF7E24' -IsPrimary
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint 'FF2D1093C4ACD54583C6DC6AF722C54718AF7E24' -IsPrimary

  • After setting the new certificate to primary you can remove the obsolete Token-decrypting and Token-signing certificate(s):


#Remove obsolete Token-decrypting and Token-signing certificate(s)
Remove-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint '32E6BB1723F0FCED94590F04F05AC4529E6EE3DE'
Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint '32E6BB1723F0FCED94590F04F05AC4529E6EE3DE'

  • Validate that both obsolete Token-decrypting and Token-signing certificate(s) have been removed.


  • Now you're almost done; just revert the AutoCertificateRollover setting and restart the Active Directory Federation Services service:

#Revert AutoCertificateRollover and restart ADFS services
Set-AdfsProperties -AutoCertificateRollover $true
Restart-Service -DisplayName 'Active Directory Federation Services' -Force
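As an added example (not code from the original post), the script below ties the steps above together and adds the checks this post relies on: it first verifies that the new certificate in the Computer's Personal store carries a private key held by a legacy CSP rather than a CNG key (the requirement from the introduction), then performs the Service Communications, Token-decrypting and Token-signing rotation with validation before the obsolete certificate is removed, and finally lists the resulting ADFS certificate set. The function names Test-AdfsCompatibleCertificate and Update-AdfsCertificateSet and the placeholder thumbprints in the usage comment are assumptions; the Adfs cmdlets are the same ones used above.

```powershell
# Added example, not code from the original post. Function names and the
# placeholder thumbprints in the usage comment are assumptions. Run elevated
# on the ADFS node (the primary node in a WID farm) with the Adfs module loaded.

function Test-AdfsCompatibleCertificate {
    # Checks the preconditions from the post: the cert is in the Computer's
    # Personal store, has a private key, is still valid, and the key is held
    # by a legacy CSP (CNG-backed keys are not usable by ADFS 3.0).
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $tp = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    function New-Result($usable, $reason) {
        [pscustomobject]@{ Thumbprint = $tp; IsUsable = $usable; Reason = $reason }
    }

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert)                    { return New-Result $false 'not found in LocalMachine\My' }
    if (-not $cert.HasPrivateKey)      { return New-Result $false 'no private key in the store' }
    if ($cert.NotAfter -lt (Get-Date)) { return New-Result $false "expired on $($cert.NotAfter)" }

    try {
        # The legacy PrivateKey property only resolves CSP-backed keys; a CNG
        # key (or a key this account cannot read) throws a CryptographicException.
        $key = $cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return New-Result $true "legacy CSP: $($key.CspKeyContainerInfo.ProviderName)"
        }
        return New-Result $false 'private key is not an RSA CSP key'
    } catch [System.Security.Cryptography.CryptographicException] {
        return New-Result $false "CNG key or key not readable: $($_.Exception.Message)"
    }
}

function Update-AdfsCertificateSet {
    # Performs the rotation from the post, refusing to remove the old
    # Token-decrypting/Token-signing certificate until the new one is primary.
    param(
        [Parameter(Mandatory = $true)][string]$NewThumbprint,
        [Parameter(Mandatory = $true)][string]$OldThumbprint,
        [bool]$RestoreAutoRollover = $true   # the post re-enables rollover at the end
    )
    $new = ($NewThumbprint -replace '\s', '').ToUpperInvariant()
    $old = ($OldThumbprint -replace '\s', '').ToUpperInvariant()

    $check = Test-AdfsCompatibleCertificate -Thumbprint $new
    if (-not $check.IsUsable) { throw "Certificate $new is not usable for ADFS: $($check.Reason)" }

    # The Service Communications certificate is swapped in place.
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $new

    # Add-AdfsCertificate refuses to run while automatic rollover is enabled.
    Set-AdfsProperties -AutoCertificateRollover $false
    try {
        foreach ($type in 'Token-Decrypting', 'Token-Signing') {
            $current = Get-AdfsCertificate -CertificateType $type
            if (-not ($current | Where-Object { $_.Thumbprint -eq $new })) {
                Add-AdfsCertificate -CertificateType $type -Thumbprint $new
            }
            Set-AdfsCertificate -CertificateType $type -Thumbprint $new -IsPrimary

            # Validate the switch before touching the old certificate.
            $primary = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
            if ($primary.Thumbprint -ne $new) {
                throw "$type primary is $($primary.Thumbprint), expected $new; old certificate left in place"
            }
            if ($current | Where-Object { $_.Thumbprint -eq $old }) {
                Remove-AdfsCertificate -CertificateType $type -Thumbprint $old
            }
        }
    } finally {
        # With rollover enabled ADFS manages (self-signed) token certificates
        # itself; decide deliberately whether that is wanted for externally
        # issued certificates before leaving this at $true.
        if ($RestoreAutoRollover) { Set-AdfsProperties -AutoCertificateRollover $true }
    }

    Restart-Service -DisplayName 'Active Directory Federation Services' -Force

    # Final state: the old thumbprint should no longer appear for any type.
    Get-AdfsCertificate | Select-Object CertificateType, Thumbprint, IsPrimary
}

# Usage (placeholder thumbprints; take the real ones from the store listing above):
# Update-AdfsCertificateSet -NewThumbprint '<NEW-CERT-THUMBPRINT>' -OldThumbprint '<OLD-CERT-THUMBPRINT>'
```

Running Test-AdfsCompatibleCertificate on its own before the rotation is the cheapest way to catch a CNG-backed certificate, which otherwise only surfaces as an error when the ADFS service tries to use the key. Keep in mind that a new Token-signing certificate also has to reach every relying party that validates your tokens (via federation metadata or a manual update on their side), so plan that step alongside the restart.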

Have a great weekend!
