Replacing ADFS SSL Certificates
Date: May 8, 2019
Gone are the days when an admin could generate a 3/4/5-year SSL certificate for their ADFS deployments. Now you can look forward to this being an annual ritual (or every two years at best).
This blog post aims to help simplify the process by outlining the high-level steps that are required to provision and replace the certificate for your ADFS deployment.
Please Note: Renewal of token signing (TS) and token decryption (TD) certificates is a separate process and does not usually need to be performed at the same time that the ADFS certificate tied to the public FQDN is renewed. For more info, check out the links at the bottom.
Planning/considerations
- What SSL certificate provider do you use?
- What Server OS version are you running on your ADFS servers?
- Which ADFS server is the ‘primary’ ADFS server?
Checklist
- Generate the CSR from the ADFS primary server (review the directions from your certificate provider)
  - Tip: the DigiCert Certificate Utility makes this, and several of the other steps below, much less of a chore
- Submit the CSR to your SSL certificate provider and create the certificate
  - Tip: enable Certificate Transparency (CT logging) or you’ll have to start all over again.
- Download and install the certificate to the primary AD FS server, into the Local Machine/Personal store (allow the private key to be exportable)
- Export the certificate with its private key to a .PFX file
- Copy and import the certificate (PFX file) into the Local Machine/Personal store on each remaining AD FS and Web Application Proxy (WAP) server
- Replace the SSL certificate for AD FS
  - From the ADFS primary server:
    - Identify the certificate thumbprint and copy the value (PowerShell):
      dir Cert:\LocalMachine\My\
    - Assign the SSL certificate to the AD FS service on each AD FS server; on Windows Server 2016 this assigns it to all ADFS servers at the same time (PowerShell):
      Set-AdfsSslCertificate -Thumbprint '<thumbprint of new cert>'
- Replace the SSL certificate for the Web Application Proxy
  - From each Web Application Proxy server (PowerShell):
    Set-WebApplicationProxySslCertificate '<thumbprint of new cert>'
- Confirm the new certificate is operational
  - Open a browser window, type the federation server’s DNS host name in the address bar, and append /adfs/ls/IdpInitiatedSignon.aspx to it
  - Click the certificate icon in the browser and confirm the subject name, validity dates and SCT list (certificate transparency)
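As an added example (not from the original post), here is a PowerShell script for the primary AD FS server that ties the thumbprint, CT and assignment steps above together: it finds the newly imported certificate for the federation service name in Cert:\LocalMachine\My, checks that it has a private key, is within its validity period and carries an SCT list (so the Certificate Transparency check will not send you back to square one), compares it with what AD FS currently binds, and only assigns it when run with the constructed -Apply switch. It assumes Windows Server 2016 or later (Get-AdfsSslCertificate) and that the certificate's DNS name matches the HostName in Get-AdfsProperties.

```powershell
# Added example: select, validate and assign the new AD FS SSL certificate.
# Assumes Windows Server 2016+ (Get-AdfsSslCertificate exists) and that the
# certificate has already been imported into Cert:\LocalMachine\My.
param(
    [switch]$Apply   # constructed switch: without it the script only reports
)

$SctOid = '1.3.6.1.4.1.11129.2.4.2'   # RFC 6962 SCT list extension
$fsName = (Get-AdfsProperties).HostName
$domain = $fsName -replace '^[^.]+\.', ''
$now    = Get-Date

# Candidates: cover the federation service name (or a wildcard for its domain),
# are currently valid, and have a usable private key. Longest-lived first.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.DnsNameList.Unicode -contains $fsName -or
         $_.DnsNameList.Unicode -contains "*.$domain")
    } | Sort-Object NotAfter -Descending

if (-not $candidates) { throw "No valid certificate with a private key found for $fsName" }
$new = $candidates[0]

# Refuse a certificate with no embedded SCT list (the CT-logging tip above).
if (-not ($new.Extensions | Where-Object { $_.Oid.Value -eq $SctOid })) {
    throw "Certificate $($new.Thumbprint) carries no SCT list; reissue with CT logging enabled"
}

# Compare with the certificate the AD FS service currently binds on port 443.
$current = Get-AdfsSslCertificate | Where-Object { $_.PortNumber -eq 443 } | Select-Object -First 1
"Current: $($current.CertificateHash)  New: $($new.Thumbprint)  Expires: $($new.NotAfter)"

if ($current.CertificateHash -eq $new.Thumbprint) {
    "AD FS already uses the newest certificate; nothing to do."
} elseif ($Apply) {
    Set-AdfsSslCertificate -Thumbprint $new.Thumbprint
    Restart-Service adfssrv   # conservative: make sure the service picks up the new binding
    "Assigned $($new.Thumbprint); verify at https://$fsName/adfs/ls/IdpInitiatedSignon.aspx"
} else {
    "Dry run: re-run with -Apply to assign $($new.Thumbprint)."
}
```

Run it once without -Apply to see which certificate it would pick and why, then again with -Apply; the WAP servers still need Set-WebApplicationProxySslCertificate with the same thumbprint.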
References
Here are some references for additional information:
- Managing SSL Certificates in AD FS and WAP in Windows Server 2016
- Microsoft AD FS: Create CSR and Install SSL Certificate (DigiCert Utility)
- Update the SSL certificate for an Active Directory Federation Services (AD FS) farm
- AD FS Requirements
- AD FS Troubleshooting – Certificates
- Certificate Requirements for Federation Servers
- Obtain and Configure TS and TD Certificates for AD FS
- Renew federation certificates for Office 365 and Azure Active Directory