Replacing ADFS SSL Certificates

Categories: HowTo, Identity, Windows Server

Gone are the days where an admin could generate a 3/4/5-year SSL certificate for their ADFS deployments. Now you can look forward to this being an annual ritual (or every two years at best).

This blog post aims to help simplify the process by outlining the high-level steps that are required to provision and replace the certificate for your ADFS deployment.

Please Note: Renewal of token signing (TS) and token decryption (TD) certificates is a separate process and does not usually need to be performed at the same time that the ADFS certificate tied to the public FQDN is renewed. For more info, check out the links at the bottom.


  • What SSL certificate provider do you use?
  • What Server OS version are you running on your ADFS servers?
  • Which ADFS server is the ‘primary’ ADFS server?


  1. Generate the CSR from ADFS Primary server (review directions from certificate provider)
  2. Submit CSR to your SSL Certificate provider and create the certificate
  3. Download and Install certificate to the primary AD FS server
    Local Machine/Personal Store (allow private key to be exportable)
  4. Export certificate w/private key to .PFX file
  5. Copy and Import certificate (PFX file) to the
    Local Machine/Personal Store on each remaining AD FS and Web Application Proxy (WAP) server
  6. Replace the SSL certificate for AD FS
    1. From ADFS Primary server: 
      1. Identify certificate thumbprint (copy value)
        • (PowerShell) dir Cert:\LocalMachine\My\
      2. Assign the SSL Certificate to the AD FS service on each AD FS server (If using Windows Server 2016 assigns to all ADFS servers at same time)
        • (PowerShell) Set-AdfsSslCertificate -Thumbprint '<thumbprint of new cert>'
  7. Replace the SSL certificate for the Web Application Proxy
    1. From each Web Application Proxy server
      • (PowerShell) Set-WebApplicationProxySslCertificate '<thumbprint of new cert>'
  8. Confirm new certificate is operational
    1. Open a browser window, in the address bar type the federation server’s DNS host name, and then append /adfs/ls/IdpInitiatedSignon.aspx to it
    1. Click the certificate icon in the browser and confirm the subject name, dates of validity, SCT list (certificate transparency)


Here are some references for additional information: