How to renew or replace SSL Certificate on ADFS 2.0 Servers.

Author: Amit, IT Architect
Recently, I got a chance to renew certificates on Active Directory Federation Services (ADFS) servers. I read a lot of articles, but doing it in production is totally different. Hence, I am sharing all the steps I performed to successfully renew/replace the Service Communications, Token-Signing, and Token-Decrypting certificates.

I had four ADFS servers: two ADFS proxies in the DMZ and two ADFS main servers in a farm with a SQL back-end database.

Step 1. Request New Certificate.
  • Generate a new certificate request with the same private key from the primary ADFS server in your farm. You can use IIS or the Certificates snap-in to generate the new certificate request.

    Note: You also need the root and intermediate certificates.
Step 2. Import New Certificate in Certificate Store.
  • Import the new certificate, with its private key, into the certificate store on the primary ADFS server.
  • Launch MMC > File > Add/Remove Snap-in > Certificates > Add > Computer Account > Local Computer > Finish.
  • Browse to the Personal store and import the certificate.
  • Right-click the new certificate > All Tasks > Manage Private Keys > add the ADFS service account > grant Read permission.
  • Browse to the Intermediate Certification Authorities store and import the intermediate certificate.
  • Browse to the Trusted Root Certification Authorities store and import the root certificate.
  • Now export the certificate with its private key and import it on the other ADFS servers.

    Note: Make sure to add the service account permission on all ADFS servers. This is not required for the ADFS proxies.
Step 3. Apply new Certificate in ADFS snap-in.
  • Log in to the primary ADFS server.
  • Launch the ADFS snap-in and browse to Service > Certificates.
  • Under Certificates, change the Service Communications, Token-decrypting and Token-signing certificates to the new certificate.
  • Set the new certificate as primary by right-clicking it. You need to do this only for Token-decrypting and Token-signing.
  • Restart the ADFS service on the primary ADFS server and then on all other ADFS servers.

    Note: You need to change the certificate on the primary ADFS server only. The other servers will sync automatically. No further action is required in the snap-in on the other ADFS servers, including the ADFS proxies.
Step 4. Change Certificate Binding in IIS.
  • Launch the IIS snap-in on each ADFS server, one by one.
  • Right-click Default Web Site and select Edit Bindings.
  • Select HTTPS/443 and click Edit > select the new certificate > click OK.
  • Close IIS and launch CMD as administrator.
  • Type iisreset and hit Enter.
  • Repeat the above steps on all ADFS servers.
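The following PowerShell is an added example, not part of the original article, that scripts the checks a practitioner would want around Steps 2, 3 and 4: that the imported certificate has a private key and a valid chain and that the ADFS service account can read the key (Step 2), the same certificate changes the snap-in makes in Step 3 using the AD FS 2.0 `Microsoft.Adfs.PowerShell` snap-in cmdlets (`Get-ADFSProperties`, `Set-ADFSProperties`, `Add-ADFSCertificate`, `Set-ADFSCertificate`, `Get-ADFSCertificate`), and a check that HTTP.SYS really presents the new certificate on port 443 after Step 4. It assumes the renewed certificate is already in the computer's Personal store, that its thumbprint is supplied as `$NewThumbprint` (the value below is a placeholder), that the AD FS 2.0 service name is `adfssrv`, and that the private key is a CSP (CAPI) key stored under `MachineKeys`; the syntax is kept PowerShell 2.0 compatible for Windows Server 2008 R2.

```powershell
# Added example (not from the article): scripted checks and changes for Steps 2-4 on AD FS 2.0.
# Assumptions: renewed certificate and chain already imported (Step 2); $NewThumbprint holds its
# thumbprint; 'adfssrv' is the AD FS 2.0 Windows service; the key is a CSP key under MachineKeys.

function Test-AdfsCertificatePrereqs {
    # Step 2 checks: private key present, chain validates, service account can read the key file.
    param([string]$Thumbprint)
    $Thumbprint = $Thumbprint -replace '\s', ''   # the MMC copies thumbprints with spaces
    $cert = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    if (-not $cert.HasPrivateKey) { throw "No private key for $Thumbprint; re-import the PFX with its key." }
    if (-not $cert.Verify())      { throw "Chain for $Thumbprint does not validate; import the root/intermediate certificates." }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)." }

    $svcAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
    if ($null -eq $cert.PrivateKey) {
        # CNG (KSP) keys are not exposed through .PrivateKey; confirm the ACL in Manage Private Keys instead.
        Write-Warning "Key is not a CSP key; confirm $svcAccount has Read via Manage Private Keys."
        return $true
    }
    # A CSP machine key is a file under MachineKeys; 'Manage Private Keys' edits this file's ACL.
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $ace = (Get-Acl $keyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $svcAccount -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    if (-not $ace) { throw "$svcAccount has no Read permission on the private key; grant it via Manage Private Keys." }
    return $true
}

function Set-AdfsRenewedCertificate {
    # Step 3 via PowerShell instead of the snap-in. Run on the primary federation server only;
    # the secondaries pick the change up from the configuration database (see the Note in Step 3).
    param([string]$Thumbprint)
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

    # Set-ADFSCertificate refuses to change token certificates while AutoCertificateRollover is on.
    if ((Get-ADFSProperties).AutoCertificateRollover) {
        Set-ADFSProperties -AutoCertificateRollover $false
    }
    Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint

    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        Add-ADFSCertificate -CertificateType $type -Thumbprint $Thumbprint    # added as a secondary first
        Set-ADFSCertificate -CertificateType $type -Thumbprint $Thumbprint -IsPrimary
        # The previous primary remains as a secondary (and in the metadata) until you remove it
        # with Remove-ADFSCertificate once every relying party has picked up the new certificate.
    }
    Restart-Service adfssrv

    # Report what AD FS now uses; the token types should show IsPrimary = True for the new thumbprint.
    Get-ADFSCertificate | Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
}

function Test-AdfsHttpsBinding {
    # Step 4 check: HTTP.SYS must present the new certificate on 443 on every server, proxies included.
    param([string]$Thumbprint)
    $m = netsh http show sslcert ipport=0.0.0.0:443 | Select-String 'Certificate Hash\s*:\s*([0-9a-fA-F]+)'
    if (-not $m) { Write-Warning 'No SSL binding on 0.0.0.0:443; check the IIS site bindings (or the [::]:443 binding).'; return $false }
    $bound = $m.Matches[0].Groups[1].Value
    if ($bound -ne ($Thumbprint -replace '\s', '')) {   # -ne is case-insensitive for strings
        Write-Warning "443 still binds $bound; re-select the certificate in IIS and run iisreset."
        return $false
    }
    return $true
}

# Usage (placeholder value; paste the thumbprint of the renewed certificate):
# $NewThumbprint = 'PASTE-NEW-THUMBPRINT-HERE'
# Test-AdfsCertificatePrereqs -Thumbprint $NewThumbprint   # on every farm server that holds the key
# Set-AdfsRenewedCertificate  -Thumbprint $NewThumbprint   # on the primary federation server only
# Test-AdfsHttpsBinding       -Thumbprint $NewThumbprint   # on every server, including the proxies
```

The key-file ACL check is the part most often skipped by hand: a certificate that imports cleanly but whose key the service account cannot read fails only when the service restarts in Step 3, which is the worst moment to find out.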
Step 5. Send Certificate update to Relying Parties.
  • If a relying party is using your metadata URL, ask them to refresh it.
  • If a relying party is using the SSL certificate directly, send them the new certificate.

    Note: You need to communicate with the relying parties well in advance, and the change needs to be performed at the same time at both your end and the RP's end. Failing to do so will lead to an application outage.
Step 6. Post implementation test.
  • As the ADFS admin, test using the IdP URL.
  • Ask the relying party vendors and application owners to also test using their SP-provided URL.
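As an added post-implementation check for Step 6 (this is example code, not from the article), the script below looks at the service from the outside the way a relying party does: it fetches the federation metadata over HTTPS, records the TLS certificate actually served on 443, decodes every `KeyDescriptor` certificate in the metadata (`use="signing"` corresponds to Token-Signing, `use="encryption"` to Token-Decrypting), and flags any slot that does not carry the renewed thumbprint. It assumes the AD FS 2.0 default metadata path `/FederationMetadata/2007-06/FederationMetadata.xml`, a federation service name you pass as `-AdfsFqdn` (the `adfs.example.com` below is a placeholder), and the renewed certificate's thumbprint as `-ExpectedThumbprint`.

```powershell
# Added example (not from the article): verify what relying parties see after the renewal.
# Assumptions: AD FS 2.0 default metadata path; $AdfsFqdn and $ExpectedThumbprint are placeholders.
function Test-AdfsPublishedCertificates {
    param([string]$AdfsFqdn, [string]$ExpectedThumbprint)
    $ExpectedThumbprint = $ExpectedThumbprint -replace '\s', ''
    $url = "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"

    # 1. The TLS certificate served on 443 (the Service Communications / IIS binding from Step 4).
    $req    = [System.Net.HttpWebRequest]::Create($url)
    $resp   = $req.GetResponse()
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body   = $reader.ReadToEnd()
    $reader.Close(); $resp.Close()
    $tls = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($req.ServicePoint.Certificate)

    $found = @()
    $found += New-Object PSObject -Property @{ Slot = 'TLS on 443'; Thumbprint = $tls.Thumbprint }

    # 2. The certificates advertised in the metadata, i.e. what an RP imports when it refreshes
    #    your metadata URL in Step 5: signing = Token-Signing, encryption = Token-Decrypting.
    [xml]$md = $body
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    foreach ($kd in $md.SelectNodes('//md:KeyDescriptor', $ns)) {
        $b64 = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $c.Import([Convert]::FromBase64String($b64))
        $use = $kd.GetAttribute('use'); if (-not $use) { $use = 'signing+encryption' }
        $found += New-Object PSObject -Property @{ Slot = "metadata ($use)"; Thumbprint = $c.Thumbprint }
    }

    # Any slot not carrying the renewed thumbprint is one an RP could still pick up.
    $stale = @($found | Where-Object { $_.Thumbprint -ne $ExpectedThumbprint })
    $found | Format-Table Slot, Thumbprint -AutoSize | Out-Host
    if ($stale.Count -gt 0) { Write-Warning "$($stale.Count) slot(s) still publish an old certificate." }
    return ($stale.Count -eq 0)
}

# Usage (placeholder values); run from a machine that resolves the federation service name:
# Test-AdfsPublishedCertificates -AdfsFqdn 'adfs.example.com' -ExpectedThumbprint 'PASTE-NEW-THUMBPRINT-HERE'
```

A stale metadata slot is expected while the old token certificate is still configured as a secondary; once every relying party has refreshed, removing that secondary makes the metadata list only the new certificate.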
I hope this will help a lot of ADFS admins.

Comments (4)

Commented:
Hi Amit, thanks for posting your article, would like to recommend a small update to include mention that these instructions relate to AD FS 2.0 (I don't see it mentioned). 2012R2 no longer uses IIS or the same kind of ADFS proxies. Thank you for sharing, this is one of those technologies that often floats into "I don't want to know" territory (a little like PKI) for many sysadmins. Cheers! Alicia.
Amit (Author)

Commented:
I updated the title. Hope that will be helpful. Thanks for reading my article.

Commented:
Very useful indeed, thank you very much for your efforts to create this detailed guide.
Appreciated!
Amit (Author)

Commented:
Thanks for appreciating my efforts.
