How to renew or replace SSL Certificate on ADFS 2.0 Servers.

Recently I had to renew the certificates on a set of Active Directory Federation Services (AD FS) 2.0 servers. I read a lot of articles, but doing it in production is a different matter, so I am sharing all the steps I performed to renew/replace the Service Communications, Token-Signing and Token-Decrypting certificates.

The farm had four AD FS servers: two AD FS proxies in the DMZ and two AD FS federation servers in a farm backed by a SQL Server configuration database.

Step 1. Request New Certificate.
  • Generate a new certificate signing request (CSR) on the primary AD FS server in your farm, using IIS or the Certificates snap-in. The subject name (or a SAN entry) must be the federation service name, i.e. the FQDN that clients and relying parties use to reach AD FS. Generate a new key pair rather than re-using the existing private key; a renewal is the natural moment to retire the old key.

    Note: You also need the issuing CA's root and intermediate certificates, so that the chain validates on every server.
Step 2. Import New Certificate in Certificate Store.
  • Import the new certificate, with its private key, into the certificate store on the primary AD FS server.
  • Launch MMC > File > Add/Remove Snap-in > Certificates > Add > Computer Account > Local Computer > Finish.
  • Browse to the Personal store and import the certificate.
  • Right-click the new certificate > All Tasks > Manage Private Keys > add the AD FS service account > grant Read permission. Read is all the service needs; do not grant Full Control.
  • Browse to the Intermediate Certification Authorities store and import the intermediate certificate.
  • Browse to the Trusted Root Certification Authorities store and import the root certificate.
  • Now export the certificate with its private key (PFX) and import it on every other AD FS server, including the proxies, which need it for their IIS binding in Step 4. Protect the PFX with a strong password, copy it over a secure channel and delete the file once the import is done.

    Note: Make sure to grant the service account permission on every federation server. This is not required on the AD FS proxies.
Step 3. Apply new Certificate in ADFS snap-in.
  • Log in to the primary AD FS server.
  • Launch the AD FS 2.0 Management snap-in and browse to Service > Certificates.
  • Under Certificates, change the Service Communications, Token-Decrypting and Token-Signing certificates to the new certificate. If the Add Token-Signing/Token-Decrypting Certificate actions are greyed out, automatic certificate rollover is still enabled; turn it off first with Set-ADFSProperties -AutoCertificateRollover $false in the AD FS 2.0 PowerShell snap-in.
  • Set the new certificate as primary by right-clicking it. This is only needed for Token-Decrypting and Token-Signing. Adding it as a secondary certificate first publishes it in the federation metadata, so relying parties that consume your metadata can pick it up before you promote it.
  • Restart the AD FS 2.0 Windows Service (adfssrv) on the primary AD FS server and then on all the other AD FS servers.

    Note: You only need to change the certificates on the primary AD FS server; the other federation servers pick the change up automatically from the configuration database. No action is required on the other AD FS servers or on the proxies for this step.
Step 4. Change Certificate Binding in IIS.
  • Launch the IIS snap-in on each AD FS server (federation servers and proxies) in turn.
  • Right-click Default Web Site and select Edit Bindings.
  • Select https/443, click Edit, select the new certificate and click OK.
  • Close IIS and launch CMD as administrator.
  • Type iisreset and press Enter.
  • Repeat the above steps on all AD FS servers. Verify each binding with netsh http show sslcert: the Certificate Hash shown for 0.0.0.0:443 must equal the new certificate's thumbprint.
Step 5. Send Certificate update to Relying Parties.
  • If a relying party consumes your federation metadata URL, ask them to refresh it.
  • If a relying party was configured with a copy of the certificate, send them the new public certificate (.cer). Never send the PFX or the private key.

    Note: Communicate with the relying parties well in advance, and perform the change at the same time at both ends, yours and the RP's. Failing to do so will cause an application outage, because tokens signed with the new key are rejected until the RP trusts it.
Step 6. Post implementation test.
  • As the AD FS admin, test with the IdP-initiated sign-on page (https://<federation service name>/adfs/ls/IdpInitiatedSignOn.aspx), both from the internal network and through the proxies.
  • Ask the relying-party vendors and application owners to test as well, using the SP-provided URL.
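The whole procedure (Steps 2 to 4 plus a verification pass for Step 6) can be scripted instead of clicked through on every server. The following PowerShell is an added example written for this page, not code from the original article; it targets the AD FS 2.0 PowerShell snap-in on Windows Server 2008 R2 and assumes hypothetical values for the PFX path and password, the service account, the federation service name and the two role switches. Run it elevated: first on the primary federation server with -IsPrimaryFederationServer, then on the other federation servers with no switch, then on each proxy with -IsProxy.

```powershell
# Added example (not from the original article): scripted Steps 2-4 and a
# verification pass for AD FS 2.0. All parameter defaults are assumptions.
param(
    [string]$PfxPath        = 'C:\certs\federation.pfx',   # assumption
    [string]$PfxPassword    = 'ChangeMe!',                  # assumption; prefer Read-Host
    [string]$ServiceAccount = 'CONTOSO\svc_adfs',           # assumption
    [string]$FederationFqdn = 'sts.contoso.com',            # assumption
    [switch]$IsPrimaryFederationServer,  # run Step 3 only here
    [switch]$IsProxy                      # proxies: import + IIS binding only
)

# --- Step 2: import the PFX into LocalMachine\My and locate it by subject ------
& certutil -f -p $PfxPassword -importpfx $PfxPath | Out-Null
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$FederationFqdn*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate for $FederationFqdn not found in LocalMachine\My" }
$thumb = $cert.Thumbprint

# Grant the AD FS service account Read on the private key (federation servers only).
# Equivalent of MMC > Manage Private Keys; CSP keys live as files under MachineKeys.
if (-not $IsProxy) {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    & icacls $keyPath /grant "${ServiceAccount}:R" | Out-Null
}

# --- Step 3: point the federation service at the new certificate (primary only) --
if ($IsPrimaryFederationServer) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    # Manually managed token certificates require automatic rollover to be off.
    if ((Get-ADFSProperties).AutoCertificateRollover) {
        Set-ADFSProperties -AutoCertificateRollover $false
    }
    Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $thumb
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        # Add as secondary first (published in metadata), then promote to primary.
        Add-ADFSCertificate -CertificateType $type -Thumbprint $thumb
        Set-ADFSCertificate -CertificateType $type -Thumbprint $thumb -IsPrimary
    }
}

# --- Step 4: rebind https/443 in IIS to the new certificate and restart --------
Import-Module WebAdministration
if (Test-Path IIS:\SslBindings\0.0.0.0!443) { Remove-Item IIS:\SslBindings\0.0.0.0!443 }
New-Item IIS:\SslBindings\0.0.0.0!443 -Value $cert | Out-Null
& iisreset | Out-Null
if (-not $IsProxy) { Restart-Service adfssrv }

# --- Verification ---------------------------------------------------------------
# 1. HTTP.SYS really serves the new thumbprint on 443.
$binding = (& netsh http show sslcert ipport=0.0.0.0:443) | Out-String
if ($binding -notmatch $thumb) { throw "443 binding does not use $thumb" }

# 2. On federation servers, flag any AD FS certificate entry still on an old cert.
if (-not $IsProxy) {
    Get-ADFSCertificate | Where-Object { $_.Thumbprint -ne $thumb } | ForEach-Object {
        Write-Warning "$($_.CertificateType) still lists $($_.Thumbprint)"
    }
}

# 3. The published metadata carries the new certificate (what relying parties see).
$metaUrl = "https://$FederationFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
$meta    = (New-Object Net.WebClient).DownloadString($metaUrl)
$newDer  = [Convert]::ToBase64String($cert.GetRawCertData())
if ($meta.Contains($newDer)) { 'Metadata publishes the new certificate' }
else { Write-Warning 'Metadata does not yet include the new certificate' }
```

The private-key permission step relies on the key being a CSP key (which is what a CSR created in IIS or the Certificates snap-in produces); for a CNG key $cert.PrivateKey is null and the Manage Private Keys dialog is the fallback. The metadata check is the same thing a relying party sees when it refreshes your metadata URL, so a warning there means Step 5 is not yet safe to announce.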
I hope this helps a lot of AD FS admins.

Expert Comment

Hi Amit, thanks for posting your article, would like to recommend small update to include mention that these instructions relate to AD FS 2.0 (I don't see it mentioned). 2012R2 no longer uses IIS or the same kind of ADFS proxies. Thank you for sharing, this is one of those technologies that often floats into "I don't want to know" territory (a little like PKI) for many sysadmins. Cheers! Alicia.

Author Comment

I updated the title. Hope that will be helpful. Thanks for reading my article.

Expert Comment

by: Dimitar Atanasov
Very useful indeed, thank you very much for your efforts to create this detailed guide.

Author Comment

Thanks for appreciating my efforts.
