

How to renew or replace SSL Certificate on ADFS 2.0 Servers.

If you need my quick help, raise the ticket with highest priority.
Recently, I got the chance to renew certificates on Active Directory Federation Services (ADFS) servers. I read a lot of articles, but doing it in production is totally different. Hence, I am sharing all the steps I performed to successfully renew/replace the Service Communications, Token-Signing and Token-Decrypting certificates.

I had four ADFS servers: two ADFS proxies in the DMZ and two ADFS main servers in a farm with a SQL back-end database.

Step 1. Request a new certificate.
  • Generate a new certificate request with the same private key from the primary ADFS server in your farm. You can use IIS or the Certificates snap-in to generate the certificate request.

    Note: You also need the root and intermediate certificates.
Step 2. Import the new certificate into the certificate store.
  • Import the new certificate, with its private key, into the certificate store on the primary ADFS server.
  • Launch MMC > File > Add/Remove Snap-in > Certificates > Add > Computer Account > Local Computer > Finish.
  • Browse to the Personal store and import the certificate.
  • Right-click the new certificate > All Tasks > Manage Private Keys > add the ADFS service account > grant Read permission.
  • Browse to the Intermediate Certification Authorities store and import the intermediate certificate.
  • Browse to Trusted Root Certification Authorities and import the root certificate.
  • Now export the certificate with its private key and import it on the other ADFS servers.

    Note: Make sure to add the service account permission on all ADFS servers. This is not required on the ADFS proxies.
Step 3. Apply the new certificate in the ADFS snap-in.
  • Log in to the primary ADFS server.
  • Launch the ADFS snap-in and browse to Service > Certificates.
  • Under Certificates, change the Service Communications, Token-Decrypting and Token-Signing certificates to the new certificate.
  • Set the new certificate as primary by right-clicking it. You need to do this only for Token-Decrypting and Token-Signing.
  • Restart the ADFS service on the primary ADFS server and then on all other ADFS servers.

    Note: You need to change the certificates on the primary ADFS server only; the remaining servers sync automatically. No action is required on the other ADFS servers, including the ADFS proxies.
Step 4. Change the certificate binding in IIS.
  • Launch the IIS snap-in on each ADFS server, one by one.
  • Right-click Default Web Site and select Edit Bindings.
  • Select HTTPS/443 and click Edit > select the new certificate > click OK.
  • Close IIS and launch CMD as administrator.
  • Type IISReset and press Enter.
  • Repeat the above steps on all ADFS servers.
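The store import, private-key permission, ADFS certificate switch and IIS rebinding from Steps 2 to 4, as an added PowerShell example that is not part of the original article. The PFX path, the service account name and the `-IsPrimaryAdfsServer` switch are assumed placeholders; the script relies on the ADFS 2.0 PowerShell snap-in (`Microsoft.Adfs.PowerShell`) and the IIS `WebAdministration` module, and uses `X509Store` rather than `Import-PfxCertificate` so it also works on Windows Server 2008 R2. Run it with the switch on the primary server, without it on the other farm members, and on the proxies only the import and IIS parts apply.

```powershell
# Added example (not from the article): scripted Steps 2-4 for an ADFS 2.0 farm member.
# Placeholders: $PfxPath, $ServiceAccount. Run in an elevated PowerShell session.
param(
    [string]$PfxPath        = 'C:\certs\adfs-new.pfx',   # placeholder
    [string]$ServiceAccount = 'CONTOSO\svc_adfs',        # placeholder
    [switch]$IsPrimaryAdfsServer                         # Step 3 runs only here
)

# Prompt for the PFX password instead of embedding it in the script.
$securePwd = Read-Host 'PFX password' -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

# Step 2: import the certificate with its private key into LocalMachine\My.
# MachineKeySet + PersistKeySet stores the key in the machine CAPI container so the
# service account (not just the importing admin) can be granted access to it.
$flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'
$cert  = New-Object -TypeName Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $plain, $flags
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$store = New-Object -TypeName Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
$thumb = $cert.Thumbprint
Write-Host "Imported $($cert.Subject) ($thumb), valid until $($cert.NotAfter)"

# Step 2 (Manage Private Keys): grant the ADFS service account Read on the CAPI key
# container file. Without it the service cannot sign or decrypt tokens after the switch.
# (CspKeyContainerInfo is only populated for CAPI RSA keys, the normal case on 2008 R2.)
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
& icacls $keyFile /grant "${ServiceAccount}:R" | Out-Null

# Step 3: on the primary server only. Service-Communications is a straight swap; the
# token certificates are added first and then promoted to primary.
if ($IsPrimaryAdfsServer) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
    # Caveat: with AutoCertificateRollover enabled, ADFS refuses manual changes to the
    # token certificates, so check the property before trying.
    if ((Get-ADFSProperties).AutoCertificateRolloverEnabled) {
        throw 'AutoCertificateRollover is enabled; disable it before managing token certificates manually.'
    }
    Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $thumb
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        Add-ADFSCertificate -CertificateType $type -Thumbprint $thumb
        Set-ADFSCertificate -CertificateType $type -Thumbprint $thumb -IsPrimary
    }
}

# Restart the ADFS 2.0 service (adfssrv) wherever it is installed, primary first.
Get-Service adfssrv -ErrorAction SilentlyContinue | Restart-Service

# Step 4: point the IIS HTTPS binding on port 443 at the new certificate and reset IIS.
Import-Module WebAdministration
$binding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $binding) { Remove-Item $binding }
New-Item $binding -Value $cert | Out-Null
& iisreset | Out-Null
```

The order matters: the key permission is granted before the ADFS switch so the service never holds a certificate it cannot use, and the IIS rebinding comes last so the endpoint only starts presenting the new certificate once the service side is consistent.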
Step 5. Send the certificate update to the relying parties.
  • If a relying party uses the metadata URL, ask them to refresh it.
  • If a relying party uses the SSL certificate itself, send them the new certificate.

    Note: You need to communicate with the relying parties well in advance, and the change needs to be performed at the same time at both your end and the RP end. Failing to do so will lead to an application outage.
Step 6. Post-implementation test.
  • As the ADFS admin, use the IdP-initiated sign-on URL to test.
  • Ask the relying party vendors and application owners to test as well, using the SP-provided URL.
I hope this will help a lot of ADFS admins.
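A post-change check for Steps 5 and 6, as an added PowerShell example that is not part of the original article: it confirms that the primary certificate of each type in ADFS is the one you intended, that the HTTPS endpoint is presenting it, and that the federation metadata relying parties will download advertises the new signing certificate. `$ExpectedThumbprint` and `$FederationHost` are assumed placeholders; the metadata path is the standard ADFS 2.0 one.

```powershell
# Added example (not from the article): verify the ADFS 2.0 certificate switch end to end.
# Placeholders: $ExpectedThumbprint (thumbprint of the new certificate), $FederationHost.
param(
    [string]$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',  # placeholder
    [string]$FederationHost     = 'adfs.contoso.com'                            # placeholder
)
$metadataUrl = "https://$FederationHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Check 1: the configured certificates in ADFS (run on a farm member).
function Test-AdfsCertificateConfig {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
    $ok = $true
    foreach ($type in 'Service-Communications', 'Token-Signing', 'Token-Decrypting') {
        $cert = Get-ADFSCertificate -CertificateType $type
        # Service-Communications has a single entry; token types can have several.
        if ($type -ne 'Service-Communications') { $cert = $cert | Where-Object { $_.IsPrimary } }
        $match = ($cert.Thumbprint -eq $ExpectedThumbprint)
        Write-Host ("{0,-24} {1}  expected={2}" -f $type, $cert.Thumbprint, $match)
        if (-not $match) { $ok = $false }
    }
    return $ok
}

# Check 2: the certificate actually served on the HTTPS endpoint (Step 4 / IIS binding).
function Get-ServedThumbprint {
    $req = [Net.HttpWebRequest]::Create($metadataUrl)
    try { $req.GetResponse().Close() } catch { }   # any response completes the TLS handshake
    $served = $req.ServicePoint.Certificate
    if ($served -eq $null) { return $null }
    (New-Object -TypeName Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $served).Thumbprint
}

# Check 3: signing certificates published in the federation metadata (what RPs refresh in Step 5).
function Get-MetadataSigningThumbprints {
    [xml]$md = (New-Object Net.WebClient).DownloadString($metadataUrl)
    $ns = New-Object Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    foreach ($node in $md.SelectNodes($xpath, $ns)) {
        $raw = [Convert]::FromBase64String($node.InnerText)
        (New-Object -TypeName Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)).Thumbprint
    }
}

$configOk  = Test-AdfsCertificateConfig
$served    = Get-ServedThumbprint
$published = @(Get-MetadataSigningThumbprints | Sort-Object -Unique)
Write-Host "Served on $FederationHost : $served  expected=$($served -eq $ExpectedThumbprint)"
Write-Host "Signing certs in metadata: $($published -join ', ')  contains expected=$($published -contains $ExpectedThumbprint)"
if (-not ($configOk -and $served -eq $ExpectedThumbprint -and $published -contains $ExpectedThumbprint)) {
    Write-Warning 'Certificate switch is incomplete on at least one of: ADFS config, IIS binding, published metadata.'
}
```

If the metadata still lists only the old signing certificate, relying parties that refresh it will keep trusting the old key, which is exactly the outage the note under Step 5 warns about; re-check Step 3 on the primary server before asking them to refresh.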

Expert Comment

Hi Amit, thanks for posting your article, would like to recommend a small update to include mention that these instructions relate to AD FS 2.0 (I don't see it mentioned). 2012R2 no longer uses IIS or the same kind of ADFS proxies. Thank you for sharing, this is one of those technologies that often floats into "I don't want to know" territory (a little like PKI) for many sysadmins. Cheers! Alicia.

Author Comment

I updated the title. Hope that will be helpful. Thanks for reading my article.

Expert Comment

by: Dimitar Atanasov
Very useful indeed, thank you very much for your efforts to create this detailed guide.

Author Comment

Thanks for appreciating my efforts.
