Skip to main content


Office 365 – Replacing the SSL Certificate in AD FS 3.0

The release of Windows Server 2012 R2 brought with it a new version of AD FS (unofficially referred to as AD FS 3.0). This version of AD FS was a deviation from previous versions in that it no longer used IIS and the “AD FS Proxy” was replaced with the “Web Application Proxy” role. In addition to some small changes such as easier customization of login pages, AD FS 3.0 added support for new features such as “Workplace Join” of devices running iOS.
Windows Server 2012 R2 was released in October 2013 and some of the earlier adopters may soon start running into SSL certificate expirations. Additionally, organizations starting to look at “Workplace Join” will find that the Device Registration Service (DRS) requires an additional SAN on their certificate (“”) which may require replacement of their existing certificate.
The process to replace your SSL certificate in AD FS 3.0 did not seem to be well documented so I’ve provided the necessary PowerShell steps to do so.

The steps below assume you’ve already properly imported the SSL certificate into the local computer’s store along with it’s primary keys and the AD FS service account has read permissions on the private keys.

Internal AD FS Server

  1. Determine the new SSL certificate’s thumbprint:
  2. Get-ChildItem -Path cert:\LocalMachine\my | FL FriendlyName, Thumbprint, Subject, NotBefore, NotAfter

  3. Run the following commands on the primary server to update the SSL certificate:
  4. Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint thumbprint

  5. Run the following commands on all servers to update:
    Set-AdfsSslCertificate -Thumbprint thumbprint

  6. Restart the AD FS services on each internal server in the farm:
  7. Restart-Service adfssrv

  8. Confirm AD FS recognizes the proper certificate:
  9. Get-AdfsCertificate

AD FS Proxy Server

  1. Run the following commands to update the SSL certificate:
  2. Set-WebApplicationProxySslCertificate -Thumbprint thumbprint

  3. Restart the AD FS services on each proxy server:
  4. Restart-Service adfssrv

Thoughts on “Office 365 – Replacing the SSL Certificate in AD FS 3.0”

  1. What is an average time it takes from start to finish on confirming the ADFS certificate, to installing it, to exporting and installing on a proxy?

  2. Darren-
    It probably takes “minutes” but if you’re scheduling downtime for a change control, I would probably go with an hour. Keep in mind if you have a load balancer, you could theoretically do this with no downtime by failing over to one node.

  3. dir Cert:\LocalMachine\My is another way to list the certificates, and it’s shorter by far 🙂
    that said, remember to check the signing and decrypting ones if you’re changing adfs’ url.

  4. Emmanuel-
    I’m not sure that “dir Cert:\LocalMachine\My” shows the thumbprint but yes, you should also check the Token-Decrypting and Token-Signing certificates if you are not using the self-signed ones.
    Thanks for the feedback!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Joe Palarchio

More from this Author

Follow Us