The release of Windows Server 2012 R2 brought with it a new version of AD FS (unofficially referred to as AD FS 3.0). This version of AD FS was a deviation from previous versions in that it no longer used IIS and the “AD FS Proxy” was replaced with the “Web Application Proxy” role. In addition to some small changes such as easier customization of login pages, AD FS 3.0 added support for new features such as “Workplace Join” of devices running iOS.
Windows Server 2012 R2 was released in October 2013 and some of the earlier adopters may soon start running into SSL certificate expirations. Additionally, organizations starting to look at “Workplace Join” will find that the Device Registration Service (DRS) requires an additional SAN on their certificate (“enterpriseregistration.company.com”) which may require replacement of their existing certificate.
The process to replace your SSL certificate in AD FS 3.0 did not seem to be well documented so I’ve provided the necessary PowerShell steps to do so.
The steps below assume you’ve already properly imported the SSL certificate into the local computer’s store along with its private key, and that the AD FS service account has read permission on the private key.
Internal AD FS Server
- Determine the new SSL certificate’s thumbprint:
    Get-ChildItem -Path cert:\LocalMachine\my | FL FriendlyName, Thumbprint, Subject, NotBefore, NotAfter
- Run the following command on the primary server to update the Service-Communications certificate:
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint thumbprint
- Run the following command on all servers in the farm to update the SSL binding:
    Set-AdfsSslCertificate -Thumbprint thumbprint
- Restart the AD FS service on each internal server in the farm:
    Restart-Service adfssrv
- Confirm AD FS recognizes the proper certificate:
    Get-AdfsCertificate
    Get-AdfsSslCertificate
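The steps above are easy to get subtly wrong: binding a certificate whose private key the service account cannot read, or one that lacks the DRS SAN, only shows up after the restart. The script below is an added example, not code from the original post; it performs those pre-flight checks on one internal farm member and then runs the same Set-AdfsCertificate / Set-AdfsSslCertificate / Restart-Service / Get-Adfs* sequence, failing loudly if AD FS does not report the new hash afterwards. The subject, service account name and DRS SAN are assumed values, and the private-key ACL check assumes an RSA CSP key (the usual case for an SChannel certificate on 2012 R2).

```powershell
# Added example (not part of the original post): pre-flight checks and replacement of the
# AD FS 3.0 SSL certificate on one internal farm member. Run in an elevated session on each
# server; add -PrimaryServer on the primary so the Service-Communications certificate is
# updated too. Subject, service account and DRS SAN are assumed values.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Subject        = 'CN=adfs.company.com',                # assumed subject of the new cert
    [string]$RequiredSan    = 'enterpriseregistration.company.com', # DRS SAN named in the post
    [string]$ServiceAccount = 'COMPANY\svc_adfs',                   # assumed AD FS service account
    [switch]$PrimaryServer
)

# 1. Pick the newest unexpired certificate for the subject that actually has a private key
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate with a private key found for '$Subject'" }
Write-Verbose "Candidate: $($cert.Thumbprint) valid until $($cert.NotAfter)"

# 2. Check the SAN list; the DRS name must be present before Workplace Join will work
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($sanText -notmatch [regex]::Escape($RequiredSan)) {
    throw "Certificate $($cert.Thumbprint) lacks the SAN '$RequiredSan' (SANs: $sanText)"
}

# 3. Check the service account can read the private key. Assumes an RSA CSP key, whose
#    container file lives under MachineKeys; CNG keys are stored elsewhere and are skipped here.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if ($keyName) {
    $keyDir  = Join-Path -Path $env:ProgramData -ChildPath 'Microsoft\Crypto\RSA\MachineKeys'
    $keyPath = Join-Path -Path $keyDir -ChildPath $keyName
    $read    = [System.Security.AccessControl.FileSystemRights]::Read
    $allowed = (Get-Acl -Path $keyPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ServiceAccount -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    if (-not $allowed) { throw "$ServiceAccount has no Read access to the private key file $keyPath" }
} else {
    Write-Warning "Private key is not a CSP key; verify the ACL manually (certlm.msc > Manage Private Keys)"
}

# 4. Bind the certificate, restart the service, and verify that AD FS reports the new hash
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Bind SSL certificate $($cert.Thumbprint)")) {
    if ($PrimaryServer) {
        Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
    }
    Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
    Restart-Service -Name adfssrv

    # Every SSL binding (one per host name and port) must now carry the new hash
    $bound = @(Get-AdfsSslCertificate | Select-Object -ExpandProperty CertificateHash -Unique)
    if ($bound.Count -ne 1 -or $bound[0] -ne $cert.Thumbprint) {
        throw "SSL bindings still report $($bound -join ', ') instead of $($cert.Thumbprint)"
    }
    if ($PrimaryServer) {
        $svc = Get-AdfsCertificate -CertificateType Service-Communications
        if ($svc.Thumbprint -ne $cert.Thumbprint) {
            throw "Service-Communications certificate is still $($svc.Thumbprint)"
        }
    }
    Write-Output "AD FS on $env:COMPUTERNAME now uses $($cert.Thumbprint) (expires $($cert.NotAfter))"
}
```

Run it first with `-WhatIf` to see the checks pass without touching the binding; the replacement only happens once the SAN and private-key checks succeed.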
AD FS Proxy Server
- Run the following command on each proxy server to update the SSL certificate:
    Set-WebApplicationProxySslCertificate -Thumbprint thumbprint
- Restart the AD FS service on each proxy server:
    Restart-Service adfssrv
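Get-AdfsSslCertificate only tells you what the local HTTP.sys bindings hold; it does not tell you what a client actually receives through the load balancer or from a Web Application Proxy. The following added example (not code from the original post) completes a TLS handshake against each host name, with that name sent as SNI, and compares the served leaf certificate's thumbprint with the one you just bound. AD FS 3.0 keeps a separate binding per host name, so the federation service name and the DRS name are checked individually. The host names and thumbprint are assumed values; the optional -ConnectTo lets you aim at a single node by address while still presenting the public name in SNI.

```powershell
# Added example (not part of the original post): verify what each AD FS / proxy endpoint serves.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # name to send as SNI and to validate
        [string]$ConnectTo,                                # node address; defaults to $HostName
        [int]$Port = 443
    )
    if (-not $ConnectTo) { $ConnectTo = $HostName }
    $client = New-Object System.Net.Sockets.TcpClient($ConnectTo, $Port)
    try {
        # Accept any chain here: we only read the presented leaf, we do not decide whether to trust it
        $noValidation = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noValidation)
        try {
            $ssl.AuthenticateAsClient($HostName)   # $HostName becomes the SNI extension
            $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                HostName   = $HostName
                ConnectTo  = $ConnectTo
                Thumbprint = $leaf.Thumbprint
                Subject    = $leaf.Subject
                NotAfter   = $leaf.NotAfter
                DaysLeft   = [int]($leaf.NotAfter - (Get-Date)).TotalDays
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Test-AdfsServedCertificate {
    param(
        [Parameter(Mandatory = $true)][string[]]$HostNames,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,
        [string]$ConnectTo,
        [int]$WarnDays = 30
    )
    $allOk = $true
    foreach ($name in $HostNames) {
        $target = if ($ConnectTo) { $ConnectTo } else { $name }
        try {
            $served = Get-ServedCertificate -HostName $name -ConnectTo $target
        } catch {
            Write-Warning "$name via ${target}: handshake failed ($($_.Exception.Message))"
            $allOk = $false
            continue
        }
        if ($served.Thumbprint -ne $ExpectedThumbprint) {
            Write-Warning "$name via ${target}: serves $($served.Thumbprint), expected $ExpectedThumbprint"
            $allOk = $false
        } elseif ($served.DaysLeft -lt $WarnDays) {
            Write-Warning "$name via ${target}: correct certificate, but it expires in $($served.DaysLeft) days"
        } else {
            Write-Output "$name via ${target}: OK ($($served.Thumbprint), $($served.DaysLeft) days left)"
        }
    }
    return $allOk
}

# Example run with assumed names and a placeholder thumbprint: the public name first (through the
# load balancer or proxy), then one specific internal node by its own address.
$names = 'adfs.company.com', 'enterpriseregistration.company.com'
Test-AdfsServedCertificate -HostNames $names -ExpectedThumbprint '<new certificate thumbprint>'
Test-AdfsServedCertificate -HostNames $names -ExpectedThumbprint '<new certificate thumbprint>' -ConnectTo 'adfs01.corp.company.com'
```

Running the second call once per farm node is the practical way to confirm that every member of the farm, not just the one the load balancer happened to pick, was updated; from outside the network the first call exercises the Web Application Proxy binding instead.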
What is an average time it takes from start to finish on confirming the ADFS certificate, to installing it, to exporting and installing on a proxy?
Darren-
It probably takes “minutes” but if you’re scheduling downtime for a change control, I would probably go with an hour. Keep in mind if you have a load balancer, you could theoretically do this with no downtime by failing over to one node.
Thanks
Joe
dir Cert:\LocalMachine\My is another way to list the certificates, and it’s shorter by far 🙂
That said, remember to check the signing and decrypting ones if you’re changing AD FS’ URL.
Emmanuel-
I’m not sure that “dir Cert:\LocalMachine\My” shows the thumbprint but yes, you should also check the Token-Decrypting and Token-Signing certificates if you are not using the self-signed ones.
Thanks for the feedback!
Joe
Thanks for this post. Worked like a charm!