The release of Windows Server 2012 R2 brought with it a new version of AD FS (unofficially referred to as AD FS 3.0). This version of AD FS was a deviation from previous versions in that it no longer used IIS and the “AD FS Proxy” was replaced with the “Web Application Proxy” role. In addition to some small changes such as easier customization of login pages, AD FS 3.0 added support for new features such as “Workplace Join” of devices running iOS.
Windows Server 2012 R2 was released in October 2013 and some of the earlier adopters may soon start running into SSL certificate expirations. Additionally, organizations starting to look at “Workplace Join” will find that the Device Registration Service (DRS) requires an additional SAN on their certificate (“enterpriseregistration.company.com”) which may require replacement of their existing certificate.
The process to replace your SSL certificate in AD FS 3.0 did not seem to be well documented so I’ve provided the necessary PowerShell steps to do so.
The steps below assume you’ve already properly imported the SSL certificate into the local computer’s store along with its private key, and that the AD FS service account has read permissions on the private key.
Internal AD FS Server
- Determine the new SSL certificate’s thumbprint:
    Get-ChildItem -Path cert:\LocalMachine\my | FL FriendlyName, Thumbprint, Subject, NotBefore, NotAfter
- Run the following command on the primary server to update the service communications certificate:
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint thumbprint
- Run the following command on all servers in the farm to update the SSL binding:
    Set-AdfsSslCertificate -Thumbprint thumbprint
- Restart the AD FS services on each internal server in the farm.
- Confirm AD FS recognizes the proper certificate.
AD FS Proxy Server
- Run the following command on each proxy server to update the SSL certificate:
    Set-WebApplicationProxySslCertificate -Thumbprint thumbprint
- Restart the AD FS services on each proxy server.
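The steps above, pulled together into one script per server role, as an added example that is not part of the original post. Before it touches AD FS it performs the checks a practitioner wants to have done in advance: that the certificate has a private key, that its chain validates on the host, that it carries the DRS SAN mentioned above, and that the AD FS service account can actually read the private key file. The service account (CONTOSO\svc_adfs), the DRS hostname (enterpriseregistration.example.com) and the Windows service names adfssrv and appproxysvc are assumptions for this example; the cmdlets themselves are the ones used in the post plus their Get- counterparts.

```powershell
<#
 Added example, not from the original post. Assumes the certificate is already
 in Cert:\LocalMachine\My with its private key, that AD FS runs as the account
 in -ServiceAccount, and that the service names are 'adfssrv' (AD FS) and
 'appproxysvc' (Web Application Proxy Service) on Windows Server 2012 R2.
#>
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [ValidateSet('Primary','Secondary','Proxy')] [string] $Role,
    [string] $ServiceAccount = 'CONTOSO\svc_adfs',           # placeholder account
    [string] $DrsSan = 'enterpriseregistration.example.com'  # placeholder DRS SAN
)

# Thumbprints copied from the MMC UI often carry spaces or hidden characters.
$Thumbprint = $Thumbprint -replace '[^0-9A-Fa-f]', ''

# 1. Locate the certificate and make sure it is usable before changing AD FS.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; re-import the PFX."
}
if (-not $cert.Verify()) {
    throw "Certificate chain does not validate on this host; install the issuing CA chain first."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); check you selected the new one."
}
if ($cert.DnsNameList.Unicode -notcontains $DrsSan) {
    Write-Warning "Certificate lacks the DRS SAN '$DrsSan'; Workplace Join will not work with it."
}

# 2. Confirm the service account has Read on the private key. For a CAPI (RSA
#    CSP) key the container is a file under MachineKeys; CNG keys expose no
#    PrivateKey object here, so the check is skipped with a warning.
if ($cert.PrivateKey -ne $null) {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    $readAce = (Get-Acl -Path $keyPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if (-not $readAce) {
        throw "$ServiceAccount has no Read right on private key file $keyPath."
    }
} else {
    Write-Warning "Private key is not a CAPI key; verify its ACL manually."
}

# 3. Apply the certificate for this server's role.
switch ($Role) {
    'Primary' {
        # Service-Communications is farm-wide configuration: set once, on the primary.
        Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint
        # The HTTP.sys SSL binding is per server, so this also runs on every node.
        Set-AdfsSslCertificate -Thumbprint $Thumbprint
        Restart-Service -Name adfssrv
    }
    'Secondary' {
        Set-AdfsSslCertificate -Thumbprint $Thumbprint
        Restart-Service -Name adfssrv
    }
    'Proxy' {
        Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint
        Restart-Service -Name adfssrv, appproxysvc
    }
}

# 4. Report what AD FS / WAP is now actually serving, so the change can be confirmed.
if ($Role -eq 'Proxy') {
    Get-WebApplicationProxySslCertificate
} else {
    Get-AdfsSslCertificate
    Get-AdfsCertificate -CertificateType Service-Communications |
        Format-List CertificateType, Thumbprint, IsPrimary
}
```

Run it once on the primary with -Role Primary, once on each secondary with -Role Secondary, and once on each proxy with -Role Proxy, passing the same thumbprint each time. The private key ACL check is deliberately a hard stop: a certificate AD FS cannot read is the most common reason the service fails to start after a certificate swap, and it is far easier to fix before the old certificate has been unbound.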