
Office 365 – Replacing the SSL Certificate in AD FS 3.0

The release of Windows Server 2012 R2 brought with it a new version of AD FS (unofficially referred to as AD FS 3.0). This version of AD FS was a deviation from previous versions in that it no longer used IIS and the “AD FS Proxy” was replaced with the “Web Application Proxy” role. In addition to some small changes such as easier customization of login pages, AD FS 3.0 added support for new features such as “Workplace Join” of devices running iOS.

Windows Server 2012 R2 was released in October 2013 and some of the earlier adopters may soon start running into SSL certificate expirations. Additionally, organizations starting to look at “Workplace Join” will find that the Device Registration Service (DRS) requires an additional SAN on their certificate (“”) which may require replacement of their existing certificate.

The process to replace your SSL certificate in AD FS 3.0 did not seem to be well documented so I’ve provided the necessary PowerShell steps to do so.

The steps below assume you’ve already properly imported the SSL certificate into the local computer’s store along with its private key and that the AD FS service account has read permissions on the private key.

Internal AD FS Server

  1. Determine the new SSL certificate’s thumbprint:
    Get-ChildItem -Path cert:\LocalMachine\my | FL FriendlyName, Thumbprint, Subject, NotBefore, NotAfter

  2. Run the following commands on the primary server to update the SSL certificate:
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint thumbprint

  3. Run the following commands on all servers to update:
    Set-AdfsSslCertificate -Thumbprint thumbprint

  4. Restart the AD FS services on each internal server in the farm:
    Restart-Service adfssrv

  5. Confirm AD FS recognizes the proper certificate:
    Get-AdfsCertificate

AD FS Proxy Server

  1. Run the following commands to update the SSL certificate:
    Set-WebApplicationProxySslCertificate -Thumbprint thumbprint

  2. Restart the AD FS services on each proxy server:
    Restart-Service adfssrv
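
The checks below are an added example, not part of the original post: the first function validates the certificate in the local computer store before it is assigned, and the second confirms afterwards that an internal AD FS server is actually using it. The function names and the 30-day `MinDaysValid` default are assumptions.

```powershell
# Added example, not from the original post. Function names and the 30-day default
# are assumptions. It does not check the service account's ACL on the private key.
function Test-SslCertReady {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [int]$MinDaysValid = 30
    )
    # Strip spaces and invisible characters that ride along when a thumbprint is
    # copied from the certificate dialog; a SHA-1 thumbprint is 40 hex digits.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($tp.Length -ne 40) { throw "Expected 40 hex characters, got $($tp.Length)." }

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$tp" -ErrorAction Stop
    $now = Get-Date
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'No private key in the local computer store.' }
    if ($cert.NotBefore -gt $now) { $problems += "Not valid until $($cert.NotBefore)." }
    if ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) { $problems += "Expires $($cert.NotAfter)." }

    New-Object PSObject -Property @{
        Thumbprint = $tp
        Subject    = $cert.Subject
        DnsNames   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })  # review the SANs by eye
        NotAfter   = $cert.NotAfter
        Problems   = $problems
        Ready      = ($problems.Count -eq 0)
    }
}

function Test-AdfsNodeUsesCert {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # SSL bindings on this server (what Set-AdfsSslCertificate changes).
    $stale = @(Get-AdfsSslCertificate |
        Where-Object { $_.CertificateHash -and $_.CertificateHash -ne $Thumbprint })
    # Service communications certificate (what Set-AdfsCertificate changes).
    $svc = @(Get-AdfsCertificate -CertificateType Service-Communications)
    New-Object PSObject -Property @{
        StaleBindings       = $stale
        ServiceCommsMatches = (@($svc | Where-Object { $_.Thumbprint -eq $Thumbprint }).Count -gt 0)
    }
}

# Before assigning the certificate:  $c = Test-SslCertReady -Thumbprint '<new thumbprint>'; $c.Problems
# After restarting adfssrv:          Test-AdfsNodeUsesCert -Thumbprint $c.Thumbprint
```

Any entry in `StaleBindings` means that server is still presenting the old certificate on at least one binding.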


5 thoughts on “Office 365 – Replacing the SSL Certificate in AD FS 3.0”

  1. Joe Palarchio Post author


    I’m not sure that “dir Cert:\LocalMachine\My” shows the thumbprint but yes, you should also check the Token-Decrypting and Token-Signing certificates if you are not using the self-signed ones.

    Thanks for the feedback!


  2. dir Cert:\LocalMachine\My is another way to list the certificates, and it’s shorter by far 🙂
    That said, remember to check the signing and decrypting ones if you’re changing ADFS’ URL.

  3. Joe Palarchio Post author


    It probably takes “minutes” but if you’re scheduling downtime for a change control, I would probably go with an hour. Keep in mind if you have a load balancer, you could theoretically do this with no downtime by failing over to one node.



  4. What is an average time it takes from start to finish on confirming the ADFS certificate, to installing it, to exporting and installing on a proxy?


Perficient Microsoft Blog
