ADFSWindows Server

Renew ADFS Certificate

by antoniorennvick
Spread the love

Renewing an Active Directory Federation Services (ADFS) certificate involves multiple steps, depending on which certificate you are renewing. The impact on users depends on the type of certificate being updated.

Types of ADFS Certificates

  1. Service Communications Certificate – Used for encrypting SSL/TLS traffic (external users may be impacted if not updated properly).
  2. Token-Signing Certificate – Used to sign SAML tokens (users may face login issues if relying parties are not updated).
  3. Token-Decrypting Certificate – Used to decrypt incoming encrypted tokens.

Step-by-Step Guide to Renew ADFS Certificates

1. Renewing the Service Communications Certificate (SSL/TLS)

This is a standard SSL certificate renewal.

Steps:

  1. Obtain a new certificate from a trusted CA (internal or external).
  2. Import it into the Local Computer > Personal Certificates store on the ADFS server.
  3. In the ADFS Management Console, go to Certificates > Service Communications.
  4. Select Set Service Communications Certificate and choose the new certificate.
  5. Restart the ADFS service to apply the changes.

Minimal impact if updated correctly. However, ensure that:

  • The certificate is bound to the correct HTTPS endpoint in IIS (if applicable).
  • The Web Application Proxy (WAP) also gets the updated certificate.

2. Renewing Token-Signing and Token-Decrypting Certificates

ADFS can auto-rollover these certificates unless it’s disabled.

Check if Auto-Rollover is Enabled:

Run this command on the ADFS primary server:

powershell
Get-AdfsProperties | Select AutoCertificateRollover
  • If True → ADFS will automatically generate new certificates and update relying parties.
  • If False → You need to manually update them.

Manual Renewal Process (If Auto-Rollover is Disabled):

  1. Generate a new certificate: 
    powershell
    Update-AdfsCertificate -CertificateType Token-Signing
Update-AdfsCertificate -CertificateType Token-Decrypting
  2. Confirm new certificates are in place: 
    powershell
    Get-AdfsCertificate
  3. Update relying parties with the new certificates (if not using auto-update).
  4. Restart the ADFS service to apply the changes.

Potential Impact: If relying parties (applications like Office 365, custom apps) are not updated with the new certificates, authentication may fail.

3. Updating Relying Parties

If auto-update is disabled, manually update each relying party (RP) by:

  1. Exporting the new token-signing certificate: 
    powershell
    Export-Certificate -Cert (Get-AdfsCertificate -CertificateType Token-Signing).Certificate -FilePath C:\NewTokenSigningCert.cer
  2. Distributing the certificate to relying parties (e.g., Office 365, third-party apps).

For Office 365, run:

powershell
Update-MsolFederatedDomain -DomainName yourdomain.com

If relying parties update automatically, no disruption occurs.

Will There Be a Service Disruption?

  • Service Communications Certificate: Minimal disruption if updated properly.
  • Token-Signing Certificate: Possible authentication failures if relying parties aren’t updated.
  • Token-Decrypting Certificate: Only affects encrypted tokens; most environments won’t notice an issue.

Best Practices to Avoid Disruption

  • Schedule updates during off-peak hours.
  • Ensure auto-rollover is enabled (for token-signing and decrypting certificates).
  • Test in a staging environment before applying to production.
  • Notify relying party admins (especially for third-party applications).

Final Checklist

✅ New certificate installed on all ADFS servers
✅ ADFS service restarted if needed
✅ WAP servers updated (if applicable)
✅ Relying parties updated (if manual update is required)
✅ Federation trust with Office 365 updated (if applicable)

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *