Deploy or update an SSL certificate on AD FS servers and AD FS proxy servers
This article describes how to deploy or update the SSL certificate (which is usually also used as the Service communications certificate) on Active Directory Federation Services servers (AD FS servers and AD FS proxy servers). AD FS is widely used to provide users with Single Sign-On (SSO) access to supported systems and applications.
Prerequisites:
- Access to the AD FS server(s)
- Access to the AD FS proxy server(s)
- A Domain Admin account (or another account that is a local administrator on all of these servers and an AD FS administrator)
- The new SSL certificate together with its private key (for example a .pfx file) and the intermediate CA certificate(s) of its chain
Import new SSL certificate
First, import the new SSL certificate and, if applicable, all intermediate certificate(s) of its chain. This has to be done on every server in the AD FS farm and on every AD FS proxy server. Import into the Local Computer store, not the Current User store: AD FS and the proxy service run under service accounts and only read the machine stores. The private key must be imported together with the certificate on each server.
Import Wizard
The easiest way to import a new SSL certificate is to double-click the certificate file; the Certificate Import Wizard opens. The procedure:
The example here uses the PKCS #12 file format (.pfx extension), which bundles the certificate and its private key and is normally protected by a password. On the Store Location page choose Local Machine, not Current User.
Enter the password for the .pfx file if it has one. Leave "Mark this key as exportable" unchecked unless you really need to export the key from this server again later; a non-exportable key is harder to steal from a compromised server.
Select the certificate store. Choose Personal for the server certificate itself. Trusted Root Certification Authorities and Intermediate Certification Authorities are intended for root and intermediate certificates respectively; do not put an intermediate certificate into Trusted Root, as that would make it a trust anchor on the server.
Microsoft Management Console
Here is the procedure for importing an SSL certificate using the Microsoft Management Console. Skip this step if you already successfully imported the new certificate(s).
Run mmc.exe, choose File -> Add/Remove Snap-in, add Certificates, select Computer account and Local computer. Expand Certificates (Local Computer) -> Personal, right-click Certificates and choose All Tasks -> Import, then proceed with the Import Wizard as described in the previous section. Import intermediate certificates the same way under Intermediate Certification Authorities.
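For a farm with several servers, the import is easier to repeat reliably from PowerShell than from the wizard. The following is an added example and not part of the original article; the file paths are assumptions and must be replaced with your own. It imports the .pfx and the intermediate certificate into the Local Computer stores and then checks the two things that most often go wrong: the private key is missing, or the chain does not build because an intermediate was not imported.

```powershell
# Added example (not from the original article): scripted import of the new SSL
# certificate and its intermediate CA certificate into the Local Computer stores.
# Run in an elevated PowerShell on every AD FS server and every AD FS proxy server.
$PfxPath          = 'C:\certs\sts.contoso.com.pfx'   # assumption: new certificate + private key
$IntermediatePath = 'C:\certs\issuing-ca.cer'        # assumption: intermediate CA certificate

# Prompt for the .pfx password instead of hard-coding it in the script.
$PfxPassword = Read-Host -Prompt 'Password for .pfx' -AsSecureString

# Import into the machine Personal store (Cert:\LocalMachine\My). Without -Exportable
# the private key is stored as non-exportable, which is what you want on a server.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $PfxPassword

# Intermediate CA certificates belong in Intermediate Certification Authorities (Cert:\LocalMachine\CA).
if (Test-Path $IntermediatePath) {
    Import-Certificate -FilePath $IntermediatePath -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
}

# Check 1: the private key arrived with the certificate; AD FS cannot use a bare public certificate.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key; re-export the .pfx with the key."
}

# Check 2: the full chain builds on this machine. If it does not, clients will see chain errors
# after the switch, because the server cannot send intermediates it does not have.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps the check offline; use Online when CRL/OCSP is reachable
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain does not build for $($cert.Subject): $status"
}

"Imported {0}`n  Thumbprint: {1}`n  Valid:      {2:u} to {3:u}`n  Chain:      {4} certificate(s)" -f `
    $cert.Subject, $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter, $chain.ChainElements.Count
```

The printed thumbprint is the value used in the Set-Adfs* and Set-WebApplicationProxy* commands below, so keep it at hand.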
AD FS servers
Launch the AD FS Management console
Navigate to AD FS -> Service -> Certificates to see which certificate needs to be replaced; the Service communications entry shows the current certificate and its expiry date (in the original example it was about to expire).
Start a PowerShell console as administrator
Optionally, record the thumbprint of the certificate currently in use (assuming the same certificate serves as both the SSL and the Service communications certificate) with one of the following two commands, so the change can be reverted if needed. Otherwise, skip this step.
Get-AdfsSslCertificate
Get-AdfsCertificate -CertificateType Service-Communications
Find the thumbprint of the new certificate. Pay attention: several certificates may share the same Subject (the old one and the new one), so use Subject, NotBefore and NotAfter to identify which certificate is the new one, and confirm that it has a private key (HasPrivateKey). Note its Thumbprint.
Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object FriendlyName, Thumbprint, Subject, NotBefore, NotAfter, HasPrivateKey
Replace the existing certificate. Set-AdfsSslCertificate updates the HTTP.sys bindings; on AD FS 2012 R2 run it on every AD FS server, on AD FS 2016 and later running it on the primary server updates all nodes. Set-AdfsCertificate writes to the configuration database and must be run on the primary AD FS server. The AD FS service account needs read access to the private key of the new certificate (certlm.msc -> right-click the certificate -> All Tasks -> Manage Private Keys). The thumbprint below is the article's example value; substitute your own.
Set-AdfsSslCertificate -Thumbprint 4D309F2BDE5D6DEA44D000099993E690CE69CDFDF
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint 4D309F2BDE5D6DEA44D000099993E690CE69CDFDF
Restart the AD FS service (adfssrv) on each AD FS server so the new binding takes effect.
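The steps above, combined into one script with the checks a practitioner wants before and after the switch. This is an added example, not code from the original article; the federation service FQDN is an assumption and must be replaced. It records the current bindings for rollback, selects the newest certificate with a private key for the service name, grants the AD FS service account read access to that key, performs the switch, and then verifies the result both through the AD FS cmdlets and with a real TLS handshake against the local node.

```powershell
# Added example (not from the original article): switch an AD FS server to the new
# certificate and verify the result. Run in an elevated PowerShell on the primary
# AD FS server (Set-AdfsCertificate must run there).
$Fqdn = 'sts.contoso.com'   # assumption: your federation service FQDN (subject of the certificate)

# 1) Record what is bound now, so the change can be reverted with the same cmdlets.
$oldSsl = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $Fqdn -and $_.PortNumber -eq 443 } | Select-Object -First 1
$oldSvc = Get-AdfsCertificate -CertificateType Service-Communications
"Current SSL binding:   {0}" -f $oldSsl.CertificateHash
"Current Service-Comms: {0} (expires {1:u})" -f $oldSvc.Thumbprint, $oldSvc.Certificate.NotAfter

# 2) Pick the new certificate. Several certificates can share the subject (old and renewed),
#    so take the one that has a private key and the latest NotAfter.
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "No certificate with a private key for $Fqdn in LocalMachine\My" }
if ($new.NotAfter -lt (Get-Date).AddDays(30)) { throw "Newest certificate $($new.Thumbprint) already expires $($new.NotAfter); refusing to bind it" }
if ($new.Thumbprint -eq $oldSsl.CertificateHash) { throw "Newest certificate $($new.Thumbprint) is already bound" }

# 3) Give the AD FS service account read access to the private key file. AD FS reads the
#    Service communications key itself, and a missing ACL only shows up after the restart.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($new)
$keyFile = $null
if ($rsa -is [System.Security.Cryptography.RSACng]) {                      # CNG key (KSP)
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { # legacy CAPI key (CSP)
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if ($keyFile -and (Test-Path $keyFile)) {
    $acl  = Get-Acl -Path $keyFile
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($svcAccount, 'Read', 'Allow')))
    Set-Acl -Path $keyFile -AclObject $acl
} else {
    Write-Warning "Private key file not found; grant '$svcAccount' Read via certlm.msc -> All Tasks -> Manage Private Keys"
}

# 4) Bind the new certificate and restart the service so the new binding takes effect.
Set-AdfsSslCertificate -Thumbprint $new.Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $new.Thumbprint
Restart-Service adfssrv

# 5) Verify from the inside: every SSL binding and the Service communications role carry the new thumbprint.
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $new.Thumbprint }
if ($stale) { $stale | Format-Table HostName, PortNumber, CertificateHash; Write-Warning 'Some SSL bindings still use the old certificate' }
if ((Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint -ne $new.Thumbprint) {
    throw 'Service communications certificate was not updated'
}

# 6) Verify from the outside: a TLS handshake against this node, with SNI set to the service name,
#    must present the new certificate. Validation is bypassed only because we compare the thumbprint ourselves.
$tcp = New-Object System.Net.Sockets.TcpClient('localhost', 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
try {
    $ssl.AuthenticateAsClient($Fqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $ssl.Dispose(); $tcp.Dispose() }
if ($served.Thumbprint -ne $new.Thumbprint) { throw "Server presented $($served.Thumbprint), expected $($new.Thumbprint)" }
"OK: $Fqdn now serves $($new.Thumbprint), valid until $($new.NotAfter.ToString('u'))"
```

To roll back, run the two Set-Adfs* cmdlets again with the thumbprint printed in step 1 and restart adfssrv. On AD FS 2012 R2, repeat steps 3, 4 (Set-AdfsSslCertificate only) and 6 on every other node of the farm.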
AD FS Proxy
Start a PowerShell console as administrator
Optionally, record the thumbprint of the SSL certificate currently bound on the proxy with the following command, so the change can be reverted if needed. Otherwise, skip it.
Get-WebApplicationProxySslCertificate
Replace the existing certificate. Run this on every AD FS proxy server. The proxy must also trust the chain of the new certificate presented by the AD FS servers, otherwise the proxy's own connections to the federation service fail certificate validation, so make sure the intermediate certificate(s) were imported on the proxy as well.
Set-WebApplicationProxySslCertificate -Thumbprint "4D309F2BDE5D6DEA44D000099993E690CE69CDFDF"
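The proxy side of the procedure as one script, added here as an example that is not part of the original article; the federation service FQDN is an assumption. Besides binding the new certificate, it does the check that is specific to the proxy: before changing anything it opens a TLS connection to the federation servers with normal certificate validation, so an untrusted new chain on the AD FS side is caught here rather than by users.

```powershell
# Added example (not from the original article): switch an AD FS proxy (Web Application
# Proxy) to the new certificate and confirm the proxy still trusts the federation servers.
# Run in an elevated PowerShell on every proxy server.
$Fqdn = 'sts.contoso.com'   # assumption: your federation service FQDN

# 1) Current binding, kept for rollback.
$old = Get-WebApplicationProxySslCertificate | Where-Object { $_.HostName -eq $Fqdn -and $_.PortNumber -eq 443 } | Select-Object -First 1
"Current proxy SSL binding: {0}" -f $old.CertificateHash

# 2) Newest certificate for the service name that has a private key (same selection as on the AD FS servers).
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "No certificate with a private key for $Fqdn in LocalMachine\My" }

# 3) Before touching the proxy, confirm it trusts the chain the federation servers now present.
#    The proxy resolves $Fqdn to the AD FS servers (hosts file or internal DNS), exactly as the
#    proxy service does. No validation callback is supplied, so AuthenticateAsClient throws if
#    the new chain (for example a missing intermediate) is not trusted on this proxy.
$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Fqdn)
    $backend = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Federation servers present {0} (expires {1:u}); chain trusted by this proxy" -f $backend.Thumbprint, $backend.NotAfter
} finally { $ssl.Dispose(); $tcp.Dispose() }

# 4) Bind the new certificate on the proxy and verify that every binding carries it.
Set-WebApplicationProxySslCertificate -Thumbprint $new.Thumbprint
$stale = Get-WebApplicationProxySslCertificate | Where-Object { $_.CertificateHash -ne $new.Thumbprint }
if ($stale) {
    $stale | Format-Table HostName, PortNumber, CertificateHash
    Write-Warning 'Some proxy bindings still use the old certificate'
} else {
    "OK: proxy bindings now use $($new.Thumbprint), valid until $($new.NotAfter.ToString('u'))"
}
```

If step 3 throws, fix the trust on the proxy (usually by importing the missing intermediate certificate as described above) before continuing; binding the proxy's own certificate does not help while the proxy cannot validate the federation servers.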