Hi Guys, ADFS service comprises of certificates which serve different purposes for federation service. In this blog post, I will share a brief description of these certificates, their purpose and will discuss renewal process of service communication certificate.
Type of ADFS Certificates and their purpose
Service Communication certificate
By comparison, this certificate is very similar to IIS certificate used to secure a website. It is generally issued by a trusted CA authority and can be either SAN or wild card certificate. This certificate is installed an all ADFS servers in the farm and update procedure should be done on primary ADFS server. Below is the list of steps involved in renewal.
- Generate CSR from primary ADFs server. This can be done via IIS.
- Once the certificate is issued, add new certificate in Certificate store.
- Verify Private Key on the certificate. Make sure the new certificate has the private key.
- Assign Permissions to the Private Key for ADFS service account. Right click on the certificate, click manage private keys, add ADFS service account and assign permissions as shown in below screenshot
- From ADFS console select “Set Service Communication Certificate”
- Select new certificate from prompted list of certificates.
- Run Get-AdfsSslCertificate. Make a note of the thumbprint of the new certificate.
- If it’s unclear which certificate is new, open MMC snapin, locate the new certificate and scroll down in the list of properties to see the thumbprint.
- Restart the ADFS service
- Copy and import the new certificate to the Web Application Proxy/Proxies
- On each wap server run following cmdlet.
That’s it you are all done. You can verify that a new certificate has been assigned to ADFS service by executing Run Get-AdfsSslCertificate. Another verification step would be to open the browser and navigate to the federation page. Here you should be able to see the new certificate in the browser. I will further discuss encryption and signing the certificate renewal process in upcoming blogs.