Hi Guys, the ADFS service relies on several certificates, each serving a different purpose for the federation service. In this blog post I will give a brief description of these certificates and their purpose, and then walk through the renewal process for the service communication certificate.
Types of ADFS certificates and their purpose
| Certificate | Description | Purpose |
|---|---|---|
| Service Communication certificate | Standard Secure Sockets Layer (SSL) certificate that is used for securing communications between federation servers, clients, Web Application Proxy, and federation server proxy computers. | Ensures the identity of a remote computer; proves your identity to a remote computer |
| Encryption certificates | | Token decryption |
| Signing certificates | Standard X.509 certificate that is used for securely signing all tokens | Token signing |
Service Communication certificate
This certificate is very similar to the IIS certificate used to secure a website. It is generally issued by a trusted CA and can be either a SAN or a wildcard certificate. It is installed on all ADFS servers in the farm, but the update procedure must be carried out on the primary ADFS server. Below is the list of steps involved in renewal.
- Generate a CSR from the primary ADFS server. This can be done via IIS.
- Once the certificate is issued, add the new certificate to the certificate store.
- Verify the private key on the certificate. Make sure the new certificate has its private key.
- Assign permissions on the private key to the ADFS service account. Right-click the certificate, click Manage Private Keys, add the ADFS service account and assign permissions as shown in the screenshot below.
- From the ADFS console select “Set Service Communication Certificate”.
- Select the new certificate from the prompted list of certificates.
- Run Get-AdfsSslCertificate. Make a note of the thumbprint of the new certificate.
- If it’s unclear which certificate is new, open the MMC snap-in, locate the new certificate and scroll down in the list of properties to see the thumbprint.
- Restart the ADFS service.
- Copy and import the new certificate to the Web Application Proxy/Proxies.
- On each WAP server run the following cmdlet.
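The same renewal steps, scripted in PowerShell, as an added example that is not part of the original post. It assumes the new certificate has already been imported into the local machine's Personal store, that the subject name and the ADFS service account are the placeholders shown, and that the farm runs AD FS on Windows Server 2012 R2 or later (where Set-AdfsSslCertificate and Set-WebApplicationProxySslCertificate exist; the WAP cmdlet is my assumption of the one the post refers to). The final check does what the browser check does: it connects to the federation endpoint and compares the thumbprint actually served with the one you just set.

```powershell
# Added example, not the original post's code. Run on the primary ADFS server
# as an administrator; the WAP part runs on each Web Application Proxy.
$SubjectName    = 'CN=sts.contoso.com'   # placeholder: subject of the new certificate
$ServiceAccount = 'CONTOSO\svc_adfs'     # placeholder: ADFS service account
$FederationHost = 'sts.contoso.com'      # placeholder: federation service FQDN

# 1. Locate the new certificate and confirm it carries its private key
#    (the newest by expiry, so an older cert with the same subject is skipped).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $SubjectName" }
$thumb = $cert.Thumbprint
Write-Host "New certificate thumbprint: $thumb (expires $($cert.NotAfter))"

# 2. Grant the service account Read on the private key file. This is the
#    scripted form of "Manage Private Keys". Legacy CSP keys live under
#    RSA\MachineKeys; CNG keys live under Crypto\Keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
icacls $keyFile /grant "$($ServiceAccount):R" | Out-Null

# 3. Set the service communication certificate and the HTTPS binding, then
#    restart the ADFS service so the new binding is picked up.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb
Set-AdfsSslCertificate -Thumbprint $thumb
Restart-Service adfssrv

# 4. Confirm what ADFS now binds (the Get-AdfsSslCertificate step above).
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash

# 5. On each WAP server, after importing the same PFX into LocalMachine\My:
#    Set-WebApplicationProxySslCertificate -Thumbprint $thumb
#    Restart-Service appproxysvc

# 6. End-to-end check: read the certificate the endpoint actually serves and
#    compare it with the thumbprint just configured.
function Get-ServedCertThumbprint {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Validation callback returns $true only so we can inspect the served cert;
    # we compare thumbprints explicitly below instead of trusting it.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($HostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $tcp.Close()
    return $served.Thumbprint
}
$servedThumb = Get-ServedCertThumbprint -HostName $FederationHost
if ($servedThumb -eq $thumb) {
    Write-Host "OK: $FederationHost is serving the new certificate ($thumb)"
} else {
    Write-Warning "MISMATCH: $FederationHost serves $servedThumb, expected $thumb"
}
```

Run step 6 against the federation FQDN from a client on each path (internal, and through the WAP from outside) so a proxy still holding the old certificate shows up as a mismatch rather than an unexplained browser warning.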
That’s it, you are all done. You can verify that the new certificate has been assigned to the ADFS service by running Get-AdfsSslCertificate. Another verification step is to open a browser and navigate to the federation page, where you should see the new certificate in the browser. I will discuss the encryption and signing certificate renewal process in upcoming blogs.