Hi Guys, the ADFS service relies on several certificates, each serving a different purpose for the federation service. In this blog post I will give a brief description of these certificates and their purpose, and then walk through the renewal process for the service communication certificate.
 
Type of ADFS Certificates and their purpose

Service communication certificate
  Description: Standard Secure Sockets Layer (SSL) certificate that is used for securing communications between federation servers, clients, Web Application Proxy, and federation server proxy computers.
  Purpose: Ensures the identity of a remote computer; proves your identity to a remote computer.

Encryption certificate
  Purpose: Token decryption.

Signing certificate
  Description: Standard X.509 certificate that is used for securely signing all tokens.
  Purpose: Token signing.

Renewal Steps
Service Communication certificate
This certificate is very similar to the IIS certificate used to secure a website. It is generally issued by a trusted CA and can be either a SAN or a wildcard certificate. The certificate is installed on all ADFS servers in the farm, and the update procedure should be carried out on the primary ADFS server. Below is the list of steps involved in the renewal.
 

  1. Generate a CSR from the primary ADFS server. This can be done via IIS.
  2. Once the certificate is issued, add the new certificate to the certificate store.
  3. Verify the private key on the certificate. Make sure the new certificate has the private key.
  4. Assign permissions on the private key to the ADFS service account. Right-click the certificate, click Manage Private Keys, add the ADFS service account and assign permissions as shown in the screenshot below.

  [Screenshot: private key permissions for the ADFS service account]

  5. From the ADFS console select "Set Service Communication Certificate".
  6. Select the new certificate from the prompted list of certificates.
  7. Run Get-AdfsSslCertificate. Make a note of the thumbprint of the new certificate.
  8. If it's unclear which certificate is new, open the MMC snap-in, locate the new certificate and scroll down in the list of properties to see the thumbprint.
  9. Run
  10. Restart the ADFS service.
  11. Copy and import the new certificate to the Web Application Proxy/Proxies.
  12. On each WAP server run the following cmdlet.

That's it, you are all done. You can verify that the new certificate has been assigned to the ADFS service by running Get-AdfsSslCertificate. Another verification step is to open a browser and navigate to the federation page, where you should see the new certificate presented by the browser. I will discuss the encryption and signing certificate renewal process in upcoming blogs.
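The renewal steps above as one PowerShell script, added here as an example (this is not code from the original post). It checks the new certificate and its private key, binds it with Set-AdfsSslCertificate, sets it as the service communication certificate with Set-AdfsCertificate -CertificateType Service-Communications (the cmdlet equivalent of the "Set Service Communication Certificate" console action), restarts the service and then confirms what the endpoint actually presents on port 443, which is the scripted form of the browser check above. With the -WebApplicationProxy switch it performs the WAP step instead. The cmdlet names come from the ADFS and WebApplicationProxy modules; the -WebApplicationProxy switch, the host name sts.example.com and the Get-ServedCertificateThumbprint helper are assumptions made for this example.

```powershell
<#
Added example, not the post's own code. Assumes: runs elevated on an ADFS server
(or a WAP server with -WebApplicationProxy); the new certificate is already
imported into LocalMachine\My with its private key; the ADFS service account
has been granted access to the private key in the certificate MMC (step 4).
The federation service name is a placeholder.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$Thumbprint,             # noted from Get-AdfsSslCertificate / MMC
    [string]$FederationServiceName = 'sts.example.com',     # placeholder, not a real farm
    [switch]$WebApplicationProxy                            # assumed switch: run the WAP variant
)

# Thumbprints copied from the MMC often carry spaces or a hidden leading character.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Step 3: the certificate must be in the machine store and must carry its private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; re-import it with the key." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter); is this really the new one?" }
Write-Host "Using $($cert.Subject), valid until $($cert.NotAfter)"

# Helper written for this example: returns the thumbprint a TLS endpoint presents.
# Chain validation is bypassed on purpose because the result is compared below
# against a thumbprint we already know.
function Get-ServedCertificateThumbprint {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $served.Thumbprint
    } finally {
        $client.Close()
    }
}

if ($WebApplicationProxy) {
    # Step 12: on each WAP server only the proxy's SSL binding changes.
    Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint
    $bound = (Get-WebApplicationProxySslCertificate | Select-Object -First 1).CertificateHash
} else {
    # Record the current binding, switch it, set the service communication
    # certificate (primary server) and restart the service (step 10).
    Get-AdfsSslCertificate | ForEach-Object {
        Write-Host "Before: $($_.HostName):$($_.PortNumber) -> $($_.CertificateHash)"
    }
    Set-AdfsSslCertificate -Thumbprint $Thumbprint
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint
    Restart-Service -Name adfssrv
    $bound = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
    $svc   = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
    if ($svc -ne $Thumbprint) { throw "Service-Communications certificate is $svc, expected $Thumbprint" }
}

if ($bound -ne $Thumbprint) { throw "SSL binding shows $bound, expected $Thumbprint" }

# Final check: what does the federation endpoint really serve?
$served = Get-ServedCertificateThumbprint -HostName $FederationServiceName
if ($served -ne $Thumbprint) { throw "$FederationServiceName still serves $served, expected $Thumbprint" }
Write-Host "Renewal verified: $FederationServiceName presents $Thumbprint"
```

Run it once on the primary ADFS server with the thumbprint noted in step 7, then on each WAP server with -WebApplicationProxy after the certificate has been imported there. The endpoint check at the end is what catches the common failure where the binding command succeeds but the old certificate is still served because the service was not restarted or a proxy in front still holds the old one.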
 
 

3 Comments

  1. Can I replace the Server Communication certificate without having to do anything with the Token decryption and Token signing certificates? Do I need to do anything with relying parties if I’m only replacing the Server Communication certificate? Thank you.

  2. Did you ever get an answer to this? Do we need to rebuild RPTs if we replace the Server communication Cert?

    • Hi Shane,
      No reply unfortunately, however I have now completed the change for my client. I did not need to rebuild or do anything with relying parties, nor did I need to do anything with the token decryption or token signing certificates.
      The steps that worked for me were:
      1. Import your new SSL certificate onto the ADFS and WAP servers. Ensure the private key is present.
      2. Grant the local DRS and ADFSSRV service accounts on the ADFS servers read permissions to the certificate. Do this in the certificate management console.
      3. Make a note of the thumbprint of the new certificate.
      4. On the ADFS servers only, run Set-AdfsSslCertificate -Thumbprint
      5. On the Primary ADFS server only, run Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint
      6. Restart the ADFS service on the ADFS servers.
      7. On the WAP servers, run Set-WebApplicationProxySslCertificate -Thumbprint
      8. No service restarts required on the WAP servers.
      9. Test the sign-in url internally and externally to confirm the new SSL certificate is now used: https://sts./adfs/ls/idpinitiatedsignon.aspx
      Hope that helps?
      Thanks,
      Dale
