How to update ADFS Certificate in Windows 2012 R2

Over the last week I had to change some certificates on a few ADFS solutions. They servers were all built with internal certificates for testing, but now need production 3rd party certificates.

The steps to change a certificate with IIS are simple, however the new ADFS no longer requires IIS.

The following process outlines the steps to change the SSL on ADFS without IIS.

First we need to have the correct SSL certificate. The SSL certificate must have the following;

Valid domain name:

The FQDN must be valid in the certificate for the ADFS site. You can use a wildcard certificate if required.

The FQDN must be valid in the certificate for the ADFS site. You can use a wildcard certificate if required.

Private Key:

ADFS need to have the private key to function correctly.

Once we have your certificate, the next step is to import it into the correct store on the machines hosting ADFS. Here I will only import the certificate into one server, this need to be done on all servers hosting ADFS.

Open a Powershell prompt with administrator rights on the ADFS server and type the following;

$mypwd = ConvertTo-SecureString “P@ssw0rd” -AsPlainText -Force

 

Import-PfxCertificate –FilePath .\$ServerCertHostName.pfx cert:\localMachine\Root -Password $mypwd

 

Example:

PS C:\Windows\system32> $mypwd = ConvertTo-SecureString “P@ssw0rd” -AsPlainText -Force

 

 

PS C:\Windows\system32> Import-PfxCertificate –FilePath .\$ServerCertHostName.pfx cert:\localMachine\Root -Password $mypwd 

 

To view the certificates installed in your server’s local store, run the following commands in the Powershell prompt. Check that your certificate is there and it has the private key.

Get-ChildItem -Path cert:\LocalMachine\my | fl -Property FriendlyName, HasPrivateKey, GetCertHashString, subject, Thumbprint, Issuer, NotAfter, NotBefore

Example:

 

FriendlyName  : Go Daddy Wild Card SSL

HasPrivateKey : True

Subject       : CN=*.domain.test, OU=Domain Control Validated

Thumbprint    : D3561AD0AD3831BE2231B97CB40AC5EF21F5C919

Issuer        : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=”GoDaddy.com, Inc.”,

                L=Scottsdale, S=Arizona, C=US

NotAfter      : 28/01/2015 5:11:40 PM

NotBefore     : 23/01/2014 9:49:03 AM

 

Next, we need to add the certificate to ADFS. On the ADFS server open a PowerShell prompt and run the following;

$CertificateFriendlyName = “Go Daddy Wild Card SSL”

$CertificateThumbprint = (Get-ChildItem -Path cert:\LocalMachine\my | Where-Object {($_.FriendlyName -eq $CertificateFriendlyName) }).Thumbprint

 Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertificateThumbprint

Set-AdfsSslCertificate -Thumbprint $CertificateThumbprint

Example:

PS C:\Windows\system32> $CertificateFriendlyName = “Go Daddy Wild Card SSL”

$CertificateThumbprint = (Get-ChildItem -Path cert:\LocalMachine\my | Where-Object {($_.FriendlyName -eq $CertificateFriendlyName) }).Thumbprint

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertificateThumbprint

 

WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server

 in the farm.

 

PS C:\Windows\system32> Set-AdfsSslCertificate -Thumbprint $CertificateThumbprint

 

 

PS C:\Windows\system32>

 

Finally, restart your ADFS service

In the PowerShell prompt type;

Restart-Service adfssrv

Get-Service adfssrv

Example:

PS C:\Windows\system32> Restart-Service adfssrv

Get-Service adfssrv

 

WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to start…

 

Status   Name               DisplayName                          

——   —-               ———–                          

Running  adfssrv            Active Directory Federation Services 

 

Once all has been completed, open a browser and try with the following URL;

https://<youradfssitefqdn>/adfs/ls/idpinitiatedsignon.aspx

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s