How to update ADFS Certificate in Windows 2012 R2

Over the last week I had to change some certificates on a few ADFS solutions. They servers were all built with internal certificates for testing, but now need production 3rd party certificates.

The steps to change a certificate with IIS are simple, however the new ADFS no longer requires IIS.

The following process outlines the steps to change the SSL on ADFS without IIS.

First we need to have the correct SSL certificate. The SSL certificate must have the following;

Valid domain name:

The FQDN must be valid in the certificate for the ADFS site. You can use a wildcard certificate if required.

The FQDN must be valid in the certificate for the ADFS site. You can use a wildcard certificate if required.

Private Key:

ADFS need to have the private key to function correctly.

Once we have your certificate, the next step is to import it into the correct store on the machines hosting ADFS. Here I will only import the certificate into one server, this need to be done on all servers hosting ADFS.

Open a Powershell prompt with administrator rights on the ADFS server and type the following;

$mypwd = ConvertTo-SecureString “P@ssw0rd” -AsPlainText -Force


Import-PfxCertificate –FilePath .\$ServerCertHostName.pfx cert:\localMachine\Root -Password $mypwd



PS C:\Windows\system32> $mypwd = ConvertTo-SecureString “P@ssw0rd” -AsPlainText -Force



PS C:\Windows\system32> Import-PfxCertificate –FilePath .\$ServerCertHostName.pfx cert:\localMachine\Root -Password $mypwd 


To view the certificates installed in your server’s local store, run the following commands in the Powershell prompt. Check that your certificate is there and it has the private key.

Get-ChildItem -Path cert:\LocalMachine\my | fl -Property FriendlyName, HasPrivateKey, GetCertHashString, subject, Thumbprint, Issuer, NotAfter, NotBefore



FriendlyName  : Go Daddy Wild Card SSL

HasPrivateKey : True

Subject       : CN=*.domain.test, OU=Domain Control Validated

Thumbprint    : D3561AD0AD3831BE2231B97CB40AC5EF21F5C919

Issuer        : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=, O=”, Inc.”,

                L=Scottsdale, S=Arizona, C=US

NotAfter      : 28/01/2015 5:11:40 PM

NotBefore     : 23/01/2014 9:49:03 AM


Next, we need to add the certificate to ADFS. On the ADFS server open a PowerShell prompt and run the following;

$CertificateFriendlyName = “Go Daddy Wild Card SSL”

$CertificateThumbprint = (Get-ChildItem -Path cert:\LocalMachine\my | Where-Object {($_.FriendlyName -eq $CertificateFriendlyName) }).Thumbprint

 Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertificateThumbprint

Set-AdfsSslCertificate -Thumbprint $CertificateThumbprint


PS C:\Windows\system32> $CertificateFriendlyName = “Go Daddy Wild Card SSL”

$CertificateThumbprint = (Get-ChildItem -Path cert:\LocalMachine\my | Where-Object {($_.FriendlyName -eq $CertificateFriendlyName) }).Thumbprint

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertificateThumbprint


WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server

 in the farm.


PS C:\Windows\system32> Set-AdfsSslCertificate -Thumbprint $CertificateThumbprint



PS C:\Windows\system32>


Finally, restart your ADFS service

In the PowerShell prompt type;

Restart-Service adfssrv

Get-Service adfssrv


PS C:\Windows\system32> Restart-Service adfssrv

Get-Service adfssrv


WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to start…


Status   Name               DisplayName                          

——   —-               ———–                          

Running  adfssrv            Active Directory Federation Services 


Once all has been completed, open a browser and try with the following URL;



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s