Over the last week I had to change some certificates on a few ADFS solutions. The servers were all built with internal certificates for testing, but now need production 3rd party certificates.
The steps to change a certificate with IIS are simple, however the new ADFS no longer requires IIS.
The following process outlines the steps to change the SSL on ADFS without IIS.
First we need to have the correct SSL certificate. The SSL certificate must have the following:
Valid domain name:
The FQDN must be valid in the certificate for the ADFS site. You can use a wildcard certificate if required.
Private Key:
ADFS needs the private key to function correctly.
Once we have the certificate, the next step is to import it into the correct store on the machines hosting ADFS. Here I will only import the certificate into one server; this needs to be done on all servers hosting ADFS.
Open a PowerShell prompt with administrator rights on the ADFS server and type the following:
$mypwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
# Import into the Personal (My) store of the local machine; this is the store
# ADFS reads its service certificate from, and the store checked in the next step.
Import-PfxCertificate -FilePath .\$ServerCertHostName.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd
Example:
PS C:\Windows\system32> $mypwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
PS C:\Windows\system32> Import-PfxCertificate -FilePath .\$ServerCertHostName.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd
To view the certificates installed in your server's local machine Personal store, run the following command in the PowerShell prompt. Check that your certificate is there and that it has the private key (HasPrivateKey must be True).
Get-ChildItem -Path Cert:\LocalMachine\My | Format-List -Property FriendlyName, HasPrivateKey, Subject, Thumbprint, Issuer, NotAfter, NotBefore
Example:
FriendlyName : Go Daddy Wild Card SSL
HasPrivateKey : True
Subject : CN=*.domain.test, OU=Domain Control Validated
Thumbprint : D3561AD0AD3831BE2231B97CB40AC5EF21F5C919
Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 28/01/2015 5:11:40 PM
NotBefore : 23/01/2014 9:49:03 AM
Next, we need to add the certificate to ADFS. On the ADFS server open a PowerShell prompt and run the following:
$CertificateFriendlyName = "Go Daddy Wild Card SSL"
$CertificateThumbprint = (Get-ChildItem -Path cert:\LocalMachine\my | Where-Object {($_.FriendlyName -eq $CertificateFriendlyName) }).Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertificateThumbprint
Set-AdfsSslCertificate -Thumbprint $CertificateThumbprint
Example:
PS C:\Windows\system32> $CertificateFriendlyName = "Go Daddy Wild Card SSL"
$CertificateThumbprint = (Get-ChildItem -Path cert:\LocalMachine\my | Where-Object {($_.FriendlyName -eq $CertificateFriendlyName) }).Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertificateThumbprint
WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server
in the farm.
PS C:\Windows\system32> Set-AdfsSslCertificate -Thumbprint $CertificateThumbprint
PS C:\Windows\system32>
Finally, restart the ADFS service.
In the PowerShell prompt type:
Restart-Service adfssrv
Get-Service adfssrv
Example:
PS C:\Windows\system32> Restart-Service adfssrv
Get-Service adfssrv
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...
Status Name DisplayName
------ ---- -----------
Running adfssrv Active Directory Federation Services
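The whole procedure above (import into the Personal store, check the certificate, bind it, restart) can be run as one script. The following is an added example written for this post, not the author's own script; it goes a little beyond the steps above by checking the certificate against the requirements listed at the start (private key present, currently valid, and a DNS name that matches the federation service name, wildcards included) before anything is changed in ADFS. The PFX path parameter and the password prompt are my own choices; the federation service name is read from Get-AdfsProperties.

```powershell
#Requires -RunAsAdministrator
# Added example, not the blog post's own script. Run on an AD FS server.
param(
    # Path to the 3rd party PFX (placeholder, supply your own).
    [Parameter(Mandatory)] [string] $PfxPath
)

Import-Module ADFS
Import-Module PKI

# Prompt for the PFX password rather than keeping it in the script as plain text.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Checks the certificate against the requirements in the post: private key,
# validity period, and a DNS name (SAN entry or subject CN) matching the
# federation service host name. Returns a list of problems; empty means OK.
function Test-AdfsServiceCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $FederationHostName
    )
    $problems = @()
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key' }

    $now = Get-Date
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -lt $now) {
        $problems += "not valid now (valid $($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    # Collect DNS names: Subject Alternative Name (OID 2.5.29.17) entries first,
    # then the subject CN (GetNameInfo with SimpleName returns the CN value).
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    $names += $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # A wildcard such as *.domain.test matches exactly one label, so it covers
    # adfs.domain.test but not adfs.sub.domain.test. -match is case-insensitive.
    $matched = $names | Where-Object {
        $pattern = '^' + [regex]::Escape($_).Replace('\*', '[^.]+') + '$'
        $FederationHostName -match $pattern
    }
    if (-not $matched) {
        $problems += "no certificate name in [$($names -join ', ')] matches $FederationHostName"
    }
    return $problems
}

# 1. Import into the local machine Personal (My) store, where AD FS looks for it.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 2. Verify the requirements before touching AD FS.
$hostName = (Get-AdfsProperties).HostName
$problems = Test-AdfsServiceCertificate -Certificate $cert -FederationHostName $hostName
if ($problems) {
    throw "Certificate $($cert.Thumbprint) is not usable for AD FS: $($problems -join '; ')"
}

# 3. Bind it for service communications and for the HTTPS listener.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint

# 4. Restart the service and confirm what is now bound.
Restart-Service adfssrv
Get-Service adfssrv
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
(Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
```

The final two commands show the thumbprint actually bound, which is the quickest way to confirm the change took effect before opening a browser. In a farm, the PFX import, Set-AdfsSslCertificate and the service restart are per-server operations, so run the script on each node.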
Once all has been completed, open a browser and try the following URL: