Hi there, we have upgraded our servers. Our ADFS servers now run on Windows Server 2019 Core, so the yearly renewal of the Token Signing Certificate has to be done via PowerShell only.
I have just finished the renewal of the Token Signing Certificate via PowerShell in our test environment. In this post, I will sum up the steps.
In case you want to renew the Token Signing certificate via GUI on an appropriate server see this post: Renew ADFS Token Signing Certificate
Let's start with a short description of the relevant ADFS properties: [Get-AdfsProperties | fl *cert*]
CertificateGenerationThreshold :
Has a default value of 20 (days). That means that 20 days before the current primary ADFS Token Signing Certificate expires, a secondary certificate will be generated (this will become the new certificate after the current one expires). You can check whether the secondary certificate has already been created with the following commands:
Get-AdfsCertificate -CertificateType Token-Signing
Get-AdfsCertificate -CertificateType Token-Decrypting
When the secondary certificate exists, the output should list at least two certificates. Focus on the certificate which has the attribute IsPrimary set to False. Verify that the Not Before: date is correct.
AutoCertificateRollover :
The default value of this attribute is $True and it should only be changed to $False for the time when the automatically created secondary certificate is assigned as the primary ADFS certificate. When you manually renew the Token Signing Certificate this must be set to $False. Otherwise, the secondary certificate will be promoted to primary automatically, and web logins to the application servers will not be possible until the new certificate has been introduced on the affected application servers.
CertificatePromotionThreshold :
This attribute is important and should be monitored before the upcoming expiration of the current ADFS Token Signing Certificate. It defines after how many days (counting from the creation date of the secondary ADFS certificate) the new certificate will be promoted to primary automatically.
If the value of this attribute is 15, the secondary certificate will be assigned as primary automatically 15 days after it was created.
Based on the example above, the application servers should be updated with the thumbprint of the new certificate within 15 days (better earlier) after the creation of the secondary ADFS Token Signing Certificate.
CertificateRolloverInterval :
Defines the interval in minutes at which ADFS checks whether a new certificate needs to be generated. The default value is 720. Once you have adjusted the values above to your needs, you can temporarily lower this value to 5 minutes, for instance, to have the secondary certificate generated right away if it does not exist yet. Set it back to the default afterwards.
Microsoft describes these properties here.
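The following script is an added example (not from the original post) that turns the four properties above into a rollover status report: it shows when the current primary expires, whether a secondary certificate exists yet, and the date on which ADFS will promote it on its own (the secondary's Not Before date is used as its creation date). It assumes the ADFS PowerShell module is available, i.e. it is run on the ADFS server.

```powershell
# Added example: report where ADFS stands in its automatic certificate rollover cycle.
# Assumes the ADFS module (Get-AdfsProperties / Get-AdfsCertificate) is present.
$props = Get-AdfsProperties
$now   = Get-Date
"AutoCertificateRollover={0}  Generation={1}d  Promotion={2}d  Interval={3}min" -f `
    $props.AutoCertificateRollover, $props.CertificateGenerationThreshold, `
    $props.CertificatePromotionThreshold, $props.CertificateRolloverInterval

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $certs     = Get-AdfsCertificate -CertificateType $type
    $primary   = $certs | Where-Object { $_.IsPrimary }
    $secondary = @($certs | Where-Object { -not $_.IsPrimary })

    $daysToExpiry = ($primary.Certificate.NotAfter - $now).Days
    "{0}: primary {1} expires in {2} days (NotAfter {3:yyyy-MM-dd})" -f `
        $type, $primary.Thumbprint, $daysToExpiry, $primary.Certificate.NotAfter

    # Inside the generation window ADFS should already have created a secondary.
    if ($daysToExpiry -le $props.CertificateGenerationThreshold -and $secondary.Count -eq 0) {
        "  WARNING: within CertificateGenerationThreshold but no secondary certificate yet."
        "  Check AutoCertificateRollover or lower CertificateRolloverInterval temporarily."
    }

    foreach ($s in $secondary) {
        # Auto-promotion happens CertificatePromotionThreshold days after creation;
        # the self-signed secondary's NotBefore is taken as its creation date.
        $promoteOn = $s.Certificate.NotBefore.AddDays($props.CertificatePromotionThreshold)
        $daysLeft  = ($promoteOn - $now).Days
        "  secondary {0}: NotBefore {1:yyyy-MM-dd}, auto-promotion expected {2:yyyy-MM-dd} ({3} days)" -f `
            $s.Thumbprint, $s.Certificate.NotBefore, $promoteOn, $daysLeft
        if ($daysLeft -le 3) {
            "  ACTION: distribute this thumbprint to the application servers now or logins will break."
        }
    }
}
```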
With that being said we are good to go. Log on to your ADFS Server Core.
Query the secondary Token Signing and Decrypting certificates
Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $False}
Note the thumbprints. You will need them later.
Export the secondary Token Signing Certificate
Export the certificate to a location you can reach from the application servers. I usually export the cert to a local folder on the ADFS server.
$certRefs = @(Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False})
$certBytes = $certRefs[0].Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("C:\PathToExportFolder\CertName.cer", $certBytes)
Import the certificate from your ADFS Server Core to all Exchange servers
The certificate will be imported to the Trusted Root Certification Authority of LocalMachine:
You can check that the certificate has been imported successfully via remote MMC from a GUI server:
Navigate to ServerName\Trusted Root Certification Authorities > Certificates and verify that the imported ADFS Signing certificate is there.
Of course you can check it with PowerShell as well:
Get-ChildItem Cert:\LocalMachine\Root | where {$_.Subject -like "*ADFS*"} | fl
Promote the new secondary certificate to primary on ADFS Server Core
Set AutoCertificateRollover to False to be able to promote your secondary certificate to primary:
Query the thumbprint of the new Token Signing and Decrypting certificates:
Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $False}
Note the thumbprint of both certificates.
Promote both secondary certificates (Token Signing and Decrypting) to primary:
Set-AdfsCertificate -IsPrimary -CertificateType "Token-Signing" -Thumbprint ThumbprintGoesHere
Set-AdfsCertificate -IsPrimary -CertificateType "Token-Decrypting" -Thumbprint ThumbprintGoesHere
The output was a message stating the certificate is already added.
I think you need to wait a little bit after you set AutoCertificateRollover to False. Several tries later it succeeded. To be honest I could not identify the cause; I just assume it was the time elapsed since I set AutoCertificateRollover to False.
Verify that the new certificates have the primary status:
Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $True}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $True}
Switch AutoCertificateRollover back to True:
Check it:
AutoCertificateRollover should be True!
Introduce the new Token Signing Certificate to the Exchange organization
It is enough to run the following command once from an Exchange server within your organization:
Verify the AdfsSignCertificateThumbprint:
Restart IIS:
Or Restart IIS remotely:
Now try to log in via the web frontend to your application servers (try an Outlook on the Web login).
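The ADFS-side steps above (query the secondaries, export the signing certificate, disable rollover, promote both, re-enable rollover) as one guarded script; this is an added example and not the original post's code. It assumes it is run in an elevated PowerShell on the ADFS server, $exportDir is a placeholder path, and the retry loop addresses the "already added" failure described above by re-checking IsPrimary instead of trusting the first attempt.

```powershell
# Added example, not from the original post: the ADFS-side renewal steps as one guarded
# script. Run elevated on the ADFS server; $exportDir is an assumed placeholder path.
$exportDir = 'C:\PathToExportFolder'

# 1. Find exactly one secondary (IsPrimary = False) certificate of each type.
$secondary = @{}
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $found = @(Get-AdfsCertificate -CertificateType $type | Where-Object { -not $_.IsPrimary })
    if ($found.Count -ne 1) { throw "Expected one secondary $type certificate, found $($found.Count)" }
    $secondary[$type] = $found[0]
}

# 2. Export the public part of the new signing certificate (DER .cer) for the application servers.
$signTp  = $secondary['Token-Signing'].Thumbprint
$cerPath = Join-Path $exportDir "ADFS-Token-Signing-$signTp.cer"
$bytes   = $secondary['Token-Signing'].Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $bytes)
"Exported $cerPath. On every Exchange server run:"
"  Import-Certificate -FilePath '$cerPath' -CertStoreLocation Cert:\LocalMachine\Root"
Read-Host 'Press Enter once the certificate is imported on all application servers'

# 3. Promote both secondary certificates. Set-AdfsCertificate only works while automatic
#    rollover is off, so switch it off and guarantee it is switched back on in finally.
Set-AdfsProperties -AutoCertificateRollover $false
try {
    foreach ($type in @($secondary.Keys)) {
        $tp = $secondary[$type].Thumbprint
        $promoted = $false
        # The first attempt may fail right after the toggle; verify and retry with a pause.
        for ($attempt = 1; $attempt -le 5 -and -not $promoted; $attempt++) {
            Set-AdfsCertificate -CertificateType $type -Thumbprint $tp -IsPrimary -ErrorAction SilentlyContinue
            $current  = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
            $promoted = ($current.Thumbprint -eq $tp)
            if (-not $promoted) { Start-Sleep -Seconds 30 }
        }
        if (-not $promoted) { throw "$type promotion to $tp failed after 5 attempts" }
        "$type is now primary: $tp"
    }
}
finally {
    Set-AdfsProperties -AutoCertificateRollover $true
    "AutoCertificateRollover is now $((Get-AdfsProperties).AutoCertificateRollover)"
}

# 4. Exchange side: run once from an Exchange Management Shell, then iisreset on each server.
"Set-OrganizationConfig -AdfsSignCertificateThumbprint '$signTp'"
```

The script stops before promotion if it does not find exactly one secondary of each type, and the finally block re-enables AutoCertificateRollover even when a promotion throws, which is the state the post tells you to end in.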
That’s it
Stay healthy!