Renew ADFS Token Signing Certificate

ADFS Token Signing Certificate

Renewing the ADFS Token Signing Certificate is a task that comes back every year, unless you have configured the self-signed certificates to live longer than the default 365 days. The procedure we use, and which I describe in this post, is based on this straightforward article posted by Andi Sichel on his blog > adfs-exchange-wap-1-jahr-nach-der-installation

You can also find a detailed description of how to do it with PowerShell only.

First, let's be clear about the meaning of some relevant attributes and values that appear in the output of the following command:

Get-ADFSProperties | fl

CertificateGenerationThreshold :
Has a default value of 20 (days). This means that 20 days before the current primary ADFS Token Signing Certificate expires, ADFS generates a secondary certificate automatically (this becomes the new signing certificate once the current one is replaced). It is shown as the secondary ADFS Token Signing Certificate in the AD FS Management Console.

AutoCertificateRollover :
The default value of this attribute is $True. Set it to $False only for the short time it takes to assign the automatically created secondary certificate as the primary ADFS certificate, and set it back to $True afterwards; while it is $True, the Set as Primary option in the console stays grayed out.

CertificatePromotionThreshold :
This attribute is important and should be monitored before the upcoming expiration of the current ADFS Token Signing Certificate. It defines after how many days, counting from the creation date of the secondary ADFS certificate, the new certificate is promoted to primary automatically (the default is 5 days).
If the value of this attribute is set to 15, the secondary certificate is assigned as primary automatically 15 days after it was created.
Based on that example, the Exchange servers must be updated with the thumbprint of the new certificate within at most 15 days (better earlier) after the creation of the secondary ADFS Token Signing Certificate. If ADFS promotes the certificate on its own before Exchange knows the new thumbprint, Exchange rejects the tokens and OWA logins fail until the thumbprint is updated.
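As an added example (not part of the original post), the following read-only check reports where the token-signing certificate stands against the three attributes described above: when the primary expires, when a secondary is due, and when ADFS will promote an existing secondary on its own. It assumes it runs in an elevated PowerShell on an ADFS server with the ADFS module available, and it changes nothing.

```powershell
# Added example, not from the original post. Read-only status check of the
# ADFS token-signing certificate rollover; run on an ADFS server (assumption).
Import-Module ADFS -ErrorAction Stop

$props = Get-AdfsProperties
$now   = Get-Date

Write-Host ("AutoCertificateRollover        : {0}"      -f $props.AutoCertificateRollover)
Write-Host ("CertificateGenerationThreshold : {0} days" -f $props.CertificateGenerationThreshold)
Write-Host ("CertificatePromotionThreshold  : {0} days" -f $props.CertificatePromotionThreshold)

if (-not $props.AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is off: no secondary certificate will be generated or promoted automatically."
}

# Select by IsPrimary; the order of the Get-AdfsCertificate output is not guaranteed.
$signing   = Get-AdfsCertificate -CertificateType Token-Signing
$primary   = $signing | Where-Object { $_.IsPrimary }
$secondary = $signing | Where-Object { -not $_.IsPrimary }

# The secondary is generated CertificateGenerationThreshold days before the primary expires.
$expires    = $primary.Certificate.NotAfter
$generateOn = $expires.AddDays(-1 * $props.CertificateGenerationThreshold)
$daysLeft   = [math]::Floor(($expires - $now).TotalDays)
Write-Host ("Primary token-signing cert {0} expires {1:yyyy-MM-dd} ({2} days left)" -f $primary.Thumbprint, $expires, $daysLeft)

if (-not $secondary) {
    Write-Host ("No secondary certificate yet; with auto rollover on, expect it around {0:yyyy-MM-dd}" -f $generateOn)
} else {
    # The secondary is promoted CertificatePromotionThreshold days after its creation (NotBefore).
    $created       = $secondary.Certificate.NotBefore
    $promoteOn     = $created.AddDays($props.CertificatePromotionThreshold)
    $daysToPromote = [math]::Floor(($promoteOn - $now).TotalDays)
    Write-Host ("Secondary cert {0} created {1:yyyy-MM-dd}; automatic promotion on {2:yyyy-MM-dd} ({3} days from now)" -f $secondary.Thumbprint, $created, $promoteOn, $daysToPromote)
    if ($daysToPromote -le 3) {
        Write-Warning "Promotion is imminent: introduce the new thumbprint on the Exchange servers now, or OWA logins will break when the primary changes."
    }
}
```

Schedule this on the ADFS server (or run it during your monthly checks); the warning is the point at which the manual procedure below has to be carried out before ADFS promotes the certificate on its own.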


Here we go :

1. Export the secondary ADFS Token Signing Certificate:

Open ADFS console on your ADFS server:
Server Manager > Tools > AD FS Management > AD FS > Service > Certificates

You will see the newly generated certificate as secondary certificate :
Right-click on it > View Certificate > Details > Copy To File > Next > choose DER > choose File Location > Export

[ in this phase you will notice that the Set as Primary option on the secondary certificate is grayed out, because AutoCertificateRollover is still enabled ]

To export the certificate via PowerShell (selecting by IsPrimary, because the order of the Get-AdfsCertificate output is not guaranteed and the first entry is not necessarily the secondary):

# pick the secondary (non-primary) token-signing certificate
$certRef = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { -not $_.IsPrimary }
# export only the public certificate, DER encoded (no private key leaves the ADFS server)
$certBytes = $certRef.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("C:\ADFS-Certs\adfs-token-signing.cer", $certBytes)

Change the export location to suit your environment; the target directory must already exist.

2. Copy the exported certificate to your Exchange servers.

3. Import the certificate on your Exchange servers:

MMC > Add/Remove Snap-in > Certificates > Computer Account > Next > Finish > Ok

Expand Trusted Root Certification Authorities:
Right-click on Certificates > All Tasks > Import > Local Machine > Choose the exported certificate > Next > Next > Finish

To import the certificate via PowerShell:

Import-Certificate -FilePath "PathToTheCertificate" -CertStoreLocation Cert:\LocalMachine\Root

4. Open an elevated PowerShell on your ADFS server and type:

Get-AdfsProperties | fl *cert*

Set the value of the AutoCertificateRollover attribute to $False (the parameter is spelled AutoCertificateRollover, not AutoCertificationRollover):

Set-AdfsProperties -AutoCertificateRollover $False

Open the AD FS Management Console and set the secondary ADFS Token Signing Certificate as primary.

Do the same with the ADFS Token Decrypting (encryption) certificate, listed under Token-decrypting.

From this point on, ADFS logins to Exchange are interrupted until the new primary ADFS Token Signing Certificate has been introduced on the Exchange servers with the CAS role. We do this in step 6!

After the new certificates (ADFS Token Signing and ADFS Token Decrypting) have been assigned as primary, set the AutoCertificateRollover attribute back to $True:

Set-AdfsProperties -AutoCertificateRollover $True

5. Copy the thumbprint of the new ADFS Token Signing Certificate:

In an elevated PowerShell on the ADFS server use the following command (the certificate type is written with a hyphen):

Get-AdfsCertificate -CertificateType Token-Signing | fl

If more than one certificate is listed, check the IsPrimary property (and the NotBefore and NotAfter dates) to find the current primary certificate, and copy its thumbprint.

6. Introduce the new ADFS Token Signing Certificate on your Exchange servers:

Open an elevated Exchange Management Shell and paste the thumbprint at the end of the following command (the setting is organization-wide, so it only has to be run once):

Set-OrganizationConfig -ADFSSignCertificateThumbprint ThumbprintGoesHere

Run iisreset /noforce on all Exchange servers with the CAS role installed.

Perform a login via OWA to verify that it works.
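As an added example (not the post's own script), the following PowerShell runs steps 1 to 6 above from one elevated session on the ADFS server, with a check after the promotion that the thumbprint handed to Exchange really is the one ADFS now signs with. Everything about the Exchange side is an assumption: the server names in $exchangeServers, WinRM access to them, the export path, and the Exchange snap-in name used to reach Set-OrganizationConfig inside Invoke-Command. Run it only once the secondary certificates exist, and expect the login gap between step 4 and step 6 to last for the few seconds the script needs.

```powershell
# Added example, not from the original post. Automates the six steps above
# from an elevated PowerShell on the ADFS server. Server names, paths and the
# Exchange snap-in name are assumptions; adjust them to your environment.
Import-Module ADFS -ErrorAction Stop
$ErrorActionPreference = 'Stop'

$exchangeServers = @('EX01', 'EX02')            # assumed: your Exchange CAS servers
$exportDir       = 'C:\ADFS-Certs'              # assumed export location
$cerPath         = Join-Path $exportDir 'adfs-token-signing.cer'

function Get-SecondaryAdfsCertificate([string]$Type) {
    # Select by IsPrimary; list order of Get-AdfsCertificate is not guaranteed.
    $cert = Get-AdfsCertificate -CertificateType $Type | Where-Object { -not $_.IsPrimary }
    if (-not $cert) { throw "No secondary $Type certificate found; nothing to roll over." }
    return $cert
}

$newSigning = Get-SecondaryAdfsCertificate 'Token-Signing'
$newDecrypt = Get-SecondaryAdfsCertificate 'Token-Decrypting'

# Step 1: export the public part of the secondary token-signing certificate (DER).
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
$derBytes = $newSigning.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $derBytes)

# Steps 2 and 3: hand the bytes to every Exchange server over WinRM and import
# them into Trusted Root Certification Authorities (no separate file copy needed).
foreach ($srv in $exchangeServers) {
    Invoke-Command -ComputerName $srv -ArgumentList $derBytes, $cerPath -ScriptBlock {
        param([byte[]]$bytes, [string]$path)
        New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
        [System.IO.File]::WriteAllBytes($path, $bytes)
        Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }
}

# Step 4: pause automatic rollover, promote both secondaries, re-enable rollover.
# ADFS logins to Exchange fail from here until step 6 completes.
Set-AdfsProperties -AutoCertificateRollover $false
Set-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $newSigning.Thumbprint -IsPrimary
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $newDecrypt.Thumbprint -IsPrimary
Set-AdfsProperties -AutoCertificateRollover $true

# Step 5: read back the thumbprint ADFS now signs with and confirm it is the
# certificate we just promoted, rather than trusting list order.
$primaryThumb = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Thumbprint
if ($primaryThumb -ne $newSigning.Thumbprint) {
    throw "Primary token-signing thumbprint is $primaryThumb, expected $($newSigning.Thumbprint)"
}

# Step 6: AdfsSignCertificateThumbprint is an organization-wide setting, so set it
# once, then recycle IIS on every CAS server so the new value is picked up.
Invoke-Command -ComputerName $exchangeServers[0] -ArgumentList $primaryThumb -ScriptBlock {
    param([string]$thumb)
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn   # assumed snap-in name
    Set-OrganizationConfig -AdfsSignCertificateThumbprint $thumb
}
foreach ($srv in $exchangeServers) {
    Invoke-Command -ComputerName $srv -ScriptBlock { iisreset /noforce | Out-Null }
}
Write-Host "Rollover done: primary token-signing thumbprint is $primaryThumb. Test an OWA login now."
```

The script deliberately promotes the decrypting certificate in the same pass as the signing certificate, as step 4 describes, and refuses to continue if either secondary is missing, so it cannot be run too early by accident.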

2 thoughts on “Renew ADFS Token Signing Certificate”

  1. I take it that Exchange doesn’t support secondary ADFS certificates and the new token-signing certificate needs to be rolled over to primary before it can be assigned to Exchange?

    1. Yes, that is correct. The secondary needs to be set as primary before you can introduce the thumbprint of the new certificate on the Exchange servers.
      There will be a gap where OWA logins will not be possible starting with promoting the secondary cert as primary until the new AdfsSignCertificateThumbprint is set on the Exchange servers.

      Regards
      Sam
