The KeySpec can be changed by re-importing the complete certificate and private key from a PFX file into the certificate store, using the steps below. First, check and record the private key permissions on the existing certificate so that they can be re-applied after the re-import; the re-imported key container does not inherit the old permissions, and the AD FS service account must be able to read the private key.
However, the SSL certificate (which by default also serves as the service communications certificate) must be trusted by the AD FS clients. We recommend that you not use self-signed certificates for these certificate types.
Double-click the CA-signed certificate that you imported into the Windows certificate store. In the Certificate dialog box, click the Details tab, scroll down, and select the Thumbprint field. Copy the thumbprint value to a text file. Note: when you copy the thumbprint, do not include the leading space. The value copied from this dialog can also carry an invisible left-to-right mark character (U+200E) at the start; if a cmdlet later reports that the certificate cannot be found, retype the thumbprint or strip everything that is not a hexadecimal digit.
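The KeySpec re-import and the thumbprint copy described above, done from PowerShell instead of the GUI. This is an added example, not code from the original page: it assumes Windows PowerShell 5.1 with the PKI module on the AD FS server (Windows Server 2012 R2 or later), a legacy CSP key (the kind whose KeySpec matters to AD FS 2.0), an exportable private key, and placeholder values for the thumbprint, PFX path, password and service account.

```powershell
# Added example (not from the original page). All values below are placeholders.
$RawThumbprint  = "‎ ab 12 cd 34 ef 56 78 90 12 34 56 78 90 ab cd ef 12 34 56"  # as pasted from the GUI (assumed value)
$PfxPath        = 'C:\certs\adfs-temp.pfx'
$PfxPassword    = 'ChangeMe-TempExportOnly'
$ServiceAccount = 'CONTOSO\svc-adfs'

# Thumbprints copied from the certificate dialog often start with an invisible
# U+200E mark plus spaces; keep only hex digits so cmdlets can find the cert.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    return (($Text -replace '[^0-9A-Fa-f]', '')).ToUpperInvariant()
}

# KeySpec, key-file path and current ACL of a certificate's private key.
# AD FS 2.0 needs KeySpec = Exchange (AT_KEYEXCHANGE), not Signature.
function Get-PrivateKeyInfo {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $info = $cert.PrivateKey.CspKeyContainerInfo   # $null for CNG keys or no private key
    if (-not $info) { throw "No CSP key container for $Thumbprint (CNG key or no private key)" }
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
    [pscustomobject]@{
        Thumbprint = $Thumbprint
        KeySpec    = $info.KeySpec        # 'Exchange' or 'Signature'
        Exportable = $info.Exportable
        KeyFile    = $keyFile
        Acl        = Get-Acl -Path $keyFile
    }
}

# Export to PFX, delete cert + key, re-import with the AT_KEYEXCHANGE modifier
# (certutil honours it; Import-PfxCertificate has no KeySpec switch), then
# restore read access for the service account on the new key container.
function Reset-KeySpec {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$PfxPassword,
        [Parameter(Mandatory)][string]$ServiceAccount
    )
    $before = Get-PrivateKeyInfo -Thumbprint $Thumbprint
    if ($before.KeySpec -eq 'Exchange') { Write-Host "KeySpec is already AT_KEYEXCHANGE"; return $before }
    if (-not $before.Exportable) { throw "Private key is not exportable; re-import from the original PFX instead" }

    $secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
    Get-Item "Cert:\LocalMachine\My\$Thumbprint" |
        Export-PfxCertificate -FilePath $PfxPath -Password $secure | Out-Null
    Remove-Item "Cert:\LocalMachine\My\$Thumbprint" -DeleteKey

    certutil -p $PfxPassword -importPFX My $PfxPath AT_KEYEXCHANGE | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed with exit code $LASTEXITCODE" }
    Remove-Item $PfxPath -Force      # do not leave the exported private key on disk

    $after = Get-PrivateKeyInfo -Thumbprint $Thumbprint
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl   = Get-Acl -Path $after.KeyFile
    $acl.AddAccessRule($rule)
    Set-Acl -Path $after.KeyFile -AclObject $acl
    return Get-PrivateKeyInfo -Thumbprint $Thumbprint
}

$thumb = ConvertTo-CleanThumbprint -Text $RawThumbprint
(Get-PrivateKeyInfo -Thumbprint $thumb).Acl.Access | Format-Table IdentityReference, FileSystemRights -AutoSize
Reset-KeySpec -Thumbprint $thumb -PfxPath $PfxPath -PfxPassword $PfxPassword -ServiceAccount $ServiceAccount |
    Format-List Thumbprint, KeySpec, KeyFile
```

The ACL is read and printed before the key is deleted so that anything beyond the service account's Read entry (a monitoring account, for instance) can be restored by hand; only the service account's Read right is re-applied automatically. On Windows Server 2008 R2, where the PKI module is absent, use `certutil -exportPFX` for the export step.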
Open AD FS Management > AD FS > Service > Certificates, right-click the primary token signing certificate, and then choose View certificate.
Token decryption certificates are standard X.509 certificates that are used to decrypt incoming encrypted tokens. They are also published in the federation metadata.
Open services.msc, right-click the AD FS 2.0 Windows Service, and then click Properties. On the Log On tab, make sure that the new AD FS service account is listed in the This account box. Open IIS Manager, navigate to Application Pools, right-click ADFSAppPool, click Advanced Settings, and make sure the Identity is the same new service account.
SSL Certificates
Each AD FS and Web Application Proxy server has an SSL certificate to service HTTPS requests to the federation service. The Web Application Proxy can have additional SSL certificates to service requests to published applications.
You can find your AD FS federation metadata URL on the AD FS server in AD FS Management, under AD FS > Service > Endpoints, in the Metadata section. It should look like this
Step 2. Export the Certificate from AD FS
- Log in to the AD FS Management Console.
- Expand Service.
- Right-click the certificate under Token-signing in the Certificates pane, and then select View Certificate.
- Click the Details tab, and then click Copy to File to start the Certificate Export Wizard.
- Select DER encoded binary X.509 (.CER) and click Next.
- Enter the certificate file name and the location to export it to, and click Next.
- Click Finish, and then OK.
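The same export from PowerShell, followed by a check that the certificate just exported is the one the farm actually advertises at the federation metadata URL mentioned above. This is an added example, not code from the original page: it assumes the AD FS module is present, that the script runs on an AD FS server, and a placeholder farm name in `$MetadataUrl`.

```powershell
# Added example (not from the original page). Host name and output path are placeholders.
$MetadataUrl = 'https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
$OutPath     = 'C:\certs\token-signing.cer'

# Write the primary token-signing certificate as DER (.cer); this is the public
# part only, the same file the GUI wizard above produces.
function Export-AdfsTokenSigningCert {
    param([Parameter(Mandatory)][string]$Path)
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    $der = $primary.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    return $primary.Thumbprint
}

# Thumbprints of every signing certificate the farm publishes for its IdP role.
# Relying parties that consume metadata trust exactly these certificates.
function Get-MetadataSigningThumbprints {
    param([Parameter(Mandatory)][string]$Url)
    [xml]$md = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    $ns = @{
        md = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds = 'http://www.w3.org/2000/09/xmldsig#'
    }
    $xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    Select-Xml -Xml $md -Namespace $ns -XPath $xpath | ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.Node.InnerText.Trim())
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)).Thumbprint
    }
}

$local     = Export-AdfsTokenSigningCert -Path $OutPath
$published = @(Get-MetadataSigningThumbprints -Url $MetadataUrl)
if ($published -contains $local) {
    "Primary token-signing certificate $local is published in metadata ($($published.Count) signing cert(s) listed)"
} else {
    Write-Warning "Primary token-signing certificate $local is NOT in metadata; relying parties will reject tokens signed with it until metadata is refreshed"
}
```

Run this after a token-signing rollover as well: a secondary certificate is published in metadata before it is promoted, so relying parties that refresh metadata automatically pick it up, while those that were given a .cer by hand need the new file.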
Click Start, type mmc, and press ENTER. On the File menu, click Add/Remove Snap-in. Click the Certificate Templates snap-in, click Add, verify that the domain controller hosting the certificate templates you want to manage is selected, and then click OK.
How to renew or replace the SSL certificate on AD FS 2.0 servers.
- Request a new certificate. Generate a new certificate signing request from the primary AD FS server in your farm (a fresh key pair is preferable to reusing the existing private key).
- Import the new certificate into the certificate store.
- Apply the new certificate in the AD FS snap-in.
- Change the certificate binding in IIS.
- Send the certificate update to relying parties.
- Post-implementation test.
Below is the list of steps involved in the renewal.
- Generate the CSR from the primary AD FS server.
- Once the certificate is issued, import the new certificate into the certificate store.
- Verify that the certificate has its private key.
- Assign permissions on the private key to the AD FS service account.
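The renewal procedure above as one script: CSR with a fresh key and the right KeySpec, import of the issued certificate, private key check and permission grant, activation in AD FS, and a post-implementation check that the listener really serves the new certificate. This is an added example, not code from the original page. It assumes Windows Server 2012 R2 or later, where `Set-AdfsSslCertificate` manages the HTTP.sys binding (the IIS binding step for AD FS 2.0 is shown as a comment); the FQDN, service account and file paths are placeholders.

```powershell
# Added example (not from the original page). FQDN, account and paths are placeholders.
$Fqdn           = 'sts.contoso.com'
$ServiceAccount = 'CONTOSO\svc-adfs'
$InfPath        = 'C:\certs\sts.inf'
$CsrPath        = 'C:\certs\sts.csr'
$IssuedCerPath  = 'C:\certs\sts.cer'      # file returned by the CA after signing the CSR

# 1. CSR: new 2048-bit RSA key in the machine store, KeySpec=1 (AT_KEYEXCHANGE),
#    KeyUsage 0xA0 = digitalSignature + keyEncipherment, SAN = the farm name.
function New-AdfsSslCsr {
    @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = SHA256
[Extensions]
2.5.29.17 = "{text}dns=$Fqdn"
"@ | Set-Content -Path $InfPath -Encoding ASCII
    certreq -new $InfPath $CsrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
}

# 2./3. Bind the issued certificate to the pending key, then verify the private key
#    is present and grant the service account read access to the key container.
function Install-AdfsSslCert {
    certreq -accept $IssuedCerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for CN=$Fqdn" }
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    icacls $keyFile /grant "${ServiceAccount}:R" | Out-Null
    return $cert
}

# 4. Activate in AD FS. Service-Communications is what the GUI calls the SSL cert;
#    the listener binding is separate and must be updated too.
function Set-AdfsSslCertBinding {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Cert.Thumbprint
    Set-AdfsSslCertificate -Thumbprint $Cert.Thumbprint
    # AD FS 2.0 (IIS-hosted) instead: replace the IIS HTTPS binding, e.g.
    #   netsh http delete sslcert ipport=0.0.0.0:443
    #   netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint> appid=<appid from "netsh http show sslcert">
    Restart-Service adfssrv
}

# 6. Post-implementation test: ask the listener which certificate it serves.
function Get-ServedCertThumbprint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: we only want to read the served certificate.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        return $ssl.RemoteCertificate.GetCertHashString()
    } finally { $tcp.Close() }
}

New-AdfsSslCsr                               # submit $CsrPath to the CA, save the result as $IssuedCerPath
$new = Install-AdfsSslCert
Set-AdfsSslCertBinding -Cert $new
$served = Get-ServedCertThumbprint -HostName $Fqdn
if ($served -ne $new.Thumbprint) { Write-Warning "Listener still serves $served, expected $($new.Thumbprint)" }
else { "Listener on $Fqdn serves the new certificate $served" }
```

Run `New-AdfsSslCsr` first, get the CSR signed, then run the remaining steps; on a farm, repeat the import, permission and binding steps on every secondary server and on each Web Application Proxy, since the served-certificate check only tells you about the node the load balancer happened to pick.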
Open a web browser and navigate to https://<ADFS FQDN>/adfs/ls/IdpInitiatedSignon.aspx (replace <ADFS FQDN> with the fully qualified name of your AD FS server). If prompted, enter your credentials; once you have supplied them and successfully logged on, you will see the successful login page. On AD FS 2016 and later this page is disabled by default and has to be enabled first with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true.
A WAP server in this sentence is the Wireless Application Protocol sense of the term, not the Web Application Proxy used with AD FS: it is a standard web server that hosts a WAP site's contents, such as WML and XHTML MP documents. Some companies sell a "WAP server" product that is actually a web server plus a WAP gateway. Tomcat is a Java Servlet / JSP container that can also be used as a standalone web server.
Check if the certificates need to be updated
- Step 1: Check the AutoCertificateRollover state. On your AD FS server, open PowerShell.
- Step 2: Confirm that AD FS and Azure AD are in sync. On your AD FS server, open the MSOnline PowerShell prompt, and connect to Azure AD.
- Step 3: Check if your certificate is about to expire.
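The three checks above in one script: rollover state, agreement between AD FS and Azure AD on the token-signing certificate, and days to expiry for every certificate the farm uses. This is an added example, not code from the original page. It assumes the AD FS module and the MSOnline module are installed, that `Connect-MsolService` has already succeeded in this session, and a placeholder federated domain name.

```powershell
# Added example (not from the original page). Domain name and threshold are placeholders.
$Domain   = 'contoso.com'
$WarnDays = 30

# Step 1: with AutoCertificateRollover = True, AD FS creates a new self-signed
# token-signing/decrypting certificate CertificateGenerationThreshold days before
# expiry and promotes it CertificatePromotionThreshold days later; manual renewal
# of those two types is only needed when it is False. SSL certs never auto-roll.
function Get-AdfsRolloverState {
    $p = Get-AdfsProperties
    [pscustomobject]@{
        AutoCertificateRollover        = $p.AutoCertificateRollover
        CertificateGenerationThreshold = $p.CertificateGenerationThreshold
        CertificatePromotionThreshold  = $p.CertificatePromotionThreshold
    }
}

# Step 2: Get-MsolFederationProperty returns one row describing what the AD FS
# server uses and one describing what Azure AD has stored for the domain.
# Different token-signing thumbprints across rows mean Azure AD will reject tokens.
function Test-AdfsAzureAdSync {
    param([Parameter(Mandatory)][string]$DomainName)
    $rows   = Get-MsolFederationProperty -DomainName $DomainName
    $thumbs = @($rows | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Sort-Object -Unique)
    [pscustomobject]@{
        Domain  = $DomainName
        InSync  = ($thumbs.Count -eq 1)
        Thumbs  = $thumbs
        Remedy  = if ($thumbs.Count -eq 1) { $null } else { "Update-MsolFederatedDomain -DomainName $DomainName" }
    }
}

# Step 3: expiry of every certificate AD FS knows about, flagged against a threshold.
function Get-AdfsCertExpiry {
    param([int]$WarnDays = 30)
    Get-AdfsCertificate | ForEach-Object {
        $days = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Type       = $_.CertificateType
            Primary    = $_.IsPrimary
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.Certificate.NotAfter
            DaysLeft   = $days
            Status     = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'EXPIRING' } else { 'OK' }
        }
    }
}

Get-AdfsRolloverState | Format-List
$sync = Test-AdfsAzureAdSync -DomainName $Domain
if ($sync.InSync) { "AD FS and Azure AD agree on token-signing certificate $($sync.Thumbs)" }
else { Write-Warning "AD FS and Azure AD differ ($($sync.Thumbs -join ', ')); run: $($sync.Remedy)" }
Get-AdfsCertExpiry -WarnDays $WarnDays | Sort-Object DaysLeft | Format-Table -AutoSize
```

Even with automatic rollover on, the Azure AD check still matters: a newly promoted token-signing certificate reaches Azure AD only through Update-MsolFederatedDomain (or an equivalent metadata refresh), so a farm can be healthy locally while cloud sign-ins fail.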
Active Directory Federation Services