Microsoft Enterprise Mobility Suite Tips

Enterprise Mobility stuff worth sharing -- by Pieter Wigleven (Technical Solution Professional MSFT)

Replace certificates on ADFS 3.0

In my test environment I wanted to replace self-signed certificates with publicly trusted ones.

Follow these steps if you want to achieve the same:

  • RDP to your ADFS 3.0 server.
  • Import the new certificate into the machine’s Personal store.
  • Make sure you have the private key that corresponds to this certificate. If not, go to the PC you requested the certificate on, export it from there, and make sure to include the private key.
  • Assign the proper permissions on the private key to the ADFS managed service account.
  • Make sure to select “Service Accounts” when searching for the account.
  • Now switch to AD FS Management, drill down to Certificates and select “Set Service Communication Certificate”.
  • You will be prompted for the required certificate. If you don’t see the new certificate in the list of available certificates, it means you either don’t have the private key that corresponds to this certificate or you didn’t import the certificate correctly.

The following commands also have to be run; the console step above does not update the SSL binding (thanks to Jaguar, who pointed this out in a comment):

  • Run Get-AdfsSslCertificate. Make a note of the thumbprint of the new certificate.
    • If it's unclear which certificate is new, open the MMC Certificates snap-in, locate the new certificate and scroll down in the list of properties to see the thumbprint.

  • Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx (thumbprint without spaces).
  • Restart the ADFS service.

Optionally when using Web Application Proxy(s):

  • Copy and import the new certificate to the Web Application Proxy/Proxies which are not domain joined. Make sure the certificate is imported into the Machine Personal Store.
  • Switch the certificate on the Web Application Proxy, I personally did this by reinstalling the Web Application Proxy (requires a reboot) but it’s much easier to use the “Set-WebApplicationProxySslCertificate” cmdlet.
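The whole procedure above, as an added PowerShell example that is not code from the original post: it finds the replacement certificate in the machine Personal store, checks the conditions that make the console refuse a certificate (no private key, wrong EKU, broken chain), shows what AD FS currently has bound, and only with -Apply runs the console step and the Set-AdfsSslCertificate step together. The service name in $Subject is a hypothetical value, the -Thumbprint parameter is optional for a thumbprint pasted from Notepad or MMC, and the script assumes an elevated session on a federation server where the ADFS module is available.

```powershell
# Added example, not code from the original post. Binds a replacement
# certificate to AD FS 3.0 the way the steps above describe, with the checks
# that explain the usual failure modes before anything is changed.
# Assumptions (hypothetical): the service name in $Subject; the ADFS module is
# loaded on the federation server; run in an elevated PowerShell session.
param(
    [string]$Subject    = 'sts.contoso.example',  # hypothetical, use your federation service name
    [string]$Thumbprint = '',                     # optional: a thumbprint pasted from Notepad/MMC
    [switch]$Apply                                # without -Apply the script only reports
)
$ErrorActionPreference = 'Stop'

function Get-CleanThumbprint([string]$Raw) {
    # Strip spaces and any non-hex character (for example an invisible character
    # that a copy/paste can prepend), then insist on exactly 40 hex digits.
    $t = (($Raw -replace '[^0-9A-Fa-f]', '')).ToUpperInvariant()
    if ($t -notmatch '^[0-9A-F]{40}$') { throw "Not a SHA-1 thumbprint after cleanup: '$Raw'" }
    return $t
}

# 1. Locate the certificate in the machine Personal store (Cert:\LocalMachine\My).
if ($Thumbprint) {
    $clean = Get-CleanThumbprint $Thumbprint
    $cert  = Get-Item "Cert:\LocalMachine\My\$clean"
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Subject*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No unexpired certificate with CN=$Subject in LocalMachine\My" }
    $clean = $cert.Thumbprint
}

# 2. Pre-flight checks: these are the reasons the certificate does not show up
#    in the AD FS console, or is accepted there but fails at the TLS layer.
if (-not $cert.HasPrivateKey) {
    throw "$clean has no private key on this machine; export it again from the requesting PC with the key"
}
$serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth })) {
    throw "$clean does not carry the Server Authentication EKU"
}
if (-not $cert.Verify()) {
    Write-Warning "Chain for $clean does not validate on this host; clients may reject it"
}

# 3. Show what AD FS currently has bound so a stale thumbprint is visible.
Write-Host "Current AD FS SSL bindings:"
Get-AdfsSslCertificate |
    ForEach-Object { "  {0}:{1} -> {2}" -f $_.HostName, $_.PortNumber, $_.CertificateHash }
Write-Host "Replacement certificate: $clean (expires $($cert.NotAfter))"

if (-not $Apply) { Write-Host "Dry run only; re-run with -Apply to change the bindings."; return }

# 4. Apply: the console step (service communication certificate), then the SSL
#    binding step the console does not perform, then restart the service.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $clean
Set-AdfsSslCertificate -Thumbprint $clean
Restart-Service adfssrv
Get-AdfsSslCertificate   # should now list only $clean
```

Run it once without -Apply to see the current bindings and the certificate it picked, then with -Apply. Set-AdfsSslCertificate configures the local server's binding, so repeat the -Apply run on every federation server in the farm; on a Web Application Proxy the equivalent binding step is Set-WebApplicationProxySslCertificate -Thumbprint with the same cleaned thumbprint.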

Consider leaving a reply in case this post helped you. Thanks!

  • As part of our deployment of ADFS 3.0 (to replace our ADFS 1.1), we had to replace the first SSL certificate that we cut. After doing the usual process (including replacing it in the ADFS console), our federation proxies could not talk to the internals. Neither could my workstation using a hosts file to communicate directly to one of the internal FS servers. Looking at the ADFS Admin log (or the Debug log), it showed a yellow on a thumbprint that it could not find. This is what we had to do:

    1. Get the thumbprint of the replacement SSL cert.

    2. Copy it to notepad and remove the spaces.

    3. Open powershell on one of the FS servers.

    4. Run Get-AdfsSslCertificate. This showed the thumbprint still "stuck" in ADFS, the old one.

    5. Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx   (without spaces).

    6. Restart the ADFS service on both internal FS servers and all was well again.

    Sounds like a bug to me. Regards,

  • Not a bug. Since there is no IIS, that step has been replaced with PowerShell; you have to do something similar on the Proxies as well. In addition, we ran into the following:

    1. We used our current code signing certificate from Digicert for the new system - and used it for the token decryption certificate.

    2. Our testing showed that WIA worked but FBA did not - the web form simply refreshed at login. A yellow warning appeared in the log about discarding corrupt cookie.

    3. After 3.5 days with our MCS engineer and PSS top level support, the issue was that the code signing cert did not have key usage/enhanced key usage terminology required for the token decryption cert.

    4. We generated a self signed cert with the proper terminology and the issue was resolved.

  • Jaguar, great stuff! Saved me a huge headache. Running your commands fixed my issue. Massive thanks!

  • Oh what a lovely post. Many thanks. I am still stuck.
    I had a publicly trusted wildcard cert for my domain (it worked for OWA, SharePoint, OA, and I could also use it for ADFS and WAP. Brilliant. BUT when I got to device registration I found I need a SAN on the certificate called
    Since my cert comes from Godaddy, I can't have SAN on a wildcard cert, so I will have to use a UCC SAN cert instead.
    Before I rekey a certificate, are there any other SANs I need (apart from SIP, OWA, EDGE, MAIL, AUTODISCOVER, ENTERPRISEREGISTRATION... ?

  • Thanks Jaguar, the blog post is incomplete indeed, I had to run your Set-AdfsSslCertificate command to complete the configuration.

  • Just had to do this and it's saved me so many problems - you sir are a star!

  • Thx a lot, worked!

  • Many thanks for this article, saved me a lot of headaches trying to figure out the cert updating process.

  • Understood that it isn't a bug but Microsoft has the ability to program that process into the GUI. One shouldn't require searching in a blog to resolve a problem that Microsoft pragmatically didn't or neglected to do. If the web service is built into ADFS then the ADFS console or PowerShell cmdlets should complete the configuration wholly not partially causing hours of support. (I guess one assumes that "SET" means set.)

  • Thanks so much for the rebinding commands. Why aren't those in the official docs?!

  • I just went through an ADFS Farm Name change and ran into an issue where the old SSL certs were still showing in the output of Get-AdfsSslCertificate.

    This caused ADFS to return an Unauthorized error if I tried to issue a token under the new farm name, but using the old farm name would still work (Invoke-WebRequest : The remote server returned an error: (401) Unauthorized.).

    I had to go into netsh http and delete the old SSL bindings from each ADFS Server using the following command:
    netsh http delete sslcert hostnameport={oldname}:49443
    netsh http delete sslcert hostnameport={oldname}:443

    Also shout out to the ADFS Team for their ADFSDiagnostics module (the PowerShell Test-AdfsServerToken cmdlet is awesome).
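The stale http.sys binding described in the comment above, as an added PowerShell example that is not the commenter's code: it parses the output of netsh http show sslcert, compares each binding against the certificate hash and host names AD FS should be using, and prints the matching netsh http delete sslcert command for every binding that does not match. Nothing is deleted unless -Remove is given. The -Expected hash and -Hosts list default to what Get-AdfsSslCertificate reports; after a farm rename pass them explicitly, since the old name may still be listed there.

```powershell
# Added example, not code from the comment above. Audits http.sys SSL bindings
# on an AD FS server and reports the ones that do not match the expected
# certificate hash or host names. Deletes only with -Remove.
# Assumptions (hypothetical): when -Expected/-Hosts are omitted they are taken
# from Get-AdfsSslCertificate; run elevated on the federation server.
param(
    [string]$Expected = '',      # hash that should be bound on every endpoint
    [string[]]$Hosts  = @(),     # host names that are allowed to have a binding
    [switch]$Remove
)
$ErrorActionPreference = 'Stop'

function ConvertFrom-NetshSslCert([string[]]$Lines) {
    # Parse "netsh http show sslcert" text into objects. Each binding block
    # starts with a "Hostname:port" or "IP:port" line and carries a
    # "Certificate Hash" line; the other fields are ignored.
    $bindings = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Hostname:port|IP:port)\s*:\s*(\S+)\s*$') {
            $current = [pscustomobject]@{ Kind = $Matches[1]; Endpoint = $Matches[2]; Hash = '' }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)\s*$') {
            $current.Hash = $Matches[1].ToUpperInvariant()
        }
    }
    return $bindings
}

if (-not $Expected -or $Hosts.Count -eq 0) {
    $adfs = Get-AdfsSslCertificate
    if (-not $Expected)      { $Expected = ($adfs | Select-Object -First 1).CertificateHash }
    if ($Hosts.Count -eq 0)  { $Hosts = $adfs | ForEach-Object { $_.HostName } }
}
$Expected = $Expected.ToUpperInvariant()
$Hosts    = $Hosts | ForEach-Object { $_.ToLowerInvariant() }

$all = ConvertFrom-NetshSslCert (netsh http show sslcert)
$stale = $all | Where-Object {
    $hostPart = ($_.Endpoint -split ':')[0].ToLowerInvariant()
    ($_.Hash -and $_.Hash -ne $Expected) -or
    ($_.Kind -eq 'Hostname:port' -and $Hosts -notcontains $hostPart)
}

"{0} binding(s) found, {1} stale" -f @($all).Count, @($stale).Count
foreach ($b in $stale) {
    # netsh uses hostnameport= for SNI bindings and ipport= for address bindings
    $arg = if ($b.Kind -eq 'Hostname:port') { 'hostnameport' } else { 'ipport' }
    "  stale: $($b.Endpoint) bound to $($b.Hash)  ->  netsh http delete sslcert $arg=$($b.Endpoint)"
    if ($Remove) { & netsh http delete sslcert "$arg=$($b.Endpoint)" }
}
```

Review the reported list before running with -Remove: an IP:port binding with a different hash may belong to another service on the same box rather than to AD FS, and the commenter's fix only touched the old farm name's hostnameport entries on 443 and 49443.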

  • Saved my day. Thank you

  • Thanks to all who contributed to this and especially Scott R.; the netsh commands did the trick to get the cert back in and functioning.

    One other thing to note: in my case, when copying the Set-AdfsSslCertificate command from Notepad into my PS window, there was a little garbage character ahead of the thumbprint that was causing the command to fail. Didn't see it the first 2 times I tried... darn Surface 2 small screen and tired eyes!

  • Just used this article and it was helpful. Thank You.

  • Thank you so much!

    If the "Get-AdfsSslCertificate" shows only the old certificate, get the thumbprint of the new certificate using mmc's Certificates snap-in, and then use it with the "Set-AdfsSslCertificate -Thumbprint" command.
