In my test environment I wanted to replace self-signed certificates with publicly trusted ones.
Follow these steps if you want to achieve the same:
(The following commands also have to be run; thanks to Jaguar, who pointed this out in a comment.)
Optionally, when using Web Application Proxies:
Consider leaving a reply in case this post helped you. Thanks!
As part of our deployment of ADFS 3.0 (to replace our ADFS 1.1), we had to replace the first SSL certificate that we cut. After doing the usual process (including replacing it in the ADFS console), our federation proxies could not talk to the internals. Neither could my workstation using a hosts file to communicate directly to one of the internal FS servers. Looking at the ADFS Admin log (or the Debug log), it showed a yellow on a thumbprint that it could not find. This is what we had to do:
1. Get the thumbprint of the replacement SSL cert.
2. Copy it to notepad and remove the spaces.
3. Open PowerShell on one of the FS servers.
4. Run Get-AdfsSslCertificate. This showed the thumbprint still "stuck" in ADFS, the old one.
5. Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx (without spaces).
6. Restart the ADFS service on both internal FS servers and all was well again.
Sounds like a bug to me. Regards,
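The thumbprint swap described in the comment above, as an added PowerShell example that is not part of the original post or of any commenter's text. It assumes the replacement certificate is already installed in the LocalMachine\My store of the federation server you run it on, and that `$NewCertSubject` (a placeholder) matches that certificate's subject. It reads the thumbprint from the certificate object, so the copy-to-notepad-and-strip-spaces step is not needed, and it re-reads the bindings afterwards to confirm nothing is still pointing at the old certificate.

```powershell
# Added example (not from the blog post or comments): rebind ADFS 3.0 to a
# newly installed SSL certificate and verify the change on this node.
# Assumption: the new certificate with private key is already in LocalMachine\My.
$NewCertSubject = 'CN=adfs.example.com'   # placeholder, adjust to your subject

# Pick the newest unexpired certificate for that subject that has a private key.
$NewCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -eq $NewCertSubject -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $NewCert) { throw "No usable certificate found for $NewCertSubject" }

# X509Certificate2.Thumbprint is already an uppercase hex string without spaces.
$NewThumbprint = $NewCert.Thumbprint

# Show what ADFS is bound to right now (one entry per hostname/port binding).
$Current = Get-AdfsSslCertificate
$Current | Format-Table HostName, PortNumber, CertificateHash -AutoSize

if ($Current.CertificateHash -contains $NewThumbprint) {
    Write-Host "ADFS SSL bindings already use $NewThumbprint; nothing to do."
}
else {
    # The binding is per node: run this on every internal federation server.
    Set-AdfsSslCertificate -Thumbprint $NewThumbprint
    Restart-Service adfssrv

    # Re-read the bindings and flag any that still carry an old hash.
    $Stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $NewThumbprint }
    if ($Stale) {
        Write-Warning 'Some bindings still reference an old certificate:'
        $Stale | Format-Table HostName, PortNumber, CertificateHash -AutoSize
    }
    else {
        Write-Host "All ADFS SSL bindings on this node now use $NewThumbprint."
    }
}
```

The old certificate is left in the store on purpose; remove it only after every federation server and proxy has been rebound and the Admin log no longer reports the old thumbprint.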
Not a bug. Since there is no IIS, that step has been replaced with PowerShell; you have to do something similar on the Proxies as well. In addition, we ran into the following:
1. We used our current code signing certificate from DigiCert for the new system - and used it for the token decryption certificate.
2. Our testing showed that WIA worked but FBA did not - the web form simply refreshed at login. A yellow warning appeared in the log about discarding corrupt cookie.
3. After 3.5 days with our MCS engineer and PSS top-level support, the issue was that the code signing cert did not have the key usage/enhanced key usage terminology required for the token decryption cert.
4. We generated a self-signed cert with the proper terminology and the issue was resolved.
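A pre-flight check for the problem described in the comment above, as an added PowerShell example that is not the commenter's code. It reads the Key Usage and Enhanced Key Usage extensions of a candidate certificate and reports whether it looks suitable as a token-decrypting certificate before you assign it. It assumes `$CandidateThumbprint` (a placeholder) identifies a certificate in LocalMachine\My, and it treats "Key Encipherment must be present" as the decisive test; that requirement is this example's assumption about what a decryption key needs, not a rule quoted from the page, so confirm it against Microsoft's guidance for your ADFS version.

```powershell
# Added example (not from the comments): inspect a certificate's Key Usage and
# Enhanced Key Usage before using it as the ADFS token-decrypting certificate.
# Assumption: a decryption certificate needs the Key Encipherment key usage,
# which a typical code-signing certificate (Digital Signature only) lacks.
using namespace System.Security.Cryptography.X509Certificates

function Test-AdfsDecryptionCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $Cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    $KuExt  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $EkuExt = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }

    # Absent Key Usage extension means no restriction (RFC 5280), so treat as OK.
    $HasKeyEncipherment = (-not $KuExt) -or
        (($KuExt.KeyUsages -band [X509KeyUsageFlags]::KeyEncipherment) -ne 0)

    $EkuList = @()
    if ($EkuExt) {
        $EkuList = $EkuExt.EnhancedKeyUsages | ForEach-Object { "$($_.FriendlyName) ($($_.Value))" }
    }
    # 1.3.6.1.5.5.7.3.3 is the Code Signing EKU OID.
    $CodeSigningOnly = $EkuExt -and
        ($EkuExt.EnhancedKeyUsages.Count -eq 1) -and
        ($EkuExt.EnhancedKeyUsages[0].Value -eq '1.3.6.1.5.5.7.3.3')

    [pscustomobject]@{
        Subject            = $Cert.Subject
        Thumbprint         = $Cert.Thumbprint
        HasPrivateKey      = $Cert.HasPrivateKey
        KeyUsage           = if ($KuExt) { $KuExt.KeyUsages.ToString() } else { '(none: unrestricted)' }
        EnhancedKeyUsage   = if ($EkuList) { $EkuList -join ', ' } else { '(none: unrestricted)' }
        HasKeyEncipherment = $HasKeyEncipherment
        CodeSigningOnly    = [bool]$CodeSigningOnly
        LooksUsable        = $Cert.HasPrivateKey -and $HasKeyEncipherment -and -not $CodeSigningOnly
    }
}

$CandidateThumbprint = 'PLACEHOLDER_THUMBPRINT'   # placeholder, adjust
$Result = Test-AdfsDecryptionCertificate -Thumbprint $CandidateThumbprint
$Result | Format-List

if (-not $Result.LooksUsable) {
    Write-Warning 'Certificate does not look suitable as a token-decrypting certificate; issue or request one with Key Encipherment before assigning it.'
}
```

Running this against the code-signing certificate from the comment would report Key Usage `DigitalSignature`, a single Code Signing EKU, and `LooksUsable = False`, which is the mismatch that took several days of support calls to identify.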
Jaguar, great stuff! Saved me a huge headache. Running your commands fixed my issue. Massive thanks!
Oh what a lovely post. Many thanks. I am still stuck.
I had a publicly trusted wildcard cert for my domain (it worked for OWA, SharePoint, OA, and I could also use it for ADFS and WAP). Brilliant. BUT when I got to device registration I found I need a SAN on the certificate called enterpriseregistration.mydomain.com.
Since my cert comes from GoDaddy, I can't have a SAN on a wildcard cert, so I will have to use a UCC SAN cert instead.
Before I rekey a certificate, are there any other SANs I need (apart from SIP, OWA, EDGE, MAIL, AUTODISCOVER, ENTERPRISEREGISTRATION...)?
Thanks Jaguar, the blog post is incomplete indeed, I had to run your Set-AdfsSslCertificate command to complete the configuration.
Just had to do this and it's saved me so many problems - you sir are a star!
Thx a lot, worked!
Many thanks for this article, saved me a lot of headaches trying to figure out the cert updating process.