By default in AD FS 2.0, the self-signed certificates generated by AutoCertificateRollover are valid for 365 days. Although AD FS 2.0 will maintain these certificates for the service, it is the responsibility of the AD FS 2.0 administrator or the Claims Proivder/Relying Party partner administrator to ensure that these certificates remain trusted by all partners.
Contoso has a Federation Service running AD FS 2.0 with AutoCertificateRollover enabled. The Contoso administrator does not need to perform any manual tasks to ensure that the Contoso token-signing and token-decrypting certificates will be automatically renewed since AutoCertificateRollover will perform this function automatically. The Contoso AD FS 2.0 Federation Service will also automatically advertise the new certificates in its Federation Metadata document so that partners who can consume Federation Metadata can automatically know about and trust the new certificates.
However, Contoso has a Relying Party Trust with Fabrikam, and Fabrikam's Relying Party application is not designed to consume Federation Metadata. In order for Fabrikam's application to trust Contoso's new certificates, manual intervention by the Fabrikam administrator is required. The Fabrikam administrator must coordinate with the Contoso administrator for certificate replacement to ensure limited downtime of their application.
In this example scenario, Contoso and Fabrikam administrators will need to schedule maintenance for the trust relationship between the Contoso AD FS 2.0 service and the Fabrikam application, and they may wish to perform this maintenance less frequently than 365 days (the default certificate duration). The Contoso AD FS 2.0 administrator can modify the duration of the AutoCertificateRollover certificates to allow for less frequent maintenance with Contoso's partners.
1. Launch an administrative Powershell console window
2. Add the AD FS 2.0 Powershell snap-in:
3. Set the CertificateDuration property in the Federation Service Properties:
Set-AdfsProperties -CertificateDuration integer-number-in-days
Example for a 3-year certificate duration
Set-AdfsProperties -CertificateDuration 1095
The next time AutoCertificateRollover reaches its replacement threshold, new token-signing and token-decrypting certificates will be generated with the new duration.
Note: If you would like to immediately generate new self-signed certificates with the modified duration, execute the following command: