ADFS Signing cert renewal Help

  • Question

  • Can you please provide steps to replace new SSO cert with old certificate? Current ADFS SSO signing and decrypting certs are expiring in the next 30 days. I have new certs from Network Solutions.

    We are sending new ADFS SSO certs to all external vendors. Do they need to install the new cert on their end after I install the new certs on the ADFS servers? Or can they install the new certs in advance without deleting the old cert? Please help. Thanks for your time.

    Friday, May 17, 2019 7:13 PM

All replies

  • What do you call SSO cert?

    If it is the TLS cert, there is nothing to do with the parties.

    If that's the token signing cert (I guess it is because you refer to it in the title) then yes, they will have to update it.

    By default, the renewal is automatic. Did you disable this?

    If it is still enabled, you'll see that a second certificate will appear in the GUI. During that time, the new cert will be published in the FederationMetadata.xml but not used to sign tokens. This leaves a bit of time for the relying party trusts to update their configuration to accept both certificates. Shortly before the expiration of the current certificate, the new one will be "promoted" as the primary and ADFS will sign tokens with that new one. At this stage, if the relying parties have not updated their configuration, it will be broken.
    Also, if an application does not support multiple certificates at one time, then you will have to sync with them to update their config when your new cert gets promoted.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Sunday, May 19, 2019 12:34 AM
  • Thanks for your help.

    It's a signing and decryption cert. We are not using the automatic cert renewal method and it's set to the disabled state. We have procured a wildcard cert from Network Solutions and are not using the default internal server-generated cert.

    Sunday, May 19, 2019 4:10 AM
  • Hello, 

    Go to this document and follow the steps to add the certificates

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ts-td-certs-ad-fs#if-youre-not-using-self-signed-certificates

    Hope this helps,

    Isaac


    Isaac Oben MCITP:EA, MCSE, MCC. View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard

    Monday, May 20, 2019 5:45 AM
  • Thanks Isaac. Can I install the new certs in advance and make them primary in the prod cert cutover window? Can other vendors install the certs in advance, or do they need to install them after I make the new cert primary on the ADFS side?

    Also can you please tell me the procedure to update new certs on Microsoft Office 365 Identity Platform?

    Thanks for your help. 

    Thursday, May 23, 2019 9:40 PM
  • Hi

    If you have created certificates for token signing and token decrypting, you add/mark those certificates in ADFS as secondary. If relying parties are configured to monitor changes in ADFS, they will pick up the same certificate using the metadata URL. As per my knowledge, some relying parties support multiple certificates, some do not. So you need to send them clear intimation of when you are going to switch over to the new certificate as primary.

    DD


    Wednesday, June 5, 2019 5:38 PM
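As an added worked example (not posted by anyone in this thread), the manual rollover the two answers above describe maps onto the AD FS PowerShell module like this: confirm automatic rollover is off, publish the new certificate as secondary so it shows up in FederationMetadata.xml, list the relying party trusts that will not pick it up on their own, and only then, in the agreed window, promote it. It assumes the new certificate is already installed in the AD FS server's LocalMachine\My store with the service account able to read the private key; the thumbprint is a placeholder.

```powershell
# Added example: manual token-signing / token-decrypting rollover on an AD FS farm
# with AutoCertificateRollover disabled. Run on the primary AD FS server as an admin.
# Assumption: the new cert is already in LocalMachine\My and the AD FS service
# account has read access to its private key. Placeholder thumbprint below.
$NewThumbprint = 'NEW_CERT_THUMBPRINT_PLACEHOLDER'

# 1. Confirm automatic rollover is really off. With it enabled AD FS manages the
#    secondary certificate itself and Add-AdfsCertificate is refused.
$props = Get-AdfsProperties
if ($props.AutoCertificateRollover) {
    throw 'AutoCertificateRollover is enabled; disable it first: Set-AdfsProperties -AutoCertificateRollover $false'
}

# 2. Publish the new certificate as SECONDARY for both roles. It now appears in
#    FederationMetadata.xml, but tokens are still signed/encrypted with the primary,
#    so nothing breaks yet and relying parties have time to trust both.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Add-AdfsCertificate -CertificateType $type -Thumbprint $NewThumbprint
}

# 3. Review the primary/secondary pair per role together with expiry dates.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-AdfsCertificate -CertificateType $type |
        Select-Object CertificateType, IsPrimary, Thumbprint,
            @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
}

# 4. Relying party trusts that are NOT monitoring metadata (or not auto-updating)
#    will never see the new cert by themselves; these are the vendors who must
#    install it out of band before the cutover.
Get-AdfsRelyingPartyTrust |
    Where-Object { -not ($_.MonitoringEnabled -and $_.AutoUpdateEnabled) } |
    Select-Object Name, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled

# 5. Cutover (run only once every relying party has confirmed). The new cert
#    becomes primary; the old one drops to secondary and can be removed with
#    Remove-AdfsCertificate after the last vendor has switched.
# foreach ($type in 'Token-Signing', 'Token-Decrypting') {
#     Set-AdfsCertificate -CertificateType $type -Thumbprint $NewThumbprint -IsPrimary
# }
```

Steps 1 to 4 are safe to run ahead of the maintenance window; step 5 is the only change relying parties notice, which is why it is left commented out and tied to the communicated cutover date the answers above insist on.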
  • Thanks for your help. 

    kannan

    Wednesday, June 5, 2019 7:14 PM