How to replace a relying party trust signature certificate

  • Question

  • Hello. I am fairly new to ADFS and we have a relying party trust whose signature certificate is about to expire. Is replacing this cert as simple as going to the Relying Party Trust properties, going to the Signature tab, clicking Add and simply adding the certificate there? Is there anything else that needs to be done? Anything in PowerShell to finish the task?

    Many thanks in advance.

    Wednesday, May 9, 2018 2:45 PM

All replies

  • Yes it is. This will allow your Relying Party Trust to accept RSTs (Request for Security Tokens) signed with either the currently used certificate (that's about to expire) or the new one.

    If your ADFS server doesn't trust the certificate and cannot validate it then you need to either import the intermediate certificate and root CA certificate on each of your ADFS servers... or turn off RST certificate validation:

    Set-AdfsRelyingPartyTrust -TargetName "RP Name" -SigningCertificateRevocationCheck None

    Monday, May 14, 2018 11:33 AM
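    An added PowerShell example of the rollover described in the reply above (not code from the thread): it appends the partner's new request-signing certificate to the trust so both the expiring and the new key are accepted, verifies the result, and later drops the expired one. The trust name "RP Name" and the path C:\certs\rp-new-signing.cer are assumptions.

```powershell
# Added example: roll over a relying party's request-signing certificate in ADFS.
# Assumes the trust is named "RP Name" and the partner's new public certificate
# (no private key needed) was exported to C:\certs\rp-new-signing.cer.
$rpName      = "RP Name"
$newCertPath = "C:\certs\rp-new-signing.cer"

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Load the new certificate from the exported file.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $newCertPath

# Keep the certificates already on the trust (filtering out an empty entry) so
# tokens signed with the old key still validate until the partner cuts over.
$current = @($rp.RequestSigningCertificate | Where-Object { $_ })

if ($current.Thumbprint -contains $newCert.Thumbprint) {
    Write-Host "Certificate $($newCert.Thumbprint) is already configured; nothing to add."
} else {
    # Replace the list with old + new; the RP now accepts either key.
    Set-AdfsRelyingPartyTrust -TargetName $rpName -RequestSigningCertificate ($current + $newCert)
}

# Verify: show subject, thumbprint and expiry of every accepted signing certificate.
(Get-AdfsRelyingPartyTrust -Name $rpName).RequestSigningCertificate |
    Select-Object Subject, Thumbprint, NotAfter

# Later, once the partner signs only with the new key: remove certificates that have
# expired so the trust does not keep accepting a key that should be retired.
$stillValid = @((Get-AdfsRelyingPartyTrust -Name $rpName).RequestSigningCertificate |
    Where-Object { $_.NotAfter -gt (Get-Date) })
if ($stillValid.Count -gt 0) {
    Set-AdfsRelyingPartyTrust -TargetName $rpName -RequestSigningCertificate $stillValid
}
```

    Importing the issuing CA chain on each ADFS server (the first option in the reply) keeps revocation checking in place; setting -SigningCertificateRevocationCheck None removes that check for every signed request the trust receives.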
  • Can it be done during work hours or would a user notice?
    Thursday, June 6, 2019 3:50 PM