Token Certificates Expiring

  • Question

  • Hello everyone, question. Both of our token certificates are expiring and auto cert rollover is false.

    The update-adfscertificate PS command will update both and change the thumbprint, correct?

    If so, the relying party trust needs to update the XML, if I am not mistaken?

    Is there a way to generate other token certs instead of updating the current ones? Then switch to those before the expiry date? Both certs are self-signed.

    Our service communication cert is from a 3rd party.

    Thank you in advance!


    AJ MCTS: SP 2010 Configuration MCSA: Windows 7 If you find this post useful kindly please mark it as an answer :) TY

    Wednesday, January 16, 2019 7:33 PM

Answers

  • Hello

    Because you don't have auto rollover set to true, you will need to manually create the certs before the current ones expire. Yes, the new certs will have new thumbprints and you will need to send these certificates to all the Relying Parties to update on their end as well.

    Please look at the response here to a similar question; I hope this answers your questions.

    https://social.technet.microsoft.com/Forums/en-US/6aaf663a-f87f-437f-b476-b526f2423549/adfs-30-token-singing-certificate-renewal?forum=ADFS


    Isaac Oben MCITP:EA, MCSE, MCC - View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard

    • Marked as answer by itsAboutSp Tuesday, January 22, 2019 2:24 PM
    Thursday, January 17, 2019 5:25 AM
  • The "Update-ADFSCertificate" cmdlet will only generate a new certificate and NOT switch. If you specify the URGENT parameter it will also execute the switch!

    If you want/need self-signed certs, you could also generate your own certs with the script available at:
    https://jorgequestforknowledge.wordpress.com/2015/05/23/generating-self-signed-certificates-for-testing-purposes/



    Cheers,

    Jorge de Almeida Pinto

    Lead Consultant | MVP Enterprise Mobility And Security | IAM Technologies


    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

    • Marked as answer by itsAboutSp Tuesday, January 22, 2019 2:24 PM
    Thursday, January 17, 2019 10:40 PM
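    The manual rollover both answers describe (new self-signed cert added as secondary, thumbprint sent to relying parties, switch before expiry), as an added PowerShell walkthrough that is not from this thread or from Microsoft; it assumes an elevated session on the primary AD FS server, Windows Server 2016 or later for the New-SelfSignedCertificate parameters used, and the placeholder service name sts.example.com.

```powershell
# Added example, not from the thread: manual rollover of the AD FS
# token-signing certificate with AutoCertificateRollover left at $false.
# Assumptions: elevated session on the primary AD FS server, Windows Server
# 2016+ (New-SelfSignedCertificate parameters), placeholder host sts.example.com.
Import-Module ADFS

function Get-TokenCertStatus {
    # Current signing/decrypting certs with remaining validity in days.
    Get-AdfsCertificate |
        Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' } |
        Select-Object CertificateType, IsPrimary, Thumbprint,
            @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
            @{ n = 'DaysLeft'; e = { [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays } }
}
Get-TokenCertStatus | Format-Table -AutoSize

# 1. Create the replacement as a self-signed cert in the machine store.
#    Update-AdfsCertificate (the route in the answers) generates one for you,
#    but only while AutoCertificateRollover is $true; this path leaves the flag alone.
$new = New-SelfSignedCertificate -Subject 'CN=ADFS Signing - sts.example.com' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeyLength 2048 `
    -KeySpec Signature -KeyUsage DigitalSignature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)
# The AD FS service account must have read access to this private key
# (certlm.msc > Manage Private Keys) or the next step fails.

# 2. Register it as SECONDARY: it appears in federation metadata but is not
#    yet used to sign tokens, so nothing breaks while RPs pick it up.
Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $new.Thumbprint

# 3. Every relying party must trust the new signer before the switch. AD FS
#    cannot tell which RPs poll its metadata, so hand all of them the public
#    cert (no private key) or the metadata URL, and record who still has to confirm.
Export-Certificate -Cert $new -FilePath "$env:TEMP\adfs-signing-new.cer" -Type CERT | Out-Null
Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier | Format-Table -AutoSize
"New signer {0}; metadata: https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml" -f $new.Thumbprint

# 4. Once every RP trusts the new cert (and before the old one expires):
#    promote it, and remove the old one only after its outstanding tokens have expired.
function Switch-TokenSigningCert([string]$NewThumbprint) {
    $old = (Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object IsPrimary).Thumbprint
    Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint -IsPrimary
    # Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint $old
    return $old   # keep the old thumbprint for the change record
}
# Switch-TokenSigningCert -NewThumbprint $new.Thumbprint
```

    Token-decrypting certificates follow the same four steps with -CertificateType Token-Decrypting; there the RPs encrypt to your cert, so they must have the new public key before you remove the old one.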

All replies

  • Please check these:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ts-td-certs-ad-fs

    https://blogs.technet.microsoft.com/askpfeplat/2015/01/26/adfs-deep-dive-certificate-planning/


    “Vote As Helpful” and/or “Mark As Answered” - MCSA - MCSE - http://www.ucsteps.com/

    Wednesday, January 16, 2019 8:25 PM