ADFS 3.0 Token Signing Certificate Renewal

  • Question

  • We have two ADFS 3.0 servers installed on Windows 2012 R2 servers. Auto Rollover of the token-signing and decryption certificates is enabled, the certificate duration is set to the default 1-year validity, and I can see that the new certificates were generated last night and are marked as "secondary", so I have 5 more days left before the new certificate rolls over to Primary. In this scenario, I would like to change my new certificate's validity period from 1 year to 10 years. How should I change it?

    The high level plan I can think of:

    1. Remove the newly created certificate (secondary)

    2. Change the certificate duration from 365 days to 3650 days 

    Set-ADFSProperties -CertificateDuration 3650

    3. Create new certificate and make sure it has validity of 10 years

    Update-ADFSCertificate -CertificateType token-signing

    Update-ADFSCertificate -CertificateType token-decrypting

    4. The new certificate should be generated and marked as secondary

    5. On 5th day the new certificate will be promoted as Primary

    6. Share the new certificate to relevant relying parties

    Will this work as expected, or will there be any issues/challenges?

    Wednesday, January 9, 2019 6:40 PM

Answers

  • Hello,

    I have always advised clients to control when and how the token-signing and token-decryption certificates are updated/renewed, because there is always going to be an outage, and depending on the number of RPs you may want to control the process. Here are some suggested modifications to your plan.

    1. Plan an outage/change window (before the current cert expires/rolls over) and get your Relying Party vendors/app owners on standby.

    2. Change the certificate duration from 1 to 10 years:

    Set-ADFSProperties -CertificateDuration 3650 -AutoCertificateRollover $true

    3. Generate/create a new token-signing and encryption certificate with the urgent command. Note, this will REMOVE both the current primary and secondary, and the new certificates will become effective immediately. So you will want to do this when you are ready.

    Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
    Update-AdfsCertificate -CertificateType Token-Signing -Urgent

    4. Export and share the new certificates with the RP vendors/owners etc. to update on their side.


    Isaac Oben MCITP:EA, MCSE, MCC - View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard

    • Marked as answer by Prakashkumaar Thursday, January 10, 2019 2:44 PM
    Thursday, January 10, 2019 6:07 AM
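The plan in the accepted answer, as an added PowerShell walk-through that is not part of the thread: it snapshots the current ADFS rollover settings and certificates before anything is changed, applies the 10-year duration, keeps the destructive `-Urgent` renewal behind an explicit switch so it only runs inside the change window, and afterwards exports the public (DER, no private key) halves of the new primaries for the relying parties while checking that the new validity really is 10 years. `$ExportDir` and `$ApplyRenewal` are hypothetical names; the cmdlets and properties are the ADFS module's own.

```powershell
# Added example, not from the thread. Run in an elevated session on the primary ADFS server.
Import-Module ADFS
$ExportDir    = 'C:\ADFS-Rollover'   # hypothetical export location for the public .cer files
$ApplyRenewal = $false               # set to $true only inside the agreed change window
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

function Get-AdfsCertSummary {
    # One row per installed token-signing / token-decrypting certificate, with its validity span.
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($c in Get-AdfsCertificate -CertificateType $type) {
            [pscustomobject]@{
                Type       = $type
                Primary    = $c.IsPrimary
                Thumbprint = $c.Thumbprint
                NotBefore  = $c.Certificate.NotBefore
                NotAfter   = $c.Certificate.NotAfter
                Years      = [math]::Round(($c.Certificate.NotAfter - $c.Certificate.NotBefore).TotalDays / 365, 1)
            }
        }
    }
}

# 1. Record the rollover settings and certificate state before the change (for verification / rollback).
$props = Get-AdfsProperties
"Before: CertificateDuration={0}d AutoRollover={1} RolloverInterval={2}min PromotionThreshold={3}d" -f
    $props.CertificateDuration, $props.AutoCertificateRollover,
    $props.CertificateRolloverInterval, $props.CertificatePromotionThreshold
Get-AdfsCertSummary | Format-Table -AutoSize

# 2. Duration to 10 years. Only a *newly generated* certificate picks this up,
#    which is why the answer follows with Update-AdfsCertificate.
Set-AdfsProperties -CertificateDuration 3650 -AutoCertificateRollover $true

if ($ApplyRenewal) {
    # 3. -Urgent discards the current primary AND secondary; RPs break until they trust the new certs.
    Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
    Update-AdfsCertificate -CertificateType Token-Signing -Urgent

    # 4. Export the new primaries' public certificates for the RPs and confirm the 10-year validity.
    foreach ($row in Get-AdfsCertSummary | Where-Object Primary) {
        $cert = (Get-AdfsCertificate -CertificateType $row.Type | Where-Object IsPrimary).Certificate
        $path = Join-Path $ExportDir ("adfs-{0}-{1}.cer" -f $row.Type.ToLower(), $row.Thumbprint)
        [IO.File]::WriteAllBytes($path, $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
        if ($row.Years -lt 9.9) { Write-Warning "$($row.Type) primary $($row.Thumbprint) is only $($row.Years) years" }
        "Exported $($row.Type) primary to $path (valid $($row.NotBefore) -> $($row.NotAfter))"
    }
} else {
    "Renewal not applied; set `$ApplyRenewal = `$true inside the change window to run steps 3 and 4."
}
```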

All replies

  • Thank you for your quick response.


    Thursday, January 10, 2019 2:44 PM
  • Thanks again.

    Another quick question.

    According to the auto rollover default parameters, the certificate was generated on 1/8/2019 8:57 PM, so the rollover of secondary to primary would take place after 5 days, i.e. 1/13/2019 8:57 PM. I am very specific about the time stamp. Please confirm.

    Additional info:

    The current primary certificate has a time stamp of 1/28/2019 7:33 PM

    CertificateRolloverInterval - 720 minutes (12 hours)

    Sunday, January 13, 2019 5:26 PM