In grace period for ADFS token signing cert renewal - still no cert

  • Question

  • Hello,

    We are in day 1 of our grace period, for an ADFS server with autorollover set to TRUE.

    Running 'Get-AdfsCertificate -CertificateType Token-Signing' still shows only the primary/currently used certificate. Am I being impatient here? Getting a little anxious as there are only 5 days remaining on the ADFS Federation Services Cert alert in Office 365.

    Thanks.

    Thursday, April 7, 2016 1:35 PM

All replies

  • If you use the MMC ADFS wizard and click on the Certificates link, do you see primary and secondary?

    Thursday, April 7, 2016 6:25 PM
  • If you use the MMC ADFS wizard and click on the Certificates link, do you see primary and secondary?

    In the end I didn't need to check. An hour or so after posting this, I noticed that the secondary certs had been created.

    The thing that concerns me now is the date on which the secondary cert will be promoted to primary.

    The default value of CertificatePromotionThreshold=5 means that the promotion won't occur until 12/4/16 15:31:04

    Our 365 admin console alert has only 5 days remaining - do I trust that the auto-switchover of certificates will occur, or is there any way at all to manually promote the secondary certificate to primary, with PowerShell ahead of the 12/4/16?


    • Edited by MR JH Friday, April 8, 2016 7:28 AM
    Friday, April 8, 2016 7:27 AM
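The two questions in the thread (when will the automatic promotion happen, and can it be forced ahead of time) can both be answered from PowerShell on the primary AD FS server. The script below is an added example, not code posted in the thread: it reads the rollover settings with Get-AdfsProperties, reports the primary and secondary Token-Signing certificates from Get-AdfsCertificate, estimates the promotion date as the secondary's NotBefore plus CertificatePromotionThreshold days (the same arithmetic the poster did by hand), and, only when -ForceRolloverNow is given and confirmed, forces an immediate rollover with Update-AdfsCertificate -Urgent and pushes the new key to the Office 365 federation trust with Update-MsolFederatedDomain. The domain name 'contoso.com' and the use of the MSOnline module are assumptions.

```powershell
# Added example, not part of the original thread.
# Assumes: run as an AD FS administrator on the primary AD FS server (ADFS module
# present), and the MSOnline module installed for the Office 365 step.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Federated Office 365 domain whose trust must learn the new signing key (assumption).
    [string]$FederatedDomain = 'contoso.com',
    # Force an immediate rollover instead of waiting for CertificatePromotionThreshold.
    [switch]$ForceRolloverNow
)

Import-Module ADFS -ErrorAction Stop

function Get-TokenSigningRolloverStatus {
    $props = Get-AdfsProperties
    $certs = Get-AdfsCertificate -CertificateType Token-Signing

    $primary   = $certs | Where-Object { $_.IsPrimary }
    $secondary = $certs | Where-Object { -not $_.IsPrimary }

    $status = [ordered]@{
        AutoCertificateRollover        = $props.AutoCertificateRollover
        # Days before the primary expires at which AD FS generates the new certificate.
        CertificateGenerationThreshold = $props.CertificateGenerationThreshold
        # Days the new certificate stays secondary before AD FS promotes it.
        CertificatePromotionThreshold  = $props.CertificatePromotionThreshold
        PrimaryThumbprint              = $primary.Certificate.Thumbprint
        PrimaryExpires                 = $primary.Certificate.NotAfter
        SecondaryThumbprint            = $null
        EstimatedPromotion             = $null
    }

    if ($secondary) {
        # AD FS promotes the secondary CertificatePromotionThreshold days after creating it;
        # NotBefore of the self-signed certificate is a close proxy for its creation time.
        $status.SecondaryThumbprint = $secondary.Certificate.Thumbprint
        $status.EstimatedPromotion  = $secondary.Certificate.NotBefore.AddDays($props.CertificatePromotionThreshold)
    }

    return [pscustomobject]$status
}

function Invoke-ForcedTokenSigningRollover {
    param([string]$DomainName)

    if (-not (Get-AdfsProperties).AutoCertificateRollover) {
        throw 'AutoCertificateRollover is disabled; use Set-AdfsCertificate -IsPrimary for manually managed certificates instead.'
    }

    # -Urgent generates a NEW self-signed certificate and makes it primary at once (it does
    # not promote the existing secondary). Tokens are signed with the new key immediately,
    # so any relying party that has not yet received it will reject sign-ins until updated.
    Update-AdfsCertificate -CertificateType Token-Signing -Urgent

    # Push the new signing key into the Office 365 federation trust right away.
    Import-Module MSOnline -ErrorAction Stop
    Connect-MsolService
    Update-MsolFederatedDomain -DomainName $DomainName
}

$status = Get-TokenSigningRolloverStatus
$status | Format-List

if ($ForceRolloverNow) {
    if ($PSCmdlet.ShouldProcess('Token-Signing certificate', 'Generate a new certificate and promote it to primary immediately')) {
        Invoke-ForcedTokenSigningRollover -DomainName $FederatedDomain
    }
} elseif (-not $status.SecondaryThumbprint) {
    Write-Warning 'No secondary Token-Signing certificate yet; AD FS generates it CertificateGenerationThreshold days before the primary expires.'
}
```

Run it with no switches first to confirm that a secondary exists and that the estimated promotion date lands before the primary expires; in the poster's case that is the 12/4/16 date, which is what the Office 365 alert is counting down to. Only use -ForceRolloverNow if waiting is not an option, and run Update-MsolFederatedDomain for every federated domain, because a forced promotion invalidates the key Office 365 currently trusts until the trust is refreshed.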