34.2 C
Dubai
Sunday, June 26, 2022
spot_img
HomeAzure Active Directory
Azure Active Directoryx-All Posts-x

Renewing ADFS Token Signing Certificate

By Satheshwaran Manoharan
2
2683

Token signing certificates are standard X509 certificates that are used to securely sign all tokens that the federation server issues. Token decryption certificates are standard X509 certificates that are used to decrypt any incoming tokens. They are also published in federation metadata. Single Sign-on breaks if it expires. In my case, it’s used for several single sign-on Apps like Zscaler / Cisco Jabber. Let’s see how to Extend them to 1 year to 3 years and renew the same and update in zscaler.

ADFS Signing Certificate – Certificates

image

Let’s Extend the duration from 365 to 1095 days which is 3 years

Get-AdfsProperties | fl *cer*
image
Set-AdfsProperties -CertificateDuration 1095
image
Update-AdfsCertificate -CertificateType Token-Decrypting -urgent
Update-AdfsCertificate -CertificateType Token-Decrypting -urgent
image

Certificates are renewed now.

  • Token-Decrypting Certificate
  • Token-Signing Certificate
image

If you wish to disable auto certificate rollover  (let’s not do it. Just FYI )

Set-ADFSProperties -AutoCertificateRollover $false

Replacing SSL Certificate – Set Service Communication Certificate to new one.

Open MMC and Open Certificate Console of Local Machine and go to new certificate and managed private keys. Copy the same permission the old certificate had the service account in my case it was adfs admin and ran 

Set-AdfsSslCertificate -Thumbprint "xxxxx"

it added drs and adfssrv permission on private keys

Renewing ADFS Proxy Certificate – 

Get-WebApplicationProxyApplication | Fl *cer*,*id*
Get-Pfxcertificate c:\cert.pfx

Use above command to gain thumbprint value 

Set-WebApplicationProxyApplication -ExternalCertificateThumbprint "xxx" -ID "xxx"

In my case, I need to use this in my Zscaler Forward proxy. Let’s see how to convert to PEM and use it.

Right Click on ADFS Signing Certificate

Copy to File

Choose Base-64 encoded X.509 (.CER)

image

Use a test Linux server or anything that has open SSL.

image

Took the file out via WinSCP

image

Update on Authentication Settings – Administrator Management –

image

Administration – Authentication Settings.

image

Satheshwaran Manoharanhttps://www.azure365pro.com
Satheshwaran Manoharan is an Microsoft Office Server and Services MVP , Publisher of Azure365pro.com. Specialized in Office365 / Microsoft Exchange / Virtualization , Sathesh is an Messaging Expert supporting/Designing/Deploying many medium size businesses to large enterprises when it comes to Corporate messaging and Virtualization Infrastructure

Related Articles

2 COMMENTS

  1. i did not used the key “urgent”.
    I used the command like “Update-ADFSCertificate -CertificateType token-signing” —-which results a secondary certificate has been created.

    how to i make the secondary to primary?

LEAVE A REPLY

Please enter your comment!
Please enter your name here

EDITOR PICKS

POPULAR POSTS

POPULAR CATEGORY

ABOUT US

Satheshwaran Manoharan is an Microsoft Office Server and Services MVP , Publisher of Azure365pro.com. Specialized in Office365 / Microsoft Exchange / Virtualization , Sathesh is an Messaging Expert supporting/Designing/Deploying many medium size businesses to large enterprises when it comes to Corporate messaging and Virtualization Infrastructure

Contact us: Support@Azure365Pro.com

FOLLOW US

© Azure365Pro.com