Token signing certificates are standard X509 certificates that is used to securely sign all tokens that the federation server issues. Token decryption certificates are standard X509 certificates that is used to decrypt any incoming tokens. They are also published in federation metadata. Single Sign on breaks if it expires. In my case its used for several single sign on Apps like Zscaler / Cisco Jabber. Lets see how to Extend them to 1 year to 3 years and renew the same and update in zscaler.
ADFS Signing Certificate – Certificates
Lets Extend the duration from 365 to 1095 days which is 3 years
Get-AdfsProperties | fl *cer*
Set-AdfsProperties -CertificateDuration 1095
Update-AdfsCertificate -CertificateType Token-Decrypting -urgent
Update-AdfsCertificate -CertificateType Token-Signing -Urgent
Certificates are renewed now.
- Token-Decrypting Certificate
- Token-Signing Certificate
If you wish to disable auto certificate roll over ( Lets not do it. Just FYI )
Set-ADFSProperties -AutoCertificateRollover $false
In my Case i need to use this in my Zscaler Forward proxy. Lets see how to convert to pem and use it.
Right Click on ADFS Signing Certificate
Copy to File
Choose Base-64 encoded X.509 (.CER)
Use a test linux server or any thing has open ssl.
Took the file out via WinSCP
Update on Authentication Settings – Administrator Management –
Administration – Authentication Settings.
i did not used the key “urgent”.
I used the command like “Update-ADFSCertificate -CertificateType token-signing” —-which results a secondary certificate has been created.
how to i make the secondary to primary?
You have turn of adfscertificaterollover
set-ADFSProperties -AutoCertificateRollover $true