Wednesday , September 2 2020

Renewing ADFS Token Signing Certificate

Token signing certificates are standard X509 certificates that is used to securely sign all tokens that the federation server issues. Token decryption certificates are standard X509 certificates that is used to decrypt any incoming tokens. They are also published in federation metadata. Single Sign on breaks if it expires. In my case its used for several single sign on Apps like Zscaler / Cisco Jabber. Lets see how to Extend them to 1 year to 3 years and renew the same and update in zscaler.

ADFS Signing Certificate – Certificates

image

Lets Extend the duration from 365 to 1095 days which is 3 years

Get-AdfsProperties | fl *cer*

image

Set-AdfsProperties -CertificateDuration 1095

image

Update-AdfsCertificate -CertificateType Token-Decrypting -urgent
Update-AdfsCertificate -CertificateType Token-Signing -Urgent

image

Certificates are renewed now.

  • Token-Decrypting Certificate
  • Token-Signing Certificate

image

If you wish to disable auto certificate roll over  ( Lets not do it. Just FYI )

Set-ADFSProperties -AutoCertificateRollover $false

In my Case i need to use this in my Zscaler Forward proxy. Lets see how to convert to pem and use it.

Right Click on ADFS Signing Certificate

Copy to File

Choose Base-64 encoded X.509 (.CER)

image

Use a test linux server or any thing has open ssl.

image

Took the file out via WinSCP

image

Update on Authentication Settings – Administrator Management –

image

Administration – Authentication Settings.

image

About Satheshwaran Manoharan

Satheshwaran Manoharan is an Microsoft Office Server and Services MVP , Publisher of Azure365pro.com. Specialized in Office365 / Microsoft Exchange / Virtualization , Sathesh is an Messaging Expert supporting/Designing/Deploying many medium size businesses to large enterprises when it comes to Corporate messaging and Virtualization Infrastructure

Check Also

OAuth and Microsoft Graph on Exchange on-premises with Hybrid Modern Authentication

Hybrid Modern Authentication (HMA) for Exchange On-Premises is being there for while which has a …

One comment

  1. i did not used the key “urgent”.
    I used the command like “Update-ADFSCertificate -CertificateType token-signing” —-which results a secondary certificate has been created.

    how to i make the secondary to primary?

Leave a Reply

Your email address will not be published.