ADFS 3.0 Remove expiring Token-Signing and Token-Decrypting Certificates

Tudor Coleman
Comments Off on ADFS 3.0 Remove expiring Token-Signing and Token-Decrypting Certificates
February 7, 2017

ADFS 3.0 Remove expiring Token-Signing and Token-Decrypting Certificates

Thank you to Martin Buist @ http://www.martinbuist.com/windows-server-2012r2/how-to-change-token-cer…

Once a year a new token certificate needs to be extended in ADFS. If you have autocertificate enrolment on then this wil happen automaticly. However you need to inform the Relying party trust of the new token certificate if they do not use you adfs xml. Most partys do not use this.

How does it work.

By default the adfs server creates a new certificate 20 days before the primary token certificate expires. 5 days before expiring date the new certificate will be made primary. In this time frame you need to inform your relying party trust and give them the new ADFS certificate.

Lets face it. This is not enough time for most partys in my experience. So we need to extend this. Most of us do not want to do this every year. So let’s make this certificate 10 years.

Log on to you ADFS server and open up a Admin powershell. Put in the following command:

Set-ADFSProperties -CertificateDuration 3650

This will set the new certificate on 10 years. Now here is the catch. Once the certificate has been made. You have 5 days left to inform your relying partys until the new certificate will be made primary. If it is not updated within this time frame that relying party will not work any more.

You can put this on more days but it must not exceed the primary certificate expiration date. For example if you want ADFS to create a new certificate 50 days before. Put in the command

Set-AdfsProperties -CertificateGenerationThreshold 50

If you want more then 5 days. Put in the command

Set-ADFSProperties -CertificatePromotionThreshold 10

You can also create a certificate manually. But keep in mind. Once you create a certificate manually. You have 5 days before your ADFS server makes it primary unless you change this value before you create the new certificate

The following command will create the certificates

Update-ADFSCertificate –CertificateType token-signing

Update-ADFSCertificate –CertificateType token-decrypting

If you create a certificate and want to remove it. You can use the following command
NOTE from Tudor – Turn off rollover first: Set-ADFSProperties -AutocertificateRollover $false

Remove-ADFSCertificate -CertificateType token-signing -Thumbprint

Remove-ADFSCertificate -CertificateType token-decrypting -Thumbprint

NOTE from Tudor – Turn on rollover: Set-ADFSProperties -AutocertificateRollover $True

You can find the has by insert this command

Get-AdfsCertificate –CertificateType token-signing

Get-AdfsCertificate –CertificateType token-decrypting

If you have office 365 it should automaticly pick up the certificates. If it does not you need to update this by using the following powershell commands

$cred = Get-Credential

Import-Module MSonline

Connect-MsolService -Credential $cred

Update-MsolFederatedDomain -DomainName domain.com -SupportMultipleDomain