How to change new AD FS certificate (Service Communications Certificate)

Just noticed that our test environment AD FS certificate will expire soon, so I needed to change it. This blog post walks through the steps needed to change the certificate on AD FS and also on WAP.

First you need to order a new certificate. As we were using GOGETSSL.COM certificates, I first created the request via IIS and then continued the process at GOGETSSL.COM.
Remember that you need the private key too.

Log in to your AD FS server and import the certificate you requested earlier into \LocalMachine\My. Assign read rights on the private key to the AD FS managed service account:

Next we need to check the current certificate thumbprint:

Then start the AD FS console and change the certificate:
AD FS -> Service -> Certificates -> Set Service Communications Certificate…
Choose the new certificate:

Next start PowerShell and check the thumbprint of the new AD FS certificate:

Set the new thumbprint and ensure that it has been changed:


And then restart the AD FS service:


Okay, now we are done with the AD FS server. Next log in to the WAP server and import the new certificate into the same location you used on the AD FS server (\LocalMachine\My).
Check the current certificate:

Check the new certificate thumbprint if you didn't write it down earlier:



Set the new thumbprint and ensure that it has been changed:

And finally restart the AD FS service:


That's it, now test that AD FS is working as expected.
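The PowerShell side of the steps above, as an added example that is not from the original post: it assumes the new certificate has already been imported into \LocalMachine\My with its private key, the thumbprint value is a placeholder to replace with your own, and the Service-Communications certificate is set with Set-AdfsCertificate instead of through the console.

```powershell
# Added example (not from the original post): swap the AD FS Service Communications / SSL
# certificate by thumbprint and verify the change. Run in an elevated PowerShell on the AD FS server.
Import-Module ADFS

$NewThumbprint = 'REPLACE_WITH_NEW_CERT_THUMBPRINT'   # placeholder, not a real value

# Locate the imported certificate in LocalMachine\My and sanity-check it before binding it.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert)               { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import it with the key" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); it will need replacing again soon"
}

# Record the currently bound thumbprints so the change can be confirmed (or rolled back).
$before = Get-AdfsSslCertificate
Write-Host "Current SSL bindings:"
$before | Format-Table HostName, PortNumber, CertificateHash

# Update the Service Communications certificate and the HTTP.sys SSL binding.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $NewThumbprint
Set-AdfsSslCertificate -Thumbprint $NewThumbprint

# Restart AD FS so the new binding takes effect, then confirm every binding uses the new hash.
Restart-Service adfssrv -Force

$after = Get-AdfsSslCertificate
$stale = $after | Where-Object { $_.CertificateHash -ne $NewThumbprint }
if ($stale) {
    Write-Warning "Some bindings still use the old certificate:"
    $stale | Format-Table HostName, PortNumber, CertificateHash
} else {
    Write-Host "All AD FS SSL bindings now use $NewThumbprint"
}

# On the WAP server the equivalent steps use the WebApplicationProxy module (assumption: the
# certificate has already been imported into LocalMachine\My there as well):
#   Get-WebApplicationProxySslCertificate
#   Set-WebApplicationProxySslCertificate -Thumbprint $NewThumbprint
#   Restart-Service adfssrv -Force
```

Keep the old thumbprint from the "before" listing until the federation endpoints have been tested, so the previous binding can be restored with the same Set-* cmdlets if something fails.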


