How to change new AD FS certificate (Service Communications Certificate)

I just noticed that our test environment AD FS certificate will expire soon, so I needed to change it. This blog post will show you the steps needed to change the certificate on AD FS and also on WAP.

First you need to order a new certificate. As we were using GOGETSSL.COM certificates, I first created the request via IIS and then continued the process at GOGETSSL.COM.
Remember that you need the private key too.

Log in to your AD FS server and import the certificate you requested earlier into \LocalMachine\My. Assign read rights on the private key to the AD FS managed service account:

[Screenshot ADFSCert001]

[Screenshot ADFSCert002]

[Screenshot ADFSCert003]

Next we need to check the current certificate thumbprint:

[Screenshot ADFSCert004]

Then start the AD FS console and change the certificate:
AD FS -> Service -> Certificates -> Set Service Communications Certificate…

[Screenshot ADFSCert005]

Choose the new certificate:

[Screenshot ADFSCert006]

Next, start PowerShell and check the thumbprint of the new AD FS certificate:

[Screenshot ADFSCert007]

Set the new thumbprint and ensure that it has been changed:

[Screenshot ADFSCert008]

And then restart the AD FS service:

[Screenshot ADFSCert009]
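The AD FS-side steps above (import, private key permissions, thumbprint check, certificate change, restart) as one PowerShell script. This is an added example, not the original post's screenshots or Microsoft's own documentation; the PFX path, its password and the service account name `CONTOSO\svc_adfs$` are placeholders you must replace. The MMC step ("Set Service Communications Certificate") corresponds to `Set-AdfsCertificate`; the HTTP.sys binding that clients actually connect to is changed with `Set-AdfsSslCertificate`.

```powershell
# Added example (not from the original post): rotate the AD FS service
# communications certificate with PowerShell instead of the MMC console.
# Placeholders: PFX path, PFX password, and the gMSA 'CONTOSO\svc_adfs$'.
# Run in an elevated session on the primary AD FS server.

$PfxPath     = 'C:\Certs\sts.contoso.com.pfx'   # placeholder
$ServiceAcct = 'CONTOSO\svc_adfs$'              # placeholder AD FS service account
$PfxPass     = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import the certificate together with its private key into LocalMachine\My.
$newCert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPass -Exportable:$false

# 2. Give the AD FS service account read access to the private key file.
#    CNG keys are stored under ...\Crypto\Keys, legacy CAPI keys under
#    ...\Crypto\RSA\MachineKeys; the key object tells us which one we have.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($newCert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
icacls $keyFile /grant "$($ServiceAcct):R" | Out-Null

# 3. Record the current and the new thumbprint before changing anything.
$old = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$new = $newCert.Thumbprint
"Old thumbprint: $old"
"New thumbprint: $new"

# 4. Switch AD FS to the new certificate: the service communications
#    certificate (the MMC step) and the TLS binding in HTTP.sys.
Set-AdfsCertificate    -CertificateType Service-Communications -Thumbprint $new
Set-AdfsSslCertificate -Thumbprint $new

# 5. Restart the service and confirm that both settings show the new thumbprint.
Restart-Service adfssrv
$svc = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$ssl = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
if ($svc -ne $new -or $ssl -ne $new) {
    throw "Thumbprint mismatch after change: service=$svc ssl=$ssl expected=$new"
}
"AD FS now uses $new (expires $($newCert.NotAfter))"
```

`Set-AdfsCertificate` is a farm-wide setting and only has to run on the primary server, but the import, the private key permission and `Set-AdfsSslCertificate` configure the local machine and must be repeated on every node of the farm, followed by a restart of `adfssrv` on each.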

Okay, now we are done with the AD FS server. Next, log in to the WAP server and import the new certificate into the same location you used on the AD FS server (\LocalMachine\My).
Check the current certificate:

[Screenshot ADFSCert010]

Check the new certificate thumbprint if you didn't write it down earlier:

[Screenshot ADFSCert011]


Set the new thumbprint and ensure that it has been changed:

[Screenshot ADFSCert012]

[Screenshot ADFSCert013]

And finally restart the AD FS service:

[Screenshot ADFSCert014]

That's it, now test that AD FS is working as expected.
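The WAP-side steps and the final "test that it works" check, again as an added PowerShell example that is not part of the original post. The PFX path, its password and the federation service name `sts.contoso.com` are placeholders. The last part does what a browser test would do, but also compares the thumbprint actually presented on port 443 with the new one, which catches a binding that silently kept the old certificate.

```powershell
# Added example (not from the original post): change the WAP certificate and
# verify the published federation endpoint afterwards.
# Placeholders: PFX path, PFX password, federation service name.
# Run in an elevated session on each WAP server.

$PfxPath = 'C:\Certs\sts.contoso.com.pfx'   # placeholder
$FsName  = 'sts.contoso.com'                # placeholder federation service name
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import the certificate into LocalMachine\My, the same store as on AD FS.
$newCert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPass -Exportable:$false

# 2. Note the current binding and the new thumbprint.
$old = (Get-WebApplicationProxySslCertificate | Select-Object -First 1).CertificateHash
$new = $newCert.Thumbprint
"Old thumbprint: $old"
"New thumbprint: $new"

# 3. Point the proxy bindings at the new certificate and restart the services.
Set-WebApplicationProxySslCertificate -Thumbprint $new
Restart-Service appproxysvc, adfssrv

# 4. Every binding must now report the new thumbprint.
$stale = Get-WebApplicationProxySslCertificate | Where-Object { $_.CertificateHash -ne $new }
if ($stale) {
    throw "Bindings still using the old certificate: $($stale.HostName -join ', ')"
}

# 5. End-to-end check: open a TLS session to the federation service name and
#    compare the certificate the server presents with the one we installed.
$tcp = New-Object System.Net.Sockets.TcpClient($FsName, 443)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$tls.AuthenticateAsClient($FsName)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
$tls.Dispose(); $tcp.Dispose()
if ($served.Thumbprint -ne $new) {
    throw "$FsName presents $($served.Thumbprint), expected $new"
}
"$FsName presents the new certificate (expires $($served.NotAfter))"

# 6. The federation metadata document should be reachable through the proxy.
$resp = Invoke-WebRequest -UseBasicParsing `
    -Uri "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"
"Federation metadata: HTTP $($resp.StatusCode)"
```

`Set-WebApplicationProxySslCertificate` only updates the bindings for the federation service itself. Applications published through WAP carry their own external certificate thumbprint; if the new certificate also covers those host names, check them with `Get-WebApplicationProxyApplication` and update them with `Set-WebApplicationProxyApplication -ExternalCertificateThumbprint`.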
