ADFS: Changing the Certificate

KB ID 0001634

Problem

I needed to change the certificate used by an ADFS server today. I’d used a temporary self-signed wildcard cert to get me up and running; now I needed to replace it with a new, publicly signed one.

I found a number of ways of doing this INCORRECTLY, so hopefully I will save you making the same mistakes!

Solution

Firstly you need to import your certificate, here from a PFX file (if you don’t have a PFX file yet, import the certificate by double-clicking it, then export it, include the private key, and set a password on it). I’ve done this in lots of different articles; just use the search bar above if you get stuck.

To import the certificate, open an administrative command window and execute the following command;

certutil -importpfx certificate-name.pfx AT_KEYEXCHANGE
{supply the pfx password}

Open an administrative PowerShell Window and execute the following command;

Set-ADFSProperties -AutoCertificateRollover $false

ADFS Disable Certificate Rollover

Make sure your certificate has a small key over the icon, or says ‘you have a private key that corresponds to this certificate’. If yours does not, then import it on the server/PC you created the CSR (Certificate Signing Request) on, export it to PFX, then import it using the command above on your ADFS server.

Certificate With Private Key

On your certificate > All Tasks > Manage Private Keys.

Certificates Manage Private Keys

Add > Object Types > Select Service Accounts > Locate and select your ADFS service account. Grant full control.

Allow ADFS gMSA Account Access to Certificate Keys

Launch the AD FS management console > Service > Certificates > Set Service Communication Certificate.

ADFS Change certificate

Select the correct (new) certificate > OK.

ADFS Renew Certificate

On the properties of your new certificate, locate the thumbprint (not the serial number!). Copy it to the clipboard, then execute the following command;

Set-AdfsSslCertificate -Thumbprint {Paste in the thumbprint - minus the spaces!}

ADFS Replace Certificate PowerShell

Then to finish off;

Set-ADFSProperties -AutoCertificateRollover $true
Restart-Service ADFSSRV

ADFS - Restart
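The whole procedure above, as one script for an elevated PowerShell window on the ADFS server. This is an added example, not from the original article: the PFX path, the service account name and the choice to read the thumbprint out of the PFX (instead of copying it from the certificate properties) are my assumptions, and Set-AdfsCertificate -CertificateType Service-Communications is the PowerShell equivalent of the ‘Set Service Communication Certificate’ GUI step. certutil still does the import so the key gets KeySpec AT_KEYEXCHANGE.

```powershell
# Added example (not from the original article). Placeholders: adjust before running.
#Requires -RunAsAdministrator
$PfxPath        = 'C:\Certs\sts-example-com.pfx'   # placeholder: the new publicly signed cert
$PfxPassword    = Read-Host -Prompt 'PFX password' -AsSecureString
$ServiceAccount = 'EXAMPLE\svc_adfs$'              # placeholder ADFS gMSA (trailing $ is part of the name)

# 1. Read the thumbprint straight from the PFX so nothing is copied by hand
#    (thumbprint, not serial number, and no spaces).
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$thumb = $cert.Thumbprint
Write-Host "New certificate: $($cert.Subject)  thumbprint $thumb"

# 2. Import with certutil so the private key is created with KeySpec AT_KEYEXCHANGE;
#    importing another way is what produces the Event ID 550 error.
$plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
certutil -p $plain -importpfx $PfxPath AT_KEYEXCHANGE | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil import failed (exit code $LASTEXITCODE)" }

# 3. Confirm the certificate landed in the machine store together with its private key.
$installed = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $installed.HasPrivateKey) {
    throw 'Imported without a private key: re-export the PFX including the private key and try again'
}

# 4. The 'Manage Private Keys' step: grant the ADFS service account access to the key file.
#    certutil -importpfx creates a CSP (CAPI) key, so the file sits under MachineKeys.
$keyName = $installed.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)   # FullControl as the article instructs; Read is enough for the service to use the key
Set-Acl -Path $keyFile -AclObject $acl

# 5. Stop automatic rollover before touching the service communication certificate.
Set-AdfsProperties -AutoCertificateRollover $false

# 6. Service communication certificate (GUI: Service > Certificates) and the SSL binding.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb
Set-AdfsSslCertificate -Thumbprint $thumb

# 7. Re-enable rollover and restart the service.
Set-AdfsProperties -AutoCertificateRollover $true
Restart-Service adfssrv

# 8. Read back what ADFS is now using; both should show the new thumbprint.
Get-AdfsCertificate -CertificateType Service-Communications | Select-Object CertificateType, Thumbprint, IsPrimary
Get-AdfsSslCertificate
```

Step 4 assumes the key was imported as a CSP key (which AT_KEYEXCHANGE implies); a CNG key lives in a different folder and `$installed.PrivateKey` would be empty, in which case use the GUI step from the article instead.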

Changing ADFS Certificates: Things That Might Go Wrong

Error;

AT_KEYEXCHANGE Error

The ServiceCommunications primary certificate cannot be used because the KeySpec must have a value of AT_KEYEXCHANGE (1).
This value can be changed by reimporting the certificate from a pfx file. From an elevated command prompt, use the command “certutil -importpfx filename.pfx AT_KEYEXCHANGE”. For more information, see http://go.microsoft.com/fwlink/?LinkId=798501

You will also see an Event ID 550

Event ID 550 ADFS

Solution: Import the certificate using the ‘certutil -importpfx certificate-name.pfx AT_KEYEXCHANGE‘ syntax.

Error

ADFS - Rollover enabled

Solution: Disable certificate rollover with the ‘Set-ADFSProperties -AutoCertificateRollover $false’ syntax. (Note: Don’t forget to enable it again afterwards!)
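A pre-flight check for the two failures in this section, plus the private key access from earlier, as an added example that is not part of the original article. It reads the KeySpec from the certificate’s CSP key container (KeyNumber Exchange is AT_KEYEXCHANGE, Signature is AT_SIGNATURE), looks up the account the adfssrv service runs as, and checks whether that account is on the private key file’s ACL and whether AutoCertificateRollover is still on. Run it in an elevated PowerShell window on the ADFS server; the thumbprint in the usage line is a placeholder.

```powershell
# Added example (not from the original article).
function Test-AdfsServiceCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints copied from the certificate dialog carry spaces; strip them.
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # KeySpec is a property of CSP keys: KeyNumber Exchange (1) = AT_KEYEXCHANGE,
    # Signature (2) = AT_SIGNATURE. Signature keys trigger the Event ID 550 error.
    $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
    $keySpec = if ($csp) { $csp.CspKeyContainerInfo.KeyNumber.ToString() }
               else      { 'not a CSP key (CNG, or no private key)' }

    # The account the ADFS service actually runs as, e.g. DOMAIN\gmsa-name$ for a gMSA.
    $svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName

    # Does that account appear on the private key file's ACL?
    # (This is what the 'Manage Private Keys' GUI step writes.)
    $keyAccess = 'unknown (non-CSP key)'
    if ($csp) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                             $csp.CspKeyContainerInfo.UniqueKeyContainerName
        $match = (Get-Acl -Path $keyFile).Access |
                 Where-Object { $_.IdentityReference.Value -eq $svcAccount }
        $keyAccess = if ($match) { ($match.FileSystemRights -join ', ') } else { 'NO ACCESS' }
    }

    [pscustomobject]@{
        Subject              = $cert.Subject
        NotAfter             = $cert.NotAfter
        HasPrivateKey        = $cert.HasPrivateKey
        KeySpec              = $keySpec
        KeySpecOk            = ($keySpec -eq 'Exchange')
        ServiceAccount       = $svcAccount
        ServiceAccountAccess = $keyAccess
        # Must be False before 'Set Service Communication Certificate' will work.
        AutoRolloverEnabled  = (Get-AdfsProperties).AutoCertificateRollover
    }
}

# Usage (placeholder thumbprint; paste the real one from the certificate's Details tab):
Test-AdfsServiceCertificate -Thumbprint '<paste thumbprint here>'
```

If KeySpecOk is False, re-import with ‘certutil -importpfx certificate-name.pfx AT_KEYEXCHANGE’; if ServiceAccountAccess is NO ACCESS, redo the ‘Manage Private Keys’ step; if AutoRolloverEnabled is True, disable it before changing the certificate and re-enable it afterwards.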

Related Articles, References, Credits, or External Links

NA

Author: PeteLong
