Not sure why, but I spend a large amount of time working on certificate problems, being asked questions about certificates, or fixing certificate problems. For certs that are web presented, back in the days of IE I could simply do this.
For those sniggering at my IE use: I typically work on clients’ sites where I can’t go round installing browsers that are not terrible! That was all fine, but now we have (finally, mostly) got rid of IE. How do I do the same with Edge?
I was losing my temper trying to fix my test Exchange server certificates today, because I could not find the same information in Microsoft Edge. As it transpires, the information is there; Microsoft have just done their best to hide it!
Edge View Certificate Information: Solution
You need to click the ‘padlock’ > Connection is Secure > then click the small icon at the top. The certificate details are then displayed on two tabs; the information is not as well formatted as it used to be, but it’s all there.
Related Articles, References, Credits, or External Links
I needed to change the certificate used by an ADFS server today. I’d used a temporary self-signed wildcard cert to get me up and running; now I needed to replace it with a new publicly signed one.
I found a number of ways of doing this INCORRECTLY, so hopefully I will save you making the same mistakes!
Solution
Firstly you need to import your certificate, here from a PFX file (if you need a PFX file, open the certificate by double-clicking it, then export the certificate, include the private key, and set a password on it). I’ve done this in lots of different articles, so just use the search bar above if you get stuck.
Make sure your certificate has a small key over the icon, or says ‘you have a private key that corresponds to this certificate’. If yours does not, then import it on the server/PC you created the CSR (Certificate Signing Request) on, export it to PFX from there, then import it using the command above on your ADFS server.
On your certificate > All Tasks > Manage Private Keys.
Add > Object Types > Select Service Accounts > Locate and select your ADFS service account. Grant full control.
Launch the AD FS management console > Service > Certificates > Set Service Communication Certificate.
Select the correct (new) certificate > OK.
On the properties of your new certificate locate the thumbprint (not the serial number!), copy it to the clipboard, then execute the following command:
[box]
Set-AdfsSslCertificate -Thumbprint {Paste in the thumbprint - minus the spaces!}
[/box]
Note: BEWARE: If you press tab to complete the above command, make sure you DON’T use Set-AdfsCertificate; it’s Set-AdfsSslCertificate (it will accept the wrong command without error, and then won’t work at the end).
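The whole procedure above (import the PFX, check for the private key, grant the service account access to the key, set the service communication certificate, then set the SSL binding) as one PowerShell script. This is an added example, not from the original article; the PFX path, the password prompt and the service account ‘CONTOSO\svc_adfs’ are placeholders you must change, and the private-key ACL step assumes a legacy CSP (RSA) key stored under MachineKeys.

```powershell
# Added example: replace the AD FS service communication certificate from a PFX.
# Run in an elevated PowerShell on the AD FS server. Placeholder values below.
#Requires -RunAsAdministrator
$PfxPath         = 'C:\certs\adfs-wildcard.pfx'   # placeholder path
$PfxPassword     = Read-Host -AsSecureString 'PFX password'
$AdfsServiceAcct = 'CONTOSO\svc_adfs'             # placeholder service account

# 1. Import into the computer's Personal store. -Exportable keeps the key
#    exportable so the cert can be copied to other farm nodes later.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Exportable

# 2. The 'small key over the icon' check: no private key means AD FS cannot use it.
if (-not $cert.HasPrivateKey) {
    throw "No private key for $($cert.Thumbprint). Re-import on the machine that " +
          "created the CSR, export to PFX with the key, and try again."
}

# 3. 'Manage Private Keys' equivalent: grant the service account Full Control on
#    the key file. Legacy CSP keys live under MachineKeys; CNG keys do not expose
#    CspKeyContainerInfo, so fall back to the GUI in that case.
$cspInfo = $cert.PrivateKey.CspKeyContainerInfo
if ($cspInfo) {
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($cspInfo.UniqueKeyContainerName)"
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $AdfsServiceAcct, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
} else {
    Write-Warning "CNG key detected: grant $AdfsServiceAcct Full Control via certlm.msc > Manage Private Keys."
}

# 4. Two different cmdlets for two different things (the tab-completion trap):
#    Set-AdfsCertificate changes the AD FS *service communication* certificate,
#    Set-AdfsSslCertificate changes the HTTP.sys *SSL binding*. Both are needed.
#    $cert.Thumbprint is already free of the spaces shown in the GUI.
Set-AdfsCertificate    -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint

# 5. Restart AD FS and confirm the binding now shows the new thumbprint.
Restart-Service -Name adfssrv
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
```

If the import succeeds but AD FS later logs Event ID 550 about KeySpec, re-import with the certutil -importpfx … AT_KEYEXCHANGE command described in the next section and re-run from step 3.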
Changing ADFS Certificates: Things That Might Go Wrong
Error;
The ServiceCommunications primary certificate cannot be used because the KeySpec must have a value of AT_KEYEXCHANGE (1).
This value can be changed by reimporting the certificate from a pfx file. From an elevated command prompt, use the command “certutil -importpfx filename.pfx AT_KEYEXCHANGE”. For more information, see http://go.microsoft.com/fwlink/?LinkId=798501
You will also see Event ID 550.
Solution: Import the certificate using the ‘certutil -importpfx certificate-name.pfx AT_KEYEXCHANGE’ syntax.
Error
Solution: Disable certificate rollover with the ‘Set-ADFSProperties -AutoCertificateRollover $false’ syntax. (Note: Don’t forget to enable it again afterwards!)
Related Articles, References, Credits, or External Links
When attempting to import a certificate into Exchange last week, this happened:
A special Rpc error occurs on the server {Server-Name}: Cannot import certificate. A certificate with the thumbprint {Thumbprint} already exists.
Solution
This is a symptom of another problem: the certificate WAS previously imported, but it can’t be seen in the Exchange Admin Console (the reason in that case was that the certificate was missing its private key). Or this problem can exist because the certificate was imported manually, outside of Exchange.
Locate and delete the duplicate certificate (Note: here you can see the cert is missing its private key, as the key is visibly absent from the certificate’s icon). That will need to be corrected before you attempt to re-import this certificate, or it won’t be visible in the Exchange Admin Console, nor in the output of Get-ExchangeCertificate in a PowerShell window.
Related Articles, References, Credits, or External Links
Exchange 2010 installs with its own (self-signed) certificate. To stay free of security errors and warnings, the best bet is to purchase a “publicly signed” digital certificate and use that.
The following process uses the Exchange Management Console to create a CSR (Certificate Signing Request), and then shows what to do with the certificate when it has been sent back to you.