KB ID 0001634
Problem
I needed to change the certificate used by an ADFS server today. I'd used a temporary self-signed wildcard cert to get up and running; now I needed to replace it with a new publicly signed one.
I found a number of ways of doing this INCORRECTLY, so hopefully I will save you making the same mistakes!
Solution
Firstly you need to import your certificate, here from a PFX file. (If you need a PFX file: import the certificate by double-clicking it, then export it, include the private key, and set a password on it. I've done this in lots of different articles, so use the search bar above if you get stuck.)
To import the certificate, open an administrative command window and execute the following command;
certutil -importpfx certificate-name.pfx AT_KEYEXCHANGE {supply the pfx password}
Open an administrative PowerShell Window and execute the following command;
Set-ADFSProperties -AutoCertificateRollover $false
Make sure your certificate has a small key over the icon, or says 'You have a private key that corresponds to this certificate'. If yours does not, import it on the server/PC you created the CSR (Certificate Signing Request) on, then export it to PFX, then import it using the command above on your ADFS server.
On your certificate > All Tasks > Manage Private Keys.
Add > Object Types > Select Service Accounts > Locate and select your ADFS service account. Grant full control.
Launch the AD FS management console > Service > Certificates > Set Service Communication Certificate.
Select the correct (new) certificate > OK.
On the properties of your new certificate, locate the thumbprint (not the serial number!). Copy it to the clipboard, then execute the following command;
Set-AdfsSslCertificate -Thumbprint {Paste in the thumbprint - minus the spaces!}
Note: BEWARE: If you press tab to complete the above command, make sure you DON'T use Set-AdfsCertificate; it's Set-AdfsSslCertificate (the wrong command will be accepted without error, and then it won't work at the end).
Then to finish off;
Set-ADFSProperties -AutoCertificateRollover $true
Restart-Service ADFSSRV
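As an added PowerShell example (not from the original article), the whole procedure above in one function, with the checks that catch the mistakes this page describes: a thumbprint pasted with spaces, a certificate with no private key, and a KeySpec that is not AT_KEYEXCHANGE. The function name Update-AdfsServiceCert, its parameters and the sample account name are my assumptions; it assumes an elevated Windows PowerShell session on the ADFS server with .NET 4.6 or later, after the PFX has already been imported with certutil.

```powershell
# Added example, not the article's own code. Assumed: function and parameter
# names are mine; all cmdlets used are the real ADFS / built-in ones.
function Update-AdfsServiceCert {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,     # as copied from the cert dialog
        [Parameter(Mandatory)][string]$ServiceAccount  # e.g. 'CONTOSO\svc_adfs' (placeholder)
    )
    # The MMC copies the thumbprint with spaces and often an invisible
    # left-to-right mark (U+200E) in front; keep only the hex digits.
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($thumb.Length -ne 40) { throw "'$Thumbprint' is not a 40-hex-digit SHA-1 thumbprint." }

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert)               { throw "No certificate $thumb in LocalMachine\My." }
    if (-not $cert.HasPrivateKey) { throw "No private key; re-import the PFX on this server." }

    # KeySpec check for the Event ID 550 error: ADFS wants AT_KEYEXCHANGE (1).
    # Only CSP keys carry a KeySpec; RSACryptoServiceProvider exposes it as KeyNumber.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        if ($rsa.CspKeyContainerInfo.KeyNumber -ne 'Exchange') {
            throw "KeySpec is not AT_KEYEXCHANGE; re-import with 'certutil -importpfx <file>.pfx AT_KEYEXCHANGE'."
        }
        # Equivalent of Manage Private Keys > add service account > Full Control:
        # the CSP key lives as a file under MachineKeys, so grant on that file.
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                             $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        icacls $keyFile /grant "${ServiceAccount}:(F)" | Out-Null
    } else {
        Write-Warning "Key is CNG-stored; KeySpec check and MachineKeys ACL step skipped, do them manually."
    }

    Set-AdfsProperties -AutoCertificateRollover $false
    Set-AdfsCertificate    -CertificateType Service-Communications -Thumbprint $thumb
    Set-AdfsSslCertificate -Thumbprint $thumb   # NOT Set-AdfsCertificate (see the note above)
    Set-AdfsProperties -AutoCertificateRollover $true
    Restart-Service adfssrv

    # Verify: the SSL bindings and the service communications cert must both show the new hash.
    [pscustomobject]@{
        Expected     = $thumb
        SslBindings  = (Get-AdfsSslCertificate | Select-Object -ExpandProperty CertificateHash -Unique)
        ServiceComms = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
    }
}

# Usage (placeholder values):
# Update-AdfsServiceCert -Thumbprint 'ab cd 12 ...' -ServiceAccount 'CONTOSO\svc_adfs'
```

If the three values in the returned object do not all match, the binding that differs is the one still pointing at the old certificate.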
Changing ADFS Certificates: Things That Might Go Wrong
Error;
The ServiceCommunications primary certificate cannot be used because the KeySpec must have a value of AT_KEYEXCHANGE (1).
This value can be changed by reimporting the certificate from a pfx file. From an elevated command prompt, use the command “certutil -importpfx filename.pfx AT_KEYEXCHANGE”. For more information, see http://go.microsoft.com/fwlink/?LinkId=798501
You will also see an Event ID 550
Solution: Import the certificate using the 'certutil -importpfx certificate-name.pfx AT_KEYEXCHANGE' syntax.
Error
Solution: Disable certificate rollover with the 'Set-ADFSProperties -AutoCertificateRollover $false' syntax. (Note: Don't forget to enable it again afterwards!)
Related Articles, References, Credits, or External Links
NA
08/01/2020
Thanks!!!!
23/11/2020
Thanks, very good article
25/11/2020
Thank you !
Very good article.
24/01/2021
I was changing the certificate because at the time I did not include "certauth." as an alternate subject name. So after changing the certificate you need to run in admin PowerShell:
Set-AdfsAlternateTlsClientBinding -Member ADFS1.contoso.com -Thumbprint ”
25/04/2021
Thanks a lot. Really appreciated your work here. Saved me many hours of troubleshooting.
27/07/2021
“if you want a PFX file import by double clicking the certificate, then export the certificate”
It is not possible to export a cert that does not already have the private key … 🙁
27/07/2021
Hi Jack, that's correct, that's pretty much how certs work; you need to repair the cert with certutil (search above for 'key missing'), or make sure you seed the CSR with the key from the server that's going to be using it. (Or use OpenSSL.)
11/01/2024
Thank you!!!
18/12/2024
Please never delete this… 😛
18/12/2024
OK not a problem! 😀