ADFS: Changing the Certificate

KB ID 0001634

Problem

I needed to change the certificate used by an ADFS server today. I’d used a temporary self-signed wildcard cert to get up and running; now I needed to replace it with a new publicly signed one.

I found a number of ways of doing this INCORRECTLY, so hopefully I will save you making the same mistakes!

Solution

Firstly you need to import your certificate, here from a PFX file (if you need a PFX file, import the certificate by double-clicking it, then export it again, include the private key, and set a password on it). I’ve done this in lots of different articles, just use the search bar above if you get stuck.

To import the certificate, open an administrative command window and execute the following command;

certutil -importpfx certificate-name.pfx AT_KEYEXCHANGE
{supply the pfx password}

Open an administrative PowerShell Window and execute the following command;

Set-ADFSProperties -AutoCertificateRollover $false

ADFS Disable Certificate Rollover

Make sure your certificate has a small key over the icon, or says ‘You have a private key that corresponds to this certificate’. If yours does not, then import it on the server/PC you created the CSR (Certificate Signing Request) on, export it to PFX from there, then import it using the command above on your ADFS server.

Certificate With Private Key

On your certificate > All Tasks > Manage Private Keys.

Certificates Manage Private Keys

Add > Object Types > Select Service Accounts > Locate and select your ADFS service account. Grant full control.

Allow ADFS gMSA Account Access to Certificate Keys

Launch the AD FS management console > Service > Certificates > Set Service Communication Certificate.

ADFS Change certificate

Select the correct (new) certificate > OK.

ADFS Renew Certificate

On the properties of your new certificate, locate the thumbprint (not the serial number!) and copy it to the clipboard, then execute the following command;

Set-AdfsSslCertificate -Thumbprint {Paste in the thumbprint - minus the spaces!}

Note: BEWARE: if you press Tab to complete the above command, make sure you DON’T end up with Set-AdfsCertificate; it’s Set-AdfsSslCertificate (the wrong cmdlet will be accepted without error, and the change simply won’t work at the end).

ADFS Replace Certificate PowerShell

Then to finish off;

Set-ADFSProperties -AutoCertificateRollover $true
Restart-Service ADFSSRV

ADFS - Restart
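The whole procedure above as one script, added here as an example and not part of the original article. It assumes the new certificate has already been imported with certutil -importpfx ... AT_KEYEXCHANGE (so it is a CSP key), that the ADFS PowerShell module is present, and that the subject string is a placeholder for your own certificate; it checks KeySpec and the private-key ACL before touching ADFS, and verifies both bindings afterwards.

```powershell
# Added example (not the article's own code). Run in an elevated PowerShell on the ADFS server.
$SubjectMatch = 'CN=adfs.example.com'   # placeholder: subject of YOUR new certificate

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches $SubjectMatch" }

# KeySpec check: ADFS needs AT_KEYEXCHANGE (1). For a CSP key .NET exposes this as
# CspKeyContainerInfo.KeyNumber (Exchange = 1); a CNG key has no CspKeyContainerInfo at all.
$csp = try { $cert.PrivateKey.CspKeyContainerInfo } catch { $null }
if (-not $csp -or $csp.KeyNumber -ne 'Exchange') {
    throw "KeySpec is not AT_KEYEXCHANGE; re-import with 'certutil -importpfx file.pfx AT_KEYEXCHANGE'"
}

# Private-key ACL check: the service account must be able to read the key file
# (the GUI equivalent is All Tasks > Manage Private Keys). Machine CSP RSA keys live under MachineKeys.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($csp.UniqueKeyContainerName)"
$acctName = $svcAccount.Split('\')[-1]
if (-not ((Get-Acl $keyFile).Access | Where-Object { $_.IdentityReference -like "*$acctName*" })) {
    Write-Warning "$svcAccount has no ACE on $keyFile; grant it via Manage Private Keys first"
}

# A thumbprint pasted from the certificate GUI carries spaces; the store object's does not.
$thumb = ($cert.Thumbprint -replace '\s', '').ToUpper()

Set-AdfsProperties -AutoCertificateRollover $false
# Equivalent of the console's "Set Service Communication Certificate"
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb
# The SSL binding is a separate, differently named cmdlet; using only the line above is the classic mistake
Set-AdfsSslCertificate -Thumbprint $thumb
Set-AdfsProperties -AutoCertificateRollover $true
Restart-Service adfssrv

# Verify that every SSL binding and the service communications certificate now use the new thumbprint
$badSsl = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $thumb }
$badSvc = Get-AdfsCertificate -CertificateType Service-Communications | Where-Object { $_.Thumbprint -ne $thumb }
if ($badSsl -or $badSvc) { throw "Certificate change incomplete; inspect Get-AdfsSslCertificate / Get-AdfsCertificate" }
```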

Changing ADFS Certificates: Things That Might Go Wrong

Error;

AT_KEYEXCHANGE Error

The ServiceCommunications primary certificate cannot be used because the KeySpec must have a value of AT_KEYEXCHANGE (1).
This value can be changed by reimporting the certificate from a pfx file. From an elevated command prompt, use the command “certutil -importpfx filename.pfx AT_KEYEXCHANGE”. For more information, see http://go.microsoft.com/fwlink/?LinkId=798501

You will also see an Event ID 550

Event ID 550 ADFS

Solution: Import the certificate using the ‘certutil -importpfx certificate-name.pfx AT_KEYEXCHANGE’ syntax.

Error

ADFS - Rollover enabled

Solution: Disable certificate rollover with the ‘Set-ADFSProperties -AutoCertificateRollover $false’ syntax. (Note: Don’t forget to enable it again afterwards!)

Related Articles, References, Credits, or External Links

NA

Author: PeteLong


8 Comments

  1. Thank you !

    Very good article.

  2. I was changing the certificate because at the time I did not include “certauth.” as an alternate subject name. So after changing the certificate you need to run in an admin PowerShell:
    Set-AdfsAlternateTlsClientBinding -Member ADFS1.contoso.com -Thumbprint ”

  3. Thanks a lot. Really appreciated your work here. Saved me many hours of troubleshooting.

  4. “if you want a PFX file import by double clicking the certificate, then export the certificate”
    It is not possible to export a cert that does not already have the private key … 🙁

    • Hi Jack, that’s correct, that’s pretty much how certs work; you need to repair the cert with certutil (search above for ‘key missing’), or make sure you seed the CSR with the key from the server that’s going to be using it. (Or use OpenSSL.)
