by lunarg on August 24th 2015, at 16:20

Occasionally (usually once a year), you may have to renew the SSL certificate of your Active Directory Federation Services server, used for your Office 365 Single Sign-On setup. In past versions, this was done quite easily through IIS. However, since 2012 R2 (a.k.a. ADFS 3.0), ADFS no longer uses IIS and it gets a little bit more complicated.

Outlined in this short article are the steps you need to take in order to renew or replace your SSL certificate on a Windows 2012 R2 server running ADFS 3.0.

Certificate request

First, renew or request a new SSL certificate through your Certificate Authority (such as GoDaddy, Enom, etc.). How to do this depends greatly on the CA. As ADFS on 2012 R2 no longer uses IIS, you may have to generate the certificate signing request through other means (e.g. another server running IIS, a computer with OpenSSL, etc.).

Renewal with same private key

If you are renewing with the same private key (e.g. GoDaddy allows you to renew without a new certificate signing request), you may need to perform the steps outlined here:

Certificate renewal using the same private key (e.g. GoDaddy)

Certificate replacement

Once you have your certificate and private key (usually in PKCS#12 format), you can import it on your ADFS server. To do this, follow the steps below:

  1. On the server running ADFS, open the Windows Certificate Store for the computer account.
    1. Click Start, then Run, type in mmc.exe.
    2. Go to Add/Remove Snap-in, select Certificates, select Computer account, then This computer.
  2. In the Personal container, import your certificate, including the private key in the Personal store.
  3. Next, you need to make the private key available to the service account running ADFS (if you used the wizard during installation of the ADFS role, this account will be called ADFSService): right-click the newly imported SSL certificate, and select All Tasks, then Manage Private Keys. Give read permissions to the service account running ADFS.
  4. Look up the thumbprint of the certificate. We will need it to assign it to ADFS.
    1. Still from Windows Certificate Store, open (double-click) the imported certificate, then on the tab Details, scroll to the bottom.
    2. The field that says Thumbprint is the thumbprint you need. I recommend copying the thumbprint into Notepad and removing all spaces (necessary for later on).
  5. Open an elevated PowerShell on the server running ADFS, and set the certificate:
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint the-thumbprint
    Replace the-thumbprint with the thumbprint string you got earlier, without any spaces.
  6. Next, set the SSL certificate to the same one as well:
    Set-AdfsSslCertificate -Thumbprint the-same-thumbprint
  7. Finally, restart the Active Directory Federation Services service:
    Restart-Service adfssrv
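The whole procedure from step 2 onwards can be driven from the same elevated PowerShell prompt, which also lets you check the certificate before ADFS is switched over to it. The script below is an added example, not part of the original article: it normalizes the thumbprint copied from the certificate dialog (spaces and the invisible Unicode mark that dialog sometimes adds), optionally imports the PFX, verifies that the certificate has a private key, is not expired and covers the federation service name, grants the ADFS service account read access to the private key, applies the two Set-Adfs* cmdlets from steps 5 and 6, restarts the service and confirms that ADFS now reports the new thumbprint. It assumes the private key is a CSP (CAPI) key stored under MachineKeys, which is what a PFX imported on 2012 R2 normally produces; the -ServiceAccount parameter is only needed when the account cannot be read from the adfssrv service definition.

```powershell
# Added example (not from the original article): steps 2-7 from one elevated
# PowerShell prompt on the ADFS 3.0 server, with checks before the switch-over.
# Assumption: the private key is a CSP key under ProgramData\...\RSA\MachineKeys.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # the value read in step 4, spaces allowed
    [string] $PfxPath,                            # optional: import this PFX first (step 2)
    [string] $ServiceAccount                      # optional: defaults to what adfssrv runs as
)

# Step 4: thumbprints copied from the certificate dialog contain spaces and
# sometimes an invisible Unicode mark; keep only the 40 hex digits.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw "Not a SHA-1 thumbprint after cleanup: '$Thumbprint'" }

# Step 2: import certificate and private key into the computer's Personal store.
if ($PfxPath) {
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password $pfxPassword | Out-Null
}

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key; ADFS cannot use it.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate already expired on $($cert.NotAfter)." }

# The certificate must cover the federation service name (wildcards allowed),
# otherwise every client gets a name-mismatch error once ADFS restarts.
$fsName = (Get-AdfsProperties).HostName
$covers = $cert.DnsNameList.Unicode | Where-Object { $fsName -like $_ }
if (-not $covers) { throw "Certificate does not cover federation service name '$fsName'." }

# Step 3: grant the ADFS service account read access to the private key file.
if (-not $ServiceAccount) {
    $ServiceAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
}
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $keyName
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Steps 5-7: service communications certificate, SSL binding, restart.
Set-AdfsCertificate    -CertificateType Service-Communications -Thumbprint $Thumbprint
Set-AdfsSslCertificate -Thumbprint $Thumbprint
Restart-Service adfssrv

# Confirm that ADFS reports the new thumbprint for both settings.
$svcComm = Get-AdfsCertificate -CertificateType Service-Communications
if ($svcComm.Thumbprint -ne $Thumbprint) {
    throw "Service-Communications certificate is still $($svcComm.Thumbprint)"
}
foreach ($binding in Get-AdfsSslCertificate) {
    if ($binding.CertificateHash -ne $Thumbprint) {
        throw "SSL binding $($binding.HostName):$($binding.PortNumber) is still $($binding.CertificateHash)"
    }
}
"ADFS now uses $Thumbprint ($($cert.Subject)), valid until $($cert.NotAfter)"
```

Run it as `.\Set-AdfsSsl.ps1 -Thumbprint '‎ab 12 cd …' -PfxPath C:\certs\sts.pfx` (the name of the script file is your choice); the name check is what catches a certificate issued for the wrong host before it is bound, and the ACL step replaces the Manage Private Keys dialog of step 3.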

To verify the used certificate, you can check this in PowerShell with these cmdlets:
