Occasionally (usually once a year), you may have to renew the SSL certificate of your Active Directory Federation Services server, used for your Office 365 Single Sign-On setup. In past versions, this was done quite easily through IIS. However, since Windows Server 2012 R2 (a.k.a. ADFS 3.0), ADFS no longer uses IIS and the procedure gets a little more complicated.
Outlined in this short article are the steps you need to do in order to renew or replace your SSL certificate on a Windows 2012 R2 server, running ADFS 3.0.
First, renew or request a new SSL certificate through your Certificate Authority (such as GoDaddy, Enom, etc.). How to do this depends greatly on the CA. As ADFS on 2012 R2 no longer uses IIS, you may have to generate the certificate signing request through other means (e.g. another server running IIS, a computer with OpenSSL, etc.).
If you are renewing with the same private key (e.g. GoDaddy allows you to renew without a new certificate signing request), you may need to perform the steps outlined here:
→ Certificate renewal using the same private key (e.g. GoDaddy)
Once you have your certificate and private key (usually in PKCS#12 format), you can import it on your ADFS server. To do this, follow the steps below:
# Bind the imported certificate (by thumbprint) as the service communications certificate
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint the-thumbprint
# Bind the same certificate to the ADFS HTTPS listener (replaces the old IIS binding step)
Set-AdfsSslCertificate -Thumbprint the-same-thumbprint
# Restart the ADFS service so the new certificate is picked up
Restart-Service adfssrv
To verify which certificate is in use, you can check this in PowerShell with these cmdlets:
Get-AdfsCertificate
Get-AdfsSslCertificate
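As an added example (not part of the original article), the following PowerShell script ties the steps above together on a 2012 R2 ADFS server: it imports the PFX into the machine store, binds the new thumbprint for both service communications and the SSL listener, restarts the service, and then checks that both bindings actually report the new thumbprint. The PFX path is an assumed placeholder; run it in an elevated PowerShell session on the ADFS server.

```powershell
# Added example, not from the original article. Assumes the renewed certificate
# and private key are in a PKCS#12 file at the placeholder path below.
$PfxPath     = 'C:\certs\adfs-renewed.pfx'   # assumed placeholder path
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Import into the local machine personal store; ADFS needs the private key here.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key; ADFS cannot use it."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) already expired on $($cert.NotAfter)."
}

# Bind the new certificate for service communications and for the HTTPS listener,
# then restart ADFS so the change takes effect (same three steps as in the article).
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
Restart-Service adfssrv

# Verify: the service communications binding and every SSL binding (one per
# hostname/port) should report the new thumbprint; warn loudly if any does not.
$svcThumb  = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$sslThumbs = Get-AdfsSslCertificate | Select-Object -ExpandProperty CertificateHash
$stale     = @($sslThumbs | Where-Object { $_ -ne $cert.Thumbprint })

if ($svcThumb -ne $cert.Thumbprint -or $stale.Count -gt 0) {
    Write-Warning ("Binding mismatch. Expected {0}; service={1}; ssl={2}" -f `
        $cert.Thumbprint, $svcThumb, ($sslThumbs -join ','))
} else {
    Write-Output ("ADFS now uses {0} ({1}), valid until {2}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
}
```

The verification step matters because Set-AdfsSslCertificate updates every existing SSL binding, so a leftover binding still showing the old thumbprint points to an incomplete renewal.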