Managing AD FS Certificates
May 27, 2013
When certificates are issued, they are generally issued for a specified period of time, for example a 1-year SSL certificate.
The AD FS user interface allows you to view the details of the currently used certificate, remove existing ones, and add new ones. For self-signed certificates, AD FS provides an automatic rollover feature that generates new certificates when the existing ones approach expiry. This process is designed only for self-signed certificates; any CA-issued certificates will need to be installed and renewed manually.
Note: Automatic certificate renewal for self-signed certificates is enabled by default. To turn this default off and manage your certificates manually, use the following PowerShell command:
Set-ADFSProperties -AutoCertificateRollover $false
Previous versions of AD FS required you to manually transmit token-signing certificates to federation partners whenever they expired. In the latest version of AD FS (2.0), metadata exchange allows federation partners to automatically retrieve a new certificate when it replaces a renewed one, because the public key of the new certificate is added to the associated federation server's FederationMetadata.xml file. If you do not use metadata exchange, whenever you change the certificate you will need to export it (without the private key) to any partners that need it as a verification certificate.
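The following PowerShell script is an added example, not part of the original post: it checks whether automatic rollover is on, reports the expiry of the primary token-signing certificate, and exports only its public part for partners that do not use metadata exchange. It assumes the AD FS 2.0 PowerShell snap-in is installed on the federation server; the output path is a placeholder.

```powershell
# Added example (not from the original post): inspect the AD FS 2.0 token-signing
# certificate, report its expiry and export the public key only for partners.
# Assumes the AD FS 2.0 snap-in; the output path below is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props = Get-ADFSProperties
if ($props.AutoCertificateRollover) {
    Write-Host "AutoCertificateRollover is ON: AD FS renews self-signed token certificates itself."
} else {
    Write-Host "AutoCertificateRollover is OFF: token-signing/decrypting certificates are renewed manually."
}

# Partners that use metadata exchange pick up a replaced certificate from here.
Write-Host ("Federation metadata: https://{0}/FederationMetadata/2007-06/FederationMetadata.xml" -f $props.HostName)

# The primary token-signing certificate is the one partners must trust.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert = $signing.Certificate

$daysLeft = ($cert.NotAfter - (Get-Date)).Days
Write-Host ("Primary token-signing cert: {0}" -f $cert.Subject)
Write-Host ("  Thumbprint : {0}" -f $cert.Thumbprint)
Write-Host ("  Expires    : {0} ({1} days left)" -f $cert.NotAfter, $daysLeft)
if ($daysLeft -lt 30) {
    Write-Warning "Certificate expires within 30 days; plan the replacement and notify partners now."
}

# Export the public certificate only (DER-encoded .cer). X509ContentType::Cert never
# includes the private key, which is exactly what a federation partner should receive.
$outFile = 'C:\Temp\adfs-token-signing.cer'   # placeholder path
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outFile, $bytes)
Write-Host "Exported public certificate to $outFile"
```

Run it in an elevated PowerShell session on the federation server; the exported .cer can be handed to partners as the signature verification certificate for their claims provider trust.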