ADFS Token signing/decryption certificate renewal (public cert)

Lyncer 2013 1 Reputation point
2021-01-29T11:04:20.217+00:00

Hi,

Normally token signing/decryption certificates are self-signed.
On a specific setup I inherited, they are using public certificates for token signing/decrypting.
Does someone know what's the best way to renew these certificates without impacting the ADFS environment itself right away?

It's not possible to renew them via the Certificates MMC (template not found error, which is normal of course).


2 answers

  1. Abhijeet-MSFT 546 Reputation points Microsoft Employee
    2021-02-01T05:55:38.247+00:00

    Hi @Lyncer 2013 , you will need to get the new cert from the provider and import it to ADFS as token signing/token decrypting certificate. There are some considerations that are very well documented at https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ts-td-certs-ad-fs#if-youre-not-using-self-signed-certificates.

    Make sure the relying parties have been provided with the new cert (either through metadata or using public key).

    1 person found this answer helpful.
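The staged rollover the answer above describes, written out as an added PowerShell example (this is not code from the thread, the answerer, or the linked Microsoft article). It assumes the new certificate has already been imported with its private key into the local machine Personal store on the primary AD FS server, that the AD FS service account has read access to that private key, and that `$NewThumbprint` is replaced with the real thumbprint; the value shown is a placeholder. The cmdlets used (`Get-AdfsProperties`, `Set-AdfsProperties`, `Add-AdfsCertificate`, `Get-AdfsCertificate`, `Set-AdfsCertificate`, `Remove-AdfsCertificate`) are the standard ones from the ADFS module.

```powershell
# Added example: stage an externally issued token-signing (or token-decrypting)
# certificate as SECONDARY first, so relying parties that read federation metadata
# see the new public key before AD FS starts using it. Run elevated on the primary
# AD FS server.

$NewThumbprint = 'REPLACE_WITH_NEW_CERT_THUMBPRINT'   # placeholder, not a real value
$CertType      = 'Token-Signing'                      # or 'Token-Decrypting'

Import-Module ADFS

# 1. With non-self-signed certificates, automatic rollover must be off; otherwise
#    AD FS keeps generating and promoting its own self-signed certificates.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Set-AdfsProperties -AutoCertificateRollover $false
}

# 2. Sanity-check the certificate in the machine store before touching AD FS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert)               { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "New certificate expires within 30 days: $($cert.NotAfter)"
}

# 3. Add it as a secondary certificate. Existing tokens are still signed with the
#    current primary; metadata now advertises both keys.
Add-AdfsCertificate -CertificateType $CertType -Thumbprint $NewThumbprint

# 4. Show what relying parties will see in metadata (primary + secondary).
Get-AdfsCertificate -CertificateType $CertType |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# 5. Only after every relying party (including ones configured by hand from the
#    public key rather than from metadata) trusts the new key, promote it.
#    Uncomment when ready:
# Set-AdfsCertificate -CertificateType $CertType -Thumbprint $NewThumbprint -IsPrimary

# 6. Remove the old certificate once nothing depends on it any more.
# Remove-AdfsCertificate -CertificateType $CertType -Thumbprint 'OLD_THUMBPRINT_PLACEHOLDER'
```

Relying parties that pull metadata can be checked by fetching `https://<federation-service-name>/FederationMetadata/2007-06/FederationMetadata.xml` and confirming both thumbprints appear under the signing key descriptors; partners that were configured with a pasted public key need the new certificate sent to them out of band before step 5, or their tokens will fail signature validation the moment the primary is switched.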

  2. Lyncer 2013 1 Reputation point
    2021-02-03T09:43:15.853+00:00

    Thanks!
    I will try that.

    One more question:
    What's the best way to request a new certificate for the token signing/decryption certificate?

    Do I just create a new CSR from the certificates snapin for each server with the same settings as the current signing/decryption certificates?

