ADFS certficate export

Aamir Masthan 41 Reputation points
2020-05-11T12:38:44.663+00:00

Hello team

we need to export ADFS token signing and token decrypting certificate with private key

but when we do it export /copy do not get option to export keys

Please advise

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
959 questions
No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 9,976 Reputation points Microsoft Employee
    2020-05-11T12:58:45.927+00:00

    Hello -

    Do you mean the self-signed certificates which are automatically generated? Why would you export them?
    You don't need them when you upgrade the farm as you upgrade by adding new nodes to an existing farm.
    They are in the backup when you use ADFS Rapid Restore and got restored with the same tool.
    You don't need them to create a trust neither with an IDP nor an SP.

    So I am curious :)

    No comments

  2. Aamir Masthan 41 Reputation points
    2020-05-11T13:50:48.67+00:00

    Hello Piaudonn,

    Yes the self signed certficates which are auto rollover.

    there is a reason for exporting it, please let me if it is possible?

    Thanks

    Aamir Masthan


  3. Aamir Masthan 41 Reputation points
    2020-05-11T16:35:29.51+00:00

    we are building the test environment with the same ADFS farm, by taking vm snapshot

    No comments

  4. Pierre Audonnet - MSFT 9,976 Reputation points Microsoft Employee
    2020-05-11T16:47:15.717+00:00

    The test environment could have a different cert then, if it has a different name, a different AD etc... And if that's the same "cloned" AD environment then just the snapshot you do will have the cert in it (although that's also not a supported way to backup/restore ADFS, recommendation for backup/restore is to use the Rapid Restore tool).
    Anyhow, I am afraid that doesn't seem to be a good reason. Besides, test environments are also usually not secured the same way as the production environments (more admins, no restrictions, no monitoring, etc...). So putting the actual keys in dev would considerably decrease your overall security posture.
    If the intent of the test environment is to create test relying party trusts (for example to check claim rules or access policies), you can do create a test RP with the Claim X-Ray.

    No comments

  5. Aamir Masthan 41 Reputation points
    2020-05-12T07:05:08.407+00:00

    Hello

    let me explain more in detail

    we have ADFS servers in two data-center A & B on different region which load balanced with GTM.

    we are planning to re-build the ADFS servers on one region.

    DB server will get replicated from B , once we rebuild A.

    however the challenge is the certificate for ADFS servers on region A.

    Please advise