ADFS certificate export

Aamir Masthan 41 Reputation points

Hello team

We need to export the ADFS token-signing and token-decrypting certificates with the private key,

but when we export/copy them we do not get an option to export the keys.

Please advise

5 answers

  1. Pierre Audonnet - MSFT 10,066 Reputation points Microsoft Employee

    Hello -

    Do you mean the self-signed certificates which are automatically generated? Why would you export them?
    You don't need them when you upgrade the farm as you upgrade by adding new nodes to an existing farm.
    They are in the backup when you use ADFS Rapid Restore and got restored with the same tool.
    You don't need them to create a trust neither with an IDP nor an SP.

    So I am curious :)

  2. Aamir Masthan 41 Reputation points

    Hello Piaudonn,

    Yes, the self-signed certificates which auto-rollover.

    There is a reason for exporting them; please let me know if it is possible?

    Aamir Masthan

  3. Aamir Masthan 41 Reputation points

    We are building a test environment with the same ADFS farm by taking a VM snapshot.

  4. Pierre Audonnet - MSFT 10,066 Reputation points Microsoft Employee

    The test environment could have a different cert then, if it has a different name, a different AD etc... And if that's the same "cloned" AD environment then the snapshot you take will have the cert in it (although that's also not a supported way to backup/restore ADFS; the recommendation for backup/restore is to use the Rapid Restore tool).
    Anyhow, I am afraid that doesn't seem to be a good reason. Besides, test environments are also usually not secured the same way as the production environments (more admins, no restrictions, no monitoring, etc...). So putting the actual keys in dev would considerably decrease your overall security posture.
    If the intent of the test environment is to create test relying party trusts (for example to check claim rules or access policies), you can create a test RP with the Claim X-Ray.
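
A read-only check of the certificate configuration discussed in the answer above, as an added example (not code from either poster). It assumes it runs in an elevated session on an AD FS node with the AD FS module available; the Rapid Restore tool, backup path and passphrase at the end are assumptions and placeholders.

```powershell
# Added example. Run on an AD FS node in an elevated PowerShell session.
# Everything is read-only except the commented-out backup at the end.

# 1. Is automatic certificate rollover on? If so, the token-signing and
#    token-decrypting certificates are self-signed, generated by AD FS itself
#    and regenerated on the schedule below, so there is nothing to hand-carry
#    into a rebuilt or test farm.
$props = Get-AdfsProperties
[pscustomobject]@{
    AutoCertificateRollover        = $props.AutoCertificateRollover
    CertificateRolloverIntervalMin = $props.CertificateRolloverInterval
    CertificateGenerationThreshold = $props.CertificateGenerationThreshold
    CertificatePromotionThreshold  = $props.CertificatePromotionThreshold
} | Format-List

# 2. Inventory the signing/decrypting certificates with expiry. Relying
#    parties trust the thumbprints published in federation metadata, so this
#    list is what a rebuilt region must be reconciled against, not a VM image.
'Token-Signing', 'Token-Decrypting' |
    ForEach-Object { Get-AdfsCertificate -CertificateType $_ } |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
        @{ n = 'DaysLeft'; e = { [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays } },
        StoreLocation, StoreName |
    Format-Table -AutoSize

# 3. Supported backup path (the Rapid Restore tool mentioned in the answer)
#    instead of exporting private keys or snapshotting the VM. Assumes the
#    tool is installed; the path and passphrase are placeholders.
# Import-Module ADFSRapidRestoreTool
# Backup-ADFS -StorageType 'FileSystem' -StoragePath 'D:\AdfsBackup\' `
#     -EncryptionPassword '<strong-passphrase>' -BackupComment 'Pre-rebuild of region A'
```

If AutoCertificateRollover is true, the certificates in step 2 are the farm-generated ones, and a new farm with its own name will need its own metadata published to relying parties rather than a copy of these keys.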

  5. Aamir Masthan 41 Reputation points

    Let me explain in more detail.

    We have ADFS servers in two data centers, A & B, in different regions, load balanced with GTM.

    We are planning to rebuild the ADFS servers in one region.

    The DB server will get replicated from B once we rebuild A.

    However, the challenge is the certificate for the ADFS servers in region A.

    Please advise