This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 90%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hello team
we need to export ADFS token signing and token decrypting certificate with private key
but when we do it export /copy do not get option to export keys
Please advise
Hello -
Do you mean the self-signed certificates which are automatically generated? Why would you export them?
You don't need them when you upgrade the farm as you upgrade by adding new nodes to an existing farm.
They are in the backup when you use ADFS Rapid Restore and got restored with the same tool.
You don't need them to create a trust neither with an IDP nor an SP.
So I am curious :)
Hello Piaudonn,
Yes the self signed certficates which are auto rollover.
there is a reason for exporting it, please let me if it is possible?
Thanks
Aamir Masthan
There are no supported ways to export them.
What is the reason then? If that is a good enough reason, the lack of exportability might be addressed.
we are building the test environment with the same ADFS farm, by taking vm snapshot
The test environment could have a different cert then, if it has a different name, a different AD etc... And if that's the same "cloned" AD environment then just the snapshot you do will have the cert in it (although that's also not a supported way to backup/restore ADFS, recommendation for backup/restore is to use the Rapid Restore tool).
Anyhow, I am afraid that doesn't seem to be a good reason. Besides, test environments are also usually not secured the same way as the production environments (more admins, no restrictions, no monitoring, etc...). So putting the actual keys in dev would considerably decrease your overall security posture.
If the intent of the test environment is to create test relying party trusts (for example to check claim rules or access policies), you can do create a test RP with the Claim X-Ray.
Hello
let me explain more in detail
we have ADFS servers in two data-center A & B on different region which load balanced with GTM.
we are planning to re-build the ADFS servers on one region.
DB server will get replicated from B , once we rebuild A.
however the challenge is the certificate for ADFS servers on region A.
Please advise
I don't see how exporting the certificate would help.
Where do you rebuild the server A? In a new environment? In a new AD forest?