ADFS Multiple certificates from "Microsoft PolicyKeyService Certificate Authority"

Ron 31 Reputation points

Recently I started receiving warnings that certificates on our ADFS server are about to expire.
So first I looked in the ADFS management console, Service, Certificates.
But all certificates like Service Communications, Token-decrypting and Token-signing are up-to-date.

So I started looking at the local certificate store, and found that all of these certificates are issued by CN=Microsoft PolicyKeyService Certificate Authority.
And there are a lot of them!

When I searched the web I did find out that they have something to do with the Health service. There are just a few similar cases, but none of them answer my questions; hopefully they will be answered here.

  1. Is there an option to renew them manually to get rid of the expiration warning events?
  2. Why are there so many certificates?
  3. Is it safe to remove them once they expire?

I hope somebody can help me with this issue.

Active Directory Federation Services
Microsoft Entra ID

1 answer

  1. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee

    AFAIK, those are certificates generated by the installation and updates of the Azure AD Connect Health agent.
    It uses only the latest one and renews automatically every 6 months, I believe.
    In any case, it is safe to remove the ones which have expired, and even the ones which have been superseded by a more recent one (even if they haven't expired).
    Hope this helps!

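The cleanup the answer above describes, as an added example that is not part of the original thread or of the Health agent's own tooling: list every certificate issued by the "Microsoft PolicyKeyService Certificate Authority" in the machine's personal store, keep only the newest one (the one the answer says the agent actually uses), and flag the expired and superseded ones for removal. It assumes the certificates are in Cert:\LocalMachine\My, as on the poster's server, and that the issuer name quoted in the question is the one to match on; the `$IssuerPattern` variable is an assumption for this example. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the original post or from the Azure AD Connect Health agent.
# Assumptions: the agent certificates live in Cert:\LocalMachine\My (the "local
# certificate store" the poster looked at) and carry the issuer DN quoted in the question.
$IssuerPattern = '*CN=Microsoft PolicyKeyService Certificate Authority*'

# Every certificate from the PolicyKeyService CA, newest expiry first.
$healthCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like $IssuerPattern } |
    Sort-Object -Property NotAfter -Descending

if (-not $healthCerts) {
    Write-Host 'No certificates issued by the PolicyKeyService CA were found.'
    return
}

# Inventory: this is what was triggering the expiration warnings.
$now = Get-Date
$healthCerts |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } } |
    Format-Table -AutoSize

# Per the answer: only the latest certificate is in use, so keep that one and
# treat everything older (expired or merely superseded) as removable.
$keep       = $healthCerts | Select-Object -First 1
$candidates = $healthCerts | Select-Object -Skip 1

Write-Host "Keeping $($keep.Thumbprint) (valid until $($keep.NotAfter))"
Write-Host "$($candidates.Count) older certificate(s) would be removed:"

# Dry run: -WhatIf only reports what would be deleted. Review the output, then
# re-run without -WhatIf to actually remove the old certificates.
foreach ($cert in $candidates) {
    Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -WhatIf
}
```

Run it once with `-WhatIf` in place and compare the list against the thumbprints named in the expiration warning events before deleting anything; if the newest certificate is itself close to expiry, leave it alone and let the agent renew it rather than removing it by hand.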