This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 47%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECF%3C/text%3E%3C/svg%3E)
So I am very new to AD FS and have been dropped in it.
I have an SSL Cert that is going to expire in 7 days time.
The production System has 2 AD server with FS on and 2 Proxy Server.
I have created a test plaform that mimics the production as best I can and I purchased a test SSL, however I have installed and I get a few errors, which mention certauth.adfs.mytestdomain.com
The Production enviornment does not show those errors.
The production Cert also has adfs and mfa in it (as does the test System)
So here are my Questions
certauth.adfs.mytestdomain.com is the URL used when you do certificate based authentication on port 443 (like user certificates). It is called alternate hostname binding. Historically certificate based authentication is using a different port: 49443. But because this port is often blocked in public network, starting Windows Server 2016 we introduce the ability to do the certificate based authentication over 443 but it has to use a different name.
So you can ignore this error message if you are not using certificate based authentication. If you need it and want to use it, you need to add the Subject Alternate Name certauth.adfs.mytestdomain.com to your TLS/SSL certificate. This is explained here.
Regarding the "type" certificate it is a TLS certificate It is described here. It must be a X509 v3 certificate (CNG keys are not supported) . To update the certificate, import it on the local store of each ADFS nodes, then you need two commands on the ADFS primary server.
Set-AdfsCertificate -CertificateType "Service-Communications" -Thumbprint '<thumbprint of new cert>'
Set-AdfsSslCertificate -Thumbprint '<thumbprint of new cert>'
This is also explained here. You also need to make sure the ADFS service account has the permissions to read the private key of the certificate. If you are using the same certificate on the WAPs (recommended), you also need to run the following on your WAP servers:
Set-WebApplicationProxySslCertificate -Thumbprint '<thumbprint of new cert>'
There is nothing to do on the relying party trusts when you update this certificate.
Token-Signing and Token-Decrypting certificates should not be TLS certificates (they could but there is no value of paying for these two). You can use the default self-signed certificates for these two. Updating those two certificates will break the trust with the relying party trusts and external claim provider trusts (not the Active Directory one though). So if you change them, tell the admins of the parties to update their configuration. This is documented here. By default we use self-signed certificates and they renew automatically.
Have a look and let us know if you need more clarity!
Hi Piaudonn,
Thank you for the really great answer, I will check out all the links in a moment.
So I have inherited this solution and not used ADFS before, so from the ADFS Panel I can see that the Token-Signing and Token Decryption are using the same SSL Cert?
Which means that I need to something with the relaying Parties? but what is it I will need to do?
Yes you will have to change those. Either with a certificate you are getting from a certificate authority (public or an enterprise one). Or switch back to the self signed certificates when those 2 expire. If you go that way, you'll have to plan the transition carefully as as soon as you update those two, you'll break the trust with your relying party trusts. To switch back to self-signed, you should be able to run something like this:
Set-ADFSProperties -AutoCertificateRollover $true
Update-AdfsCertificate -CertificateType "Token-Signing" -Urgent
Update-AdfsCertificate -CertificateType "Token-Decrypting" -Urgent
Then you should see two new cert (as secondary) in the ADFS GUI. You can mar them as primary and delete the then expired one.
Thanks once again for the super quick response.
Sorry to be a little slow on the uptake here and after reading the Guide on Secondary Certificates
I guess I will need to use a public signed certificate as it is currently set at the moment.
In that case using a new Public Cert, I guess I just follow those steps in the link above .
I then have a secondary for both the Token-Signing and Token-Decrypting, as the current SSL expires on the 4th July I could make them Primary on the 3rd July.
So I'm hoping these will be the last few questions, I hope!
So If I make them secondary, what do I need to do for the relaying Parties?
So, before my time, it appears that a new SSL Certificate for adfs.domain.com has already been purchased and looks like it has been installed on all ADFS and Proxy Servers, although, on the Primary ADFS, the account running running ADFS service was not set to read, so I have set that and will need to do the others.
On the New Cert, I noticed that the Friendly name is not adfs.domain.com, like the previous one, will that matter? 
Thanks
Chris
"I will need to use a public signed certificate" why? Based on what requirement of your environment? Most of deployments are just fine with self-signed certificates for these two. They are not used to encrypt the communication but to sign or encrypt tokens.
Hi Plaudonn,
I am only using the public certs are that is currently what is set at the moment.
I am happy to go to self-signed if that is the best option. But at the moment the Current Cert expires on the 4th July.
The company and the previous IT person has purchased a new SSL certs and have installed that on the two AD FS servers and the Proxies Servers.
So I am guessing that my process to update now should be;
Add the new SSL Cert to the Token Signing and Token Decryption as secondary. Do this, I guess will allow the relaying parties to update their information automatically if they are pulling the Metadata?
Wait a could of days and change the Service Certicate in the AD FS Admin tool over to the new Cert.
Run the Powershell Script on the Master ADFS box and update the thumbprint to point to that new Certificate. I read that this then updates all other Proxies and ADFS servers using remote powershell, but I can I run the same powershell on the other AD FS and Proxy Boxes?
Update the Binding on IIS as that also use the Certicate for the mfa.domain.com website?
One further question. I added the Public SSL Certificates as secondary on Token Signing and Decryption, I assume that that should not impact anything? Just we are now having reports that when users try to access O365 and they get redirected to the ADFS page to signin, they are getting an error?
Thanks
Chris
Just to update this.
I have created a test system, with 2 AD FS servers and Two Proxies and there own domain.
I have an SSL public Cert that I applied.
Now, I followed a MS guide on installing and I selected the Certificate, but I don't remember selecting anything for the Token Signing and Decryption, so I am guess that the 2019 version of ADFS by default assigns that public SSL to those two other servers.
I think there is a bit of confusion here. I'll try to clarify.
There are 3 different certificates in ADFS.
There are three different certs with 3 different purposes. The 1 has to be installed on the machine certificate store. By default, the 2 and 3 are automatically generated and are stored in the ADFS database.
Updating one does nothing to the other twos.
In your situation someone has configured the same certificate everywhere. Not a good practice but eh, at the end of the day, it works as long as validity period, the key usage correct and the private key accessible.
When you update the certificate 1 you have to do it at two places:
Back in Windows Server 2012 R2 ADFS, we needed to do the step 1 one time and the step 2 on each node of the ADFS farm.
Starting Windows Server 2016 ADFS, we need to do the step 1 one time and the step 2 one time too (then the primary node will contact the secondary nodes via WinRM and update their bindings too.
If you use Azure AD Connect and ADFS is configured through it, there is a wizard there to help you update the ADFS certificates.
Also, in your case you will have to update the certificate 2 and 3 too as they de facto expire. So you will have to interrupt the service for your applications and they will have to update anyways. So you could use this outage opportunity to swtich back to self-signed and lower the administrative overhead at the next certificate update. That's all I'm saying :)
I'm all for making things easier.
Thanks
Chris