We have workshops to help move off ADFS https://techcommunity.microsoft.com/t5/community-events-list/microsoft-workshops-how-to-successfully-migrate-away-from-ad-fs/m-p/3668480 & https://www.microsoft.com/en-us/security/business/identity-access/upgrade-adfs
ADFS Token and Signing cert renewal
Hello guys!
I'm doing my first cycle of token cert renewal. At this moment I have 2 for both, Primary and Secondary. Everything seems to be just fine.
I'm trying to be ahead of the game and tried to replace the RP configuration in advance. I did it for my first RP and replaced the old cert with the new one (signing) and everything worked just fine! Hell yeah, so easy!!!
So I decided to move to the second RP and to my surprise it did not work. So I tried one more RP and same thing! I did the fourth and omg same thing.
So now I'm confused, but I did some research and it looks like the RP must be able to "read/understand/work" with those 2 certs, Primary and Secondary. Is this really the case?
I have about 10 RPs/applications, and for 1 I need the vendor to perform the change. Some I can do on the operating system (Linux) by changing the config file, and for some others I really need to access the UI and change it over there, authenticated of course. So 9 are on premises and 1 is like a SaaS.
That said, how am I supposed to perform this configuration/rollout?
If the cert expires, I will not be able to log in to the application/RP to change the configuration to the newer cert.
Please, any advice, guidance or lessons learned are very welcome!
Thanks!
Microsoft Security | Active Directory Federation Services
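The question's core point is that during a rollover AD FS publishes both the current (primary) and the upcoming (secondary) token-signing certificate, and an RP that is configured with only one of them will reject tokens once AD FS switches which one it signs with. The script below is an added example (not part of the original question or answer) that shows how a defender can check this from the RP side: it parses the federation metadata AD FS publishes (standard path `/FederationMetadata/2007-06/FederationMetadata.xml`), collects every certificate marked `use="signing"`, and reports which published signing certificates an RP's configuration is missing before they start being used. The `entityID`, host name and certificate bodies are constructed placeholders, not real certificates; the XML element names and namespaces are the standard SAML 2.0 metadata ones.

```python
"""Compare the token-signing certs an RP trusts with what AD FS publishes.

Added example, not from the original Q&A.  Assumes the standard SAML 2.0
metadata layout that AD FS emits; certificate contents are constructed
placeholders (only their fingerprints matter to the comparison logic).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate bodies (NOT real X.509 DER).
OLD_SIGNING_B64 = base64.b64encode(b"constructed-primary-token-signing-cert").decode()
NEW_SIGNING_B64 = base64.b64encode(b"constructed-secondary-token-signing-cert").decode()
ENCRYPTION_B64 = base64.b64encode(b"constructed-token-decrypting-cert").decode()

# Constructed metadata: mid-rollover AD FS lists BOTH signing certificates.
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {OLD_SIGNING_B64}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{NEW_SIGNING_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{ENCRYPTION_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 thumbprint (hex) of the DER bytes in an X509Certificate element."""
    der = base64.b64decode("".join(cert_b64.split()))  # strip XML whitespace
    return hashlib.sha256(der).hexdigest()


def published_signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the IdP publishes for token signing.

    A KeyDescriptor without a 'use' attribute may serve both signing and
    encryption in SAML metadata, so it is counted as a signing cert as well.
    """
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only descriptors do not verify tokens
        for cert in kd.findall(".//ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                found.add(fingerprint(cert.text))
    return found


def rp_trust_report(rp_trusted: set, metadata_xml: str) -> dict:
    """Diff an RP's trusted signing certs against the published ones.

    missing : published by AD FS but not trusted by the RP; once AD FS
              promotes that cert to primary, every token will be rejected.
    stale   : trusted by the RP but no longer published; safe to remove.
    ok      : True when the RP trusts every published signing cert.
    """
    published = published_signing_fingerprints(metadata_xml)
    return {
        "missing": published - rp_trusted,
        "stale": rp_trusted - published,
        "ok": published <= rp_trusted,
    }


if __name__ == "__main__":
    old_only = {fingerprint(OLD_SIGNING_B64)}
    both = {fingerprint(OLD_SIGNING_B64), fingerprint(NEW_SIGNING_B64)}
    print("RP with only the old cert:", rp_trust_report(old_only, SAMPLE_METADATA))
    print("RP with both certs:       ", rp_trust_report(both, SAMPLE_METADATA))
```

Run against live metadata, the same report tells you which of the ten RPs still need the secondary certificate added before the scheduled rollover date, which is the window in which the RP's own admin UI can still be reached with tokens signed by the old primary.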
1 answer
Mark Morowczynski 251 Reputation points Microsoft Employee2023-01-22T15:26:01.0333333+00:00