Renew ADFS and ADFS Proxy servers' SSL Service Communication certificate

There are 3 ADFS servers in the farm, one of them running in the Disaster Recovery network, and 3 ADFS Proxy servers in the farm, one of them running in the Disaster Recovery network, as shown.

Assumptions:

ADFS and ADFS Proxy servers version = 2.0.
The document assumes that you already have the renewed public SSL certificate from your certificate provider.
Your public SSL certificate has a private key associated with it.
This document doesn't cover how to renew the ADFS token signing and token decrypting certificates, as there are plenty of guides out there.
You may have a situation where your ADFS token signing and token decrypting certificates are signed with SHA-1 while your newly acquired public SSL certificate is signed with SHA-2. Don't worry, they can co-exist on the same ADFS servers and are compatible; I can guarantee that it will work based on my recent experiences.
If your certificate service provider requires you to upgrade to a SHA-2 signed certificate, just go ahead: generate a SHA-2 signed CSR, send it to the SSL provider and get the SHA-2 signed public SSL certificate back. Then follow their instructions on how to import the certificates they give you. Most service providers give you 4 certificates in total: the main public SSL certificate, the Root certificate, and two intermediate certificates (intermediate certificate 1 and intermediate certificate 2).

Step-1: import the new Root certificate. To be done only at the ADFS primary server (only 1 server). There is only one ADFS primary server in a farm; in my example, I'll do this step only at ADFS-1.

MMC > Add/Remove snap-in > Certificates > Computer Account > Next > Finish.

Before you import any new certificates, right-click the existing root certificate > Properties > and give it a friendly name, so that when you import the new certificates you can tell which certificate is old and which is new.

Import the new Root certificate under Trusted Root Certification Authorities in the ADFS primary server's MMC console. (Some call it the G2 root certificate.)

If the provider advises you to delete the existing G2 Root certificate signed with SHA-1 because the new G2 is signed with SHA-2, then you will need to delete the existing G2 root certificate. **If your SSL provider doesn't ask you to delete the existing G2 Root certificate, you don't need to do that.** Don't delete the current G2 yet; just import the new G2 root certificate first. We'll delete the old one only when all the other certificates have been imported to all ADFS and ADFS proxy servers successfully.

Step-2: import the two new intermediate certificates. Import the two new intermediate certificates under Intermediate Certification Authorities at all ADFS servers (including the ADFS Primary server) and all ADFS proxy servers.
Step-3: import the new public SSL certificate, bearing a name like sts.abc.com or sso.abc.com. Before you import it, right-click the existing certificate > Properties > and give it a friendly name, so that when you import the new certificate you can tell which certificate is old and which is new. Import the new public SSL certificate under Personal at all ADFS servers (including the ADFS Primary server) and all ADFS proxy servers.

Step-4: change the public SSL certificate (sts.abc.com) in IIS. Go to IIS > Default Web Site > Bindings > and choose the new public SSL certificate from the dropdown list, as shown.

You can now delete the existing G2 Root certificate at the ADFS Primary server and at all other ADFS and ADFS proxy servers that have the G2 Root certificate. Regarding the G2 Root certificate, please consult your service provider.
Step-4.1: only to be done at the ADFS Primary server; in my case, it's ADFS-1. Go to ADFS-1 > Service > Certificates > Service communications > Set Service Communications Certificate, as shown. You will be prompted to choose a certificate; choose the new certificate.

*In my case, when I chose the new public SSL certificate, I got an error message stating that the public SSL certificate I was importing doesn't have a private key associated with it. I am sure that the public cert I was importing has a private key associated with it. I tried again and chose the certificate, and then it went fine. If the same thing happens to you, try again.*
Step-5: to be done only at the ADFS Proxy servers; in my case, ADFS Proxy-1, 2 and 3. Launch the ADFS Proxy Configuration Wizard and click Next. When asked for a user name and password, type domain\administrator (for example, in my case, abc\adfsadmin) and its password. That account is an Active Directory domain account that has permission to manage the ADFS servers. Click Next, Next and Finish.

Step-6: Testing.

From the external network, go to https://sts.abc.com and check the certificate; it should reflect the new certificate.
Log in to your Office 365 portal from the local network.
Log in to your Office 365 portal from the external network.
Send and receive emails.
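The script below is an added PowerShell example, not part of the original guide, that automates the checks behind Steps 3, 4.1 and 6: it confirms the new certificate in the computer's Personal store has a private key (the error seen in Step-4.1), that its chain builds through the newly imported intermediates and root, and that the server on port 443 actually presents the new certificate. The thumbprint placeholder and the host name sts.abc.com are assumptions to replace with your own values.

```powershell
# Added example (not from the original guide). Run on an ADFS or ADFS Proxy server.
# Assumptions: $NewThumbprint is the renewed public SSL certificate's thumbprint
# (PLACEHOLDER below must be replaced), $HostName is the service name from the guide.
param(
    [string]$NewThumbprint = 'PLACEHOLDER_THUMBPRINT',
    [string]$HostName      = 'sts.abc.com'
)

# 1. The certificate must sit in LocalMachine\Personal with a private key;
#    a missing private key is exactly the error the guide hits in Step-4.1.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert)                { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate has no private key; re-import it from the PFX" }

# 2. The chain must build via the intermediates (Step-2) to a trusted root (Step-1).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is verified separately
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Chain does not build; check the Root and Intermediate stores"
}
'Chain:'
$chain.ChainElements | ForEach-Object { '  {0}  {1}' -f $_.Certificate.Thumbprint, $_.Certificate.Subject }

# 3. Report the signature algorithm and expiry; a SHA-2 SSL cert is fine next to SHA-1 token certs.
'Signature algorithm: {0}' -f $cert.SignatureAlgorithm.FriendlyName
'Expires:             {0}' -f $cert.NotAfter

# 4. Step-6 check: the certificate served on 443 must be the new one, not the old binding.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
$ssl.AuthenticateAsClient($HostName)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
if ($served.Thumbprint -ne $NewThumbprint) {
    throw "$HostName still presents $($served.Thumbprint); re-check the IIS binding or the proxy wizard"
}
"OK: $HostName presents the new certificate ($($served.Subject))"

# Optional, ADFS primary only: the Step-4.1 change from the ADFS 2.0 PowerShell snap-in.
# Add-PSSnapin Microsoft.Adfs.PowerShell
# Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $NewThumbprint
```

Run it on each server after Step-4 and again after Step-5; from an external machine only the port-443 check (section 4) is meaningful, since the store checks look at the local machine.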