Tip #831: Avoiding pain when renewing certificates in AD FS

Expiring certificate for https://adfs.contoso.com, you say? Considering Let’s Encrypt goodness, that should be easy to fix, right?

  • Import new certificate (make sure to include private key)
  • Grant permission to AD FS service account to read the private key
  • Open AD FS manager, navigate to AD FS > Service > Certificates
  • Click Set Service Communications Certificate… and select new certificate

Done, right? So why all these ERR_CONNECTION_RESET errors and general snafu? That’s because the old certificate is still bound in the SSL configuration (AD FS Manager only updates the Service Communications certificate, not the HTTP.sys bindings), and a bit of PowerShell is needed to oust it.

# that will show old thumbprint hanging around
Get-AdfsSslCertificate

# get the thumbprint of the new certificate
$thumb = (Get-AdfsCertificate -CertificateType `
     Service-Communications).Thumbprint

# and fix it
Set-AdfsSslCertificate -Thumbprint $thumb

Then restart the AD FS service and it’ll be as good as new! The mix of UI and PowerShell can be very confusing, especially for noob administrators like me.
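To catch this mismatch before users start seeing connection resets, here is an added check-and-repair script (my own example, not part of the original tip). It assumes it runs on an AD FS server with the ADFS module available; the `adfssrv` service name is the standard one, and the `-Fix` switch is my own parameter name.

```powershell
# Added example: verify that the certificate AD FS reports as its Service
# Communications certificate is the one actually bound in HTTP.sys, and
# optionally repair the binding. Not part of the original post.
function Test-AdfsSslBinding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed parameter: when set, rebind stale SSL bindings and restart AD FS
        [switch]$Fix
    )

    # Thumbprint AD FS Manager shows under Service > Certificates
    $svc = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint

    # What HTTP.sys is really serving for the federation service endpoints
    $bindings = Get-AdfsSslCertificate
    # -ne is case-insensitive in PowerShell, so hash casing does not matter
    $stale = @($bindings | Where-Object { $_.CertificateHash -ne $svc })

    # Sanity checks on the new certificate itself (present, has a private key, not expiring)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $svc }
    if (-not $cert) { throw "Certificate $svc not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { Write-Warning "Certificate $svc was imported without its private key" }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 30) { Write-Warning "Certificate $svc expires in $daysLeft days" }

    foreach ($b in $stale) {
        Write-Warning ("Stale SSL binding {0}:{1} uses {2}, expected {3}" -f `
            $b.HostName, $b.PortNumber, $b.CertificateHash, $svc)
    }

    if ($Fix -and $stale.Count -gt 0 -and $PSCmdlet.ShouldProcess("AD FS SSL bindings", "Rebind to $svc")) {
        # Same fix as in the tip above: rebind HTTP.sys to the new thumbprint, then restart
        Set-AdfsSslCertificate -Thumbprint $svc
        Restart-Service adfssrv
    }

    [pscustomobject]@{
        ServiceCommunications = $svc
        NotAfter              = $cert.NotAfter
        DaysLeft              = $daysLeft
        HasPrivateKey         = $cert.HasPrivateKey
        StaleBindingCount     = $stale.Count
    }
}

# Report only; add -Fix (and -WhatIf to preview) to repair the binding
Test-AdfsSslBinding
```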
