Expiring certificate for https://adfs.contoso.com, you say? Considering Let’s Encrypt goodness, that should be easy to fix, right?
- Import the new certificate into the computer's Personal store (make sure the PFX includes the private key)
- Grant the AD FS service account read permission on that private key
- Open AD FS Management, navigate to AD FS > Service > Certificates
- Click Set Service Communications Certificate… and select the new certificate
Done, right? So why all these ERR_CONNECTION_RESET errors and general snafu? That's because the UI only updates the AD FS configuration; the SSL binding that HTTP.sys actually serves the endpoints from still points at the old certificate's thumbprint, and a bit of PowerShell is needed to oust it.
```powershell
# that will show the old thumbprint hanging around in the SSL bindings
Get-AdfsSslCertificate

# get the thumbprint of the new certificate (the one the UI just set)
$thumb = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint

# and fix the bindings
Set-AdfsSslCertificate -Thumbprint $thumb
```
Then restart the AD FS service and it'll be as good as new! The mix of UI and PowerShell can be very confusing, especially for noob administrators like me.
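For anyone who would rather skip the UI entirely, here is the whole rollover as one PowerShell script, run elevated on the primary AD FS server. This is an added example, not code from the original post. It assumes the new certificate sits at C:\certs\adfs.pfx, that the AD FS service is registered as adfssrv, that the key is RSA, and that private keys live under the default %ProgramData%\Microsoft\Crypto paths; adjust those for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: full service-communications certificate rollover for AD FS.
# Assumed inputs: PFX path, service name 'adfssrv', RSA key, default key store paths.
$pfxPath = 'C:\certs\adfs.pfx'                 # assumed location of the new certificate
$pfxPass = Read-Host -AsSecureString 'PFX password'

# 1. Import the new certificate WITH its private key into the machine store.
$newCert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass
if (-not $newCert.HasPrivateKey) {
    throw 'PFX was imported without a private key; AD FS cannot use it.'
}

# 2. Grant the AD FS service account read access to the private key file.
#    The key file name comes from the key handle; CNG and legacy CAPI keys live in different folders.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($newCert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
}
$keyFile = Get-ChildItem -Path $keyDir -Recurse -File -Filter $keyName | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under $keyDir" }
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($svcAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 3. Point the AD FS configuration at the new certificate (what the UI button does).
#    Only needed on the primary server; the farm configuration is shared.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $newCert.Thumbprint

# 4. Update the HTTP.sys SSL bindings (the step the UI does not do).
#    This one is per server: repeat it on every AD FS node in the farm.
Set-AdfsSslCertificate -Thumbprint $newCert.Thumbprint

# 5. Restart and verify that configuration and bindings agree on the new thumbprint.
Restart-Service -Name adfssrv
$cfgThumb = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$stale    = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $newCert.Thumbprint }
if ($cfgThumb -ne $newCert.Thumbprint) {
    Write-Warning "AD FS configuration still references $cfgThumb"
}
if ($stale) {
    Write-Warning 'SSL bindings still using another thumbprint:'
    $stale | Format-Table HostName, PortNumber, CertificateHash -AutoSize
} else {
    Write-Host "All SSL bindings now use $($newCert.Thumbprint)"
}
```

Step 4 is the one that bites: Set-AdfsCertificate writes to the shared farm configuration, but the SSL bindings belong to each server's HTTP.sys, so Set-AdfsSslCertificate has to be run on every AD FS node (and the matching cmdlet on any Web Application Proxy in front of it), or some nodes keep presenting the old certificate. The ACL step grants only Read, which is all the service needs to use the key; if your service account is a gMSA the StartName ends in `$` and the rule still resolves.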