Tip #831: Avoiding pain when renewing certificates in AD FS

Expiring certificate for https://adfs.contoso.com, you say? Considering Let’s Encrypt goodness, that should be easy to fix, right?

  • Import the new certificate (make sure to include the private key)
  • Grant the AD FS service account permission to read the private key
  • Open AD FS Management, navigate to AD FS > Service > Certificates
  • Click Set Service Communications Certificate… and select the new certificate

Done, right? So why all these ERR_CONNECTION_RESET errors and general snafu? That’s because the old certificate is still lurking in the configuration, and a bit of PowerShell is needed to oust it.

# this still shows the old thumbprint hanging around in the SSL bindings
Get-AdfsSslCertificate

# get the thumbprint of the new (service communications) certificate
$thumb = (Get-AdfsCertificate -CertificateType `
     Service-Communications).Thumbprint

# and point the SSL bindings at it
Set-AdfsSslCertificate -Thumbprint $thumb

Then restart the AD FS service and it’ll be as good as new! The mix of UI and PowerShell can be very confusing, especially for noob administrators like me.
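The whole procedure above, done from an elevated PowerShell session on the AD FS server, as an added example (not the original post's code). It uses Set-AdfsCertificate as the scripted equivalent of the UI step, and the PFX path and service account name are assumed values.

```powershell
# Assumed inputs (not from the original post): the PFX of the renewed certificate
# and the AD FS service account (use 'CONTOSO\svc_adfs$' for a gMSA).
$PfxPath        = 'C:\certs\adfs.contoso.com.pfx'
$ServiceAccount = 'CONTOSO\svc_adfs'

# Locate the on-disk private key file so the service account can be granted read access.
function Get-PrivateKeyFile([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName                               # CNG key container
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CSP key container
    }
    Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $name -ErrorAction SilentlyContinue |
        Select-Object -First 1
}

# 1. Import the renewed certificate together with its private key.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$newCert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
if (-not $newCert.HasPrivateKey) { throw 'Imported certificate has no private key' }
if ($newCert.NotAfter -lt (Get-Date).AddDays(7)) { throw "Certificate expires too soon: $($newCert.NotAfter)" }

# 2. Grant the service account read access to the private key file.
$keyFile = Get-PrivateKeyFile $newCert
if (-not $keyFile) { throw 'Private key file not found under ProgramData\Microsoft\Crypto' }
$acl = Get-Acl -Path $keyFile.FullName
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')))
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 3. Scripted equivalent of the UI step: make it the service communications certificate.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $newCert.Thumbprint

# 4. The step the UI does not do: repoint the SSL bindings that still hold the old thumbprint.
Set-AdfsSslCertificate -Thumbprint $newCert.Thumbprint
Restart-Service -Name adfssrv

# 5. Verify every binding now uses the new thumbprint; a leftover is what causes ERR_CONNECTION_RESET.
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $newCert.Thumbprint }
if ($stale) {
    $stale | Format-Table HostName, PortNumber, CertificateHash
    throw 'Old certificate is still bound'
}
"All AD FS SSL bindings now use $($newCert.Thumbprint)"
```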
