A while ago I wrote two posts on how to change ADFS certificates (part 1 and part 2). Changing the ADFS SSL certificate can cause lots of problems if it is not done correctly. Starting with AAD Connect version 1.1.553.0, Microsoft has made this easier than ever and no tricky PowerShell commands are needed. The ADFS SSL certificate can now be changed this way even if the ADFS farm isn't managed via AAD Connect.
The starting point: the ADFS SSL certificate had expired.
Before AAD Connect had this functionality you had to import the certificate into the Local Computer certificate store on every server and then bind it to ADFS and to the http.sys SSL binding yourself, with the WAP servers as a separate step. That part is now automated by AAD Connect.
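For reference, this is the manual rotation that the wizard automates, written as an added example; it is not code from the original post. It runs in an elevated PowerShell session on the primary ADFS server, and it assumes a PFX path of your own (the path below is a placeholder) and that the same PFX has already been imported on every other farm node and on each WAP server, which is the part the wizard takes care of for you.

```powershell
# Added example, not from the original post: manual ADFS SSL certificate
# rotation as done before AAD Connect 1.1.553.0. Run elevated on the primary
# ADFS server. Assumed (placeholder) value: $PfxPath.
$PfxPath = 'C:\Certs\adfs.pfx'                 # assumed path to the new PFX
$FsName  = (Get-AdfsProperties).HostName       # federation service name
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import the certificate together with its private key into the
#    Local Computer personal store.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass
$thumb = $cert.Thumbprint

# 2. Checks a rushed manual rotation tends to skip. Each one has caused a
#    broken farm in practice, so fail early rather than after the binding.
if (-not $cert.HasPrivateKey)      { throw "Certificate $thumb has no private key" }
if ($cert.NotAfter  -lt (Get-Date)) { throw "Certificate $thumb is already expired" }
if ($cert.NotBefore -gt (Get-Date)) { throw "Certificate $thumb is not yet valid" }
$names = @($cert.DnsNameList.Unicode)
if ($names -notcontains $FsName) {
    throw "Certificate does not cover $FsName (SANs: $($names -join ', '))"
}
if ($names -notcontains "certauth.$FsName") {
    Write-Warning "No certauth.$FsName SAN: certificate authentication on port 443 (ADFS 2016+) will not work"
}

# 3. Update the http.sys SSL binding. This cmdlet pushes the binding to every
#    node in the farm, which is why the PFX must already be in each node's store.
Set-AdfsSslCertificate -Thumbprint $thumb

# 4. If the same certificate is also the service communications certificate
#    (the usual setup), update that as well.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb

# 5. Restart the federation service so the new certificate is picked up.
Restart-Service adfssrv

# 6. Then on each WAP server, after importing the same PFX there:
#    Set-WebApplicationProxySslCertificate -Thumbprint $thumb
```

The order matters: the certificate has to be in the store on every node before step 3, and the WAP servers are a separate, easily forgotten step, which is exactly the kind of mistake the wizard removes.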
Select the task – Update AD FS SSL Certificate
Connect to Azure AD with Global Admin credentials
Connect to the AD FS servers with local admin credentials
Specify the AD FS servers
Once validated, connectivity shows green
Select the SSL certificate (PFX) file
The file is imported into AAD Connect – verify the certificate details (subject, expiry, thumbprint) before it is pushed to the ADFS servers
Select and verify the servers to update
All done, simple as that. A fast and easy deployment.
After the change has been made, the last page of the wizard lets you verify AD FS login with an end-user account, which in my case was successful.
In AD FS I can see that the SSL certificate has been changed (expiration date and thumbprint).
The old certificate thumbprint started with ec886… and the new one with 2f57….
The view from the WAP server, where the result is the same: the certificate has been changed in all necessary locations and the service is up and running normally.
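The wizard's own login test and the screenshots above cover the happy path; the check I run after any rotation is below, as an added example that is not part of the original post. It confirms, on an ADFS server, that the new certificate is in the store with its private key, that every http.sys binding and the service communications certificate use it, and that a real TLS handshake to the federation service name returns it. The only assumption is $ExpectedPrefix, the start of the new thumbprint (the post's new certificate starts with 2f57, the expired one with ec886).

```powershell
# Added example, not from the original post: post-rotation verification on an
# ADFS server. Assumed value: $ExpectedPrefix, the start of the new thumbprint.
$ExpectedPrefix = '2f57'          # assumption: first characters of the new thumbprint
$problems = @()

# 1. Local Computer store: the new certificate must be present with its private key.
$new = Get-ChildItem Cert:\LocalMachine\My |
       Where-Object { $_.Thumbprint -like "$ExpectedPrefix*" }
if (-not $new)                        { $problems += 'New certificate is not in Cert:\LocalMachine\My' }
elseif (-not $new.HasPrivateKey)      { $problems += 'New certificate has no private key' }
elseif ($new.NotAfter -lt (Get-Date)) { $problems += "New certificate expired on $($new.NotAfter)" }

# 2. ADFS SSL bindings: what http.sys serves per host name and port.
foreach ($b in Get-AdfsSslCertificate) {
    if ($b.CertificateHash -notlike "$ExpectedPrefix*") {
        $problems += "Binding $($b.HostName):$($b.PortNumber) still uses $($b.CertificateHash)"
    }
}

# 3. Service communications certificate, which is tracked separately from the
#    SSL binding and is easy to leave on the old thumbprint.
$svc = Get-AdfsCertificate -CertificateType Service-Communications
if ($svc.Thumbprint -notlike "$ExpectedPrefix*") {
    $problems += "Service-Communications certificate is still $($svc.Thumbprint)"
}

# 4. A real TLS handshake against the federation service name, the way a
#    browser or the WAP sees it. Chain validation is switched off here only so
#    the served certificate can be inspected even if it is not trusted locally.
$fs  = (Get-AdfsProperties).HostName
$tcp = New-Object System.Net.Sockets.TcpClient($fs, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($fs)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($served.Thumbprint -notlike "$ExpectedPrefix*") {
        $problems += "TLS handshake to $fs returned $($served.Thumbprint)"
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 5. Report. On each WAP server repeat steps 1 and 4, with
#    Get-WebApplicationProxySslCertificate in place of Get-AdfsSslCertificate.
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"SSL certificate $($new.Thumbprint) is in the store, bound in http.sys and served on $fs"
```

Step 4 is the one worth keeping even if you trust the wizard: the store and the binding can both be correct while a load balancer or a stale WAP in front of the farm keeps presenting the expired certificate, and only a handshake against the public name shows that.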
That is one more reason to upgrade your environment to the latest AAD Connect version, or at least to 1.1.553.0. This feature is very useful and avoids a lot of mistakes in ADFS certificate configuration.