Replace ADFS/WAP SSL certificates

As every year, I had to replace the SSL certificates on my ADFS/WAP infrastructure, and as every year I searched the internet for how to do this 🙂 The usual search results are:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap

https://blogs.technet.microsoft.com/rmilne/2016/03/21/updating-windows-server-2012-r2-adfs-ssl-and-service-certificates/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2013/11/13/replace-certificates-on-adfs-3-0/

But unfortunately none of them is 100% complete and accurate. Here is my procedure.

On the ADFS Server:

  • Import the new SSL certificate into the computer's „MY“ certificate store.
  • Run an elevated PowerShell to get the thumbprint of the certificate.
    cd cert:
    cd localmachine
    cd my
    dir

    Identify the thumbprint in the output. In my case: 1E8B377DD54B7650612C98E4B8816501B4BB4985

  • Switch the ADFS service communications certificate to the new SSL certificate with this cmdlet:
    Set-AdfsCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985 -CertificateType Service-Communications
  • Set the ADFS SSL certificate with this cmdlet and verify the HTTP.sys bindings with netsh:
    Set-AdfsSslCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985

    netsh http show sslcert
  • Verify that „read“ access to the private key was granted to the ADFS service account. Open „certlm.msc“, select the new SSL certificate and choose „All Tasks / Manage private keys“.
    Since the service runs under a „Virtual Account“, the entry to look for is „NT SERVICE\adfssrv“, which should have read access.
  • Restart the ADFS service
    Restart-Service adfssrv
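As an added example (not from the original post), here are the ADFS-server steps above as one PowerShell script: it picks the certificate by federation service name, performs the private-key ACL check the post does in certlm.msc, and only applies the change when -Apply is given. It assumes PowerShell 5.1 on the ADFS server and a key stored by the Microsoft software CSP/KSP; the script, its parameters and the helper function are my own, not Microsoft's.

```powershell
# Added example (not from the original post). Run elevated on the ADFS server.
# Without -Apply it only reports; with -Apply it switches ADFS to the selected certificate.
param(
    [Parameter(Mandatory)][string]$FederationServiceName,   # e.g. sts.youradfsservice.com
    [switch]$Apply
)

# Resolve the on-disk private key file so its ACL can be inspected (CAPI and CNG software keys).
# Assumption: the key lives in the Microsoft software CSP/KSP; HSM-backed keys return $null here.
function Get-PrivateKeyPath([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    return $null
}

# Newest unexpired certificate in LocalMachine\My whose SAN covers the federation service name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.DnsNameList.Unicode -contains $FederationServiceName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $FederationServiceName in LocalMachine\My" }
"Selected $($cert.Thumbprint) (expires $($cert.NotAfter))"

# Same check the post does in certlm.msc: the ADFS virtual account needs Read on the private key.
$keyPath = Get-PrivateKeyPath $cert
if ($keyPath -and (Test-Path $keyPath)) {
    $hasRead = (Get-Acl $keyPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -like '*\adfssrv' -and
        $_.FileSystemRights -match 'Read|FullControl' }
    if (-not $hasRead) { throw "NT SERVICE\adfssrv has no Read access to the private key; grant it in certlm.msc first" }
} else {
    Write-Warning "Could not locate the private key file; verify adfssrv access manually in certlm.msc"
}

if (-not $Apply) { "Checks passed. Re-run with -Apply to switch ADFS to this certificate."; return }

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
Restart-Service adfssrv

# Verify every ADFS HTTP.sys binding now carries the new hash instead of trusting the cmdlets silently.
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $cert.Thumbprint }
if ($stale) { Write-Warning "Bindings still on the old certificate:"; $stale | Format-Table HostName, PortNumber, CertificateHash }
else { "All ADFS SSL bindings now use $($cert.Thumbprint)" }
```

The final binding check is the scripted counterpart of the post's `netsh http show sslcert` step; a binding left on the old hash is exactly what produces a mysterious certificate warning after the old certificate expires.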

On the WAP Server:

  • Import the new SSL certificate into the computer's „MY“ certificate store.
  • Configure the WAP service for the new certificate with this cmdlet.
    Set-WebApplicationProxySslCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985
  • Re-establish the proxy trust with this cmdlet.
    Install-WebApplicationProxy -CertificateThumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985 -FederationServiceName sts.youradfsservice.com
  • This step is missing in most documentation if you have existing WAP published applications. Since every published application is configured separately with an SSL certificate, we had to change every app. All applications in my infrastructure were published with the same certificate, so I was able to switch all apps to the new certificate with this cmdlet:
    Get-WebApplicationProxyApplication | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985