How to update ADFS server SSL certificate?

BP123 0 Reputation points
2024-01-05T07:47:33.6433333+00:00

As shown in the link https://video2.skills-academy.com/en-us/troubleshoot/windows-server/identity/change-ad-fs-2-dot-0-service-communications

I have followed steps 1, 2, and 4 to update the SSL certificate on the ADFS server, but I am unable to complete step 3 because I cannot find IIS on the ADFS server; it seems that IIS is not installed on my ADFS server. How should I update the SSL certificate of ADFS?


1 answer

  1. Michael John Pena 160 Reputation points MVP
    2024-01-05T11:12:52.28+00:00

    If you cannot find IIS on your ADFS server, it’s likely that IIS is not installed. However, you can still update the SSL certificate of ADFS without IIS. Here are the steps you can follow:

    Obtain your TLS/SSL certificates: For production AD FS farms, a publicly trusted TLS/SSL certificate is recommended. AD FS obtains this certificate by submitting a certificate signing request (CSR) to a third-party public certificate provider.

    Import the certificate to the local machine store on each AD FS and WAP: After you get the response from your certificate provider, import it to the local machine store on each AD FS and WAP.

    Install the new TLS/SSL certificate: On the primary AD FS server, use the following PowerShell cmdlet to install the new TLS/SSL certificate:

    Set-AdfsSslCertificate -Thumbprint '<thumbprint of new cert>'

    Please replace <thumbprint of new cert> with the thumbprint of your new certificate.

    The recommended way to replace the TLS/SSL certificate going forward for an AD FS farm is to use Microsoft Entra Connect. You can use the Microsoft Entra Connect tool to easily update the TLS/SSL certificate for the AD FS farm even if the user sign-in method selected is not AD FS.

    Please note that the AD FS TLS/SSL certificate isn’t the same as the AD FS Service communications certificate found in the AD FS Management snap-in. To change the AD FS TLS/SSL certificate, you need to use PowerShell.

    I hope this helps! If you have any more questions, feel free to ask.

    References:

    1. Microsoft Documentation: https://video2.skills-academy.com/en-us/troubleshoot/windows-server/identity/change-ad-fs-2-dot-0-service-communications
    2. Microsoft Entra Connect: https://www.microsoft.com/en-us/entra/connect
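A worked version of the import-and-bind steps described in the answer above, added here as an example (it is not code from the answer's author or from Microsoft's documentation). It assumes an elevated PowerShell session on the primary AD FS server, a placeholder PFX path, and the standard PKI and ADFS module cmdlets; the import step is repeated on every AD FS and WAP server, while Set-AdfsSslCertificate runs on the primary only.

```powershell
# Added example, not part of the original answer.
# Assumptions: the new certificate was exported with its private key to the
# placeholder path below, and this runs elevated on the primary AD FS server.
$PfxPath     = 'C:\certs\adfs-new.pfx'            # placeholder, adjust to your path
$PfxPassword = Read-Host -AsSecureString 'PFX password'

# Step 2 of the answer: import into the local machine Personal store
# (Cert:\LocalMachine\My). Repeat this part on each AD FS and WAP server.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# Sanity checks before the farm is switched to the new certificate.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Imported certificate is already expired.' }

# The TLS/SSL binding and the Service Communications certificate are separate
# objects (see the answer). Show both so the distinction is visible.
Write-Host 'Service Communications certificate (AD FS Management snap-in):'
Get-AdfsCertificate -CertificateType Service-Communications |
    Format-Table Thumbprint, IsPrimary -AutoSize
Write-Host 'Current TLS/SSL binding(s):'
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# Step 3 of the answer: bind the new certificate on the primary server.
# Taking the thumbprint from the imported object avoids hidden characters
# that are often copied along from the certificate dialog.
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint

# Verify the binding now references the new thumbprint.
$bound = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -eq $cert.Thumbprint }
if (-not $bound) { throw 'AD FS SSL binding does not reference the new certificate.' }
Write-Host "AD FS now binds certificate $($cert.Thumbprint), valid until $($cert.NotAfter)."
```

After the binding changes, restart the AD FS service (Restart-Service adfssrv) and re-check Get-AdfsSslCertificate before removing the old certificate from the store.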