Replace ADFS and WAP SSL Certificates

On the ADFS Server:

Import the new SSL certificate into the computer's „MY“ certificate store.

Run an elevated PowerShell session to get the thumbprint of the certificate.

cd cert:

cd localmachine

cd my

dir

Identify the thumbprint in the output. In my case: 1E8B377DD54B7650612C98E4B8816501B

Switch the ADFS service communication certificate to the new SSL certificate with this cmdlet:

Set-AdfsCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4B -CertificateType Service-Communications

Set the ADFS SSL certificate with this cmdlet and verify the binding with netsh:

Set-AdfsSslCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985

netsh http show sslcert

Verify that „read“ access for the ADFS service account was granted on the certificate's private key. Open „certlm.msc“, select the new SSL certificate and select „All Tasks / Manage private keys“.
Since this is a „Virtual Account“, „NT SERVICE\adfssrv“ should be listed with read access.

Restart the ADFS service:

Restart-Service adfssrv

On the WAP Server:

Import the new SSL certificate into the computer's „MY“ certificate store.

Configure the WAP service for the new certificate with this cmdlet.

Set-WebApplicationProxySslCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4

Re-establish the proxy trust with this cmdlet.

Install-WebApplicationProxy -CertificateThumbprint 1E8B377DD54B7650612C98E4B8816501B4B -FederationServiceName

This step is missing in most documentation if you have existing WAP published applications. Since every published application is configured separately with an SSL certificate, we had to change every app. All applications in my infrastructure were published with the same certificate, so I'm able to switch all apps to the new certificate with this cmdlet:

Get-WebApplicationProxyApplication | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint 1E8B377DD54B7650612C98E4B88165
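
A post-rotation check for the WAP server, as an added example that is not part of the original post: it confirms the new certificate is usable and lists any HTTPS binding or published application still pointing at a different certificate. The variable names and the thumbprint placeholder are assumptions; replace the placeholder with the full thumbprint of your own certificate.

```powershell
# Added example, not from the original post. Run in an elevated session on the WAP server.
# Placeholder (assumption): paste the full thumbprint of the new certificate here.
$NewThumbprint = '<new certificate thumbprint>'

# Thumbprints copied from the certificate dialog can carry spaces or an
# invisible leading character, so keep only hex digits before comparing.
$thumb = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got $($thumb.Length) characters."
}

# 1. The certificate must exist in LocalMachine\My, carry a private key,
#    and be inside its validity period.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw 'The certificate has no private key on this machine.'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate not valid now: $($cert.NotBefore) to $($cert.NotAfter)."
}

# 2. HTTPS bindings of the WAP service that still use another certificate.
$staleBindings = @(Get-WebApplicationProxySslCertificate |
    Where-Object { $_.CertificateHash -ne $thumb })

# 3. Published applications that still use another external certificate.
#    Applications without an external certificate are skipped.
$staleApps = @(Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalCertificateThumbprint -and
                   $_.ExternalCertificateThumbprint -ne $thumb })

if ($staleBindings.Count -eq 0 -and $staleApps.Count -eq 0) {
    Write-Output "All WAP bindings and published applications use $thumb."
} else {
    Write-Warning 'Items still bound to a different certificate:'
    $staleBindings | Format-Table HostName, PortNumber, CertificateHash
    $staleApps | Format-Table Name, ExternalUrl, ExternalCertificateThumbprint
}
```
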
