On the ADFS Server:
Import the new SSL certificate into the computer's "MY" certificate store.
Run an elevated PowerShell to get the thumbprint of the certificate:
cd cert:
cd localmachine
cd my
dir
Identify the thumbprint in the output. In my case: 1E8B377DD54B7650612C98E4B8816501B
Switch the ADFS service communication certificate to the new SSL certificate with this cmdlet:
Set-AdfsCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4B -CertificateType Service-Communications
Set the ADFS SSL certificate with this cmdlet and verify the HTTP.SYS binding with netsh:
Set-AdfsSslCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985
netsh http show sslcert
Verify that "Read" access on the certificate's private key was granted to the ADFS service account. Open "certlm.msc", select the new SSL certificate and choose "All Tasks / Manage Private Keys".
Since the ADFS service runs under a "Virtual Account", "NT SERVICE\adfssrv" should have read access.
Restart the ADFS service:
Restart-Service adfssrv
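The ADFS-side steps above, scripted end to end as an added example (this is not code from the original post). It goes slightly beyond the post: instead of copying the thumbprint by hand it selects the newest unexpired certificate whose subject matches the federation service name, and it checks the private-key ACL for "NT SERVICE\adfssrv" programmatically rather than in certlm.msc. The service name is the placeholder used elsewhere on this page; the key-file locations under ProgramData\Microsoft\Crypto and the Get-PrivateKeyPath helper are assumptions about where Windows stores CNG and legacy CSP machine keys.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the ADFS server
# after the new certificate (with private key) has been imported into Cert:\LocalMachine\My.
$FederationServiceName = 'sts.youradfsservice.com'   # placeholder, replace with your own
$ServiceAccount        = 'NT SERVICE\adfssrv'         # default ADFS virtual service account

# Select the newest unexpired certificate with a private key for the service name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$FederationServiceName*" -and
                   $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $FederationServiceName" }
$thumbprint = $cert.Thumbprint
Write-Host "Using $($cert.Subject) ($thumbprint), valid until $($cert.NotAfter)"

# Assumption: locate the on-disk private key file (CNG key first, then legacy CSP key)
# so its file ACL can be inspected. This is what "Manage Private Keys" in certlm.msc edits.
function Get-PrivateKeyPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    $container = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
}

# Verify (and if necessary grant) Read on the private key for the service account.
$keyPath = Get-PrivateKeyPath $cert
if (-not (Test-Path $keyPath)) { throw "Private key file not found at $keyPath" }
$acl = Get-Acl -Path $keyPath
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}
if (-not $hasRead) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "Granted Read on the private key to $ServiceAccount"
} else {
    Write-Host "$ServiceAccount already has Read on the private key"
}

# Switch both the service communication certificate and the SSL binding, then restart ADFS.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumbprint
Set-AdfsSslCertificate -Thumbprint $thumbprint
Restart-Service adfssrv

# Verification: every binding and the service communication certificate should show the new thumbprint.
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
Get-AdfsCertificate -CertificateType Service-Communications | Select-Object Thumbprint, IsPrimary
netsh http show sslcert
```

If the ACL check fails after the grant, the key is usually a CNG key stored in a different directory than assumed above; the location shown by certutil -store My is authoritative, and the certlm.msc route from the post still works.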
On the WAP Server:
Import the new SSL certificate into the computer's "MY" certificate store.
Configure the WAP service for the new certificate with this cmdlet:
Set-WebApplicationProxySslCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4
Re-establish the proxy trust with this cmdlet:
Install-WebApplicationProxy -CertificateThumbprint 1E8B377DD54B7650612C98E4B8816501B4B -FederationServiceName sts.youradfsservice.com
This step is missing in most documentation if you have existing WAP-published applications. Since every published application is configured separately with an SSL certificate, every app has to be changed. All applications in my infrastructure were published with the same certificate, so I was able to switch all apps to the new certificate with this cmdlet:
Get-WebApplicationProxyApplication | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint 1E8B377DD54B7650612C98E4B88165
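The WAP-side steps above as one added script (not code from the original post). It goes a little further than the post's one-liner: it switches only the published applications that still reference the old certificate, so apps deliberately published with a different certificate are left alone, and it ends with a report of anything not yet on the new certificate. The two thumbprints are placeholders, and the federation service name is the one used on this page.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the WAP server
# after the new certificate (with private key) has been imported into Cert:\LocalMachine\My.
$NewThumbprint         = '<NEW-CERT-THUMBPRINT>'     # placeholder
$OldThumbprint         = '<OLD-CERT-THUMBPRINT>'     # placeholder
$FederationServiceName = 'sts.youradfsservice.com'   # placeholder, replace with your own

# Sanity check: the new certificate must exist locally with a private key.
$cert = Get-Item "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key on this host" }
if ($cert.NotAfter -le (Get-Date)) { throw "Certificate $NewThumbprint is already expired" }

# Switch the proxy's own SSL certificate and re-establish the trust with the federation server.
# Install-WebApplicationProxy prompts for federation service credentials unless
# -FederationServiceTrustCredential is supplied.
Set-WebApplicationProxySslCertificate -Thumbprint $NewThumbprint
Install-WebApplicationProxy -CertificateThumbprint $NewThumbprint -FederationServiceName $FederationServiceName

# Each published application carries its own external certificate. Update only those
# that used the old certificate, and log what was changed.
$apps  = Get-WebApplicationProxyApplication
$stale = $apps | Where-Object { $_.ExternalCertificateThumbprint -eq $OldThumbprint }
foreach ($app in $stale) {
    Write-Host "Switching '$($app.Name)' ($($app.ExternalUrl)) to $NewThumbprint"
}
$stale | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint $NewThumbprint

# Verification: list anything still not published with the new certificate.
$remaining = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalCertificateThumbprint -ne $NewThumbprint }
if ($remaining) {
    Write-Warning "Applications not on the new certificate:"
    $remaining | Select-Object Name, ExternalUrl, ExternalCertificateThumbprint | Format-Table -AutoSize
} else {
    Write-Host "All published applications now use $NewThumbprint"
}
```

Setting $OldThumbprint to the thumbprint the post's dir listing showed for the previous certificate reproduces the post's behaviour when every app shared that certificate; the final report is the check worth keeping, since an application left on an expired external certificate fails only for external clients and is easy to miss from inside the network.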