Thank you to Martin Buist @ http://www.martinbuist.com/windows-server-2012r2/how-to-change-token-cer…
Once a year a new token certificate needs to be extended in ADFS. If you have autocertificate enrolment on then this wil happen automaticly. However you need to inform the Relying party trust of the new token certificate if they do not use you adfs xml. Most partys do not use this.
How does it work.
By default the adfs server creates a new certificate 20 days before the primary token certificate expires. 5 days before expiring date the new certificate will be made primary. In this time frame you need to inform your relying party trust and give them the new ADFS certificate.
Lets face it. This is not enough time for most partys in my experience. So we need to extend this. Most of us do not want to do this every year. So let’s make this certificate 10 years.
Log on to you ADFS server and open up a Admin powershell. Put in the following command:
Set-ADFSProperties -CertificateDuration 3650
This will set the new certificate on 10 years. Now here is the catch. Once the certificate has been made. You have 5 days left to inform your relying partys until the new certificate will be made primary. If it is not updated within this time frame that relying party will not work any more.
You can put this on more days but it must not exceed the primary certificate expiration date. For example if you want ADFS to create a new certificate 50 days before. Put in the command
Set-AdfsProperties -CertificateGenerationThreshold 50
If you want more then 5 days. Put in the command
Set-ADFSProperties -CertificatePromotionThreshold 10
You can also create a certificate manually. But keep in mind. Once you create a certificate manually. You have 5 days before your ADFS server makes it primary unless you change this value before you create the new certificate
The following command will create the certificates
Update-ADFSCertificate –CertificateType token-signing
Update-ADFSCertificate –CertificateType token-decrypting
If you create a certificate and want to remove it. You can use the following command
NOTE from Tudor – Turn off rollover first: Set-ADFSProperties -AutocertificateRollover $false
Remove-ADFSCertificate -CertificateType token-signing -Thumbprint
Remove-ADFSCertificate -CertificateType token-decrypting -Thumbprint
NOTE from Tudor – Turn on rollover: Set-ADFSProperties -AutocertificateRollover $True
You can find the has by insert this command
Get-AdfsCertificate –CertificateType token-signing
Get-AdfsCertificate –CertificateType token-decrypting
If you have office 365 it should automaticly pick up the certificates. If it does not you need to update this by using the following powershell commands
$cred = Get-Credential
Connect-MsolService -Credential $cred
Update-MsolFederatedDomain -DomainName domain.com -SupportMultipleDomain