Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to change the ADFS 2.0 service communications certificate after it expires



Symptoms

A user wants to know how to change the ADFS 2.0 Service communications certificate after it expires or for other reasons.



Resolution

Replacing an existing ADFS Server service certificate is a multistep process.

Step 1: Install the new certificate into the local computer certificate store. To do this, follow these steps:

1.  Click Start, and then click Run.
2.  Type MMC.
3.  On the File menu, click Add/Remove Snap-in.
4.  In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.
5.  Select Computer account, and then click Next.
6.  Select Local computer: (the computer this console is running on), and then click Finish.
7.  Click OK.
8.  Expand Console Root\Certificates (Local Computer)\Personal\Certificates.
9.  Right-click Certificates, click All Tasks, and then click Import.

Step 2: Grant the ADFS service account permission to access the private key of the new certificate. To do this, follow these steps:


1.  With the local computer certificate store still open, select the certificate that was just imported.
2.  Right-click the certificate, click All Tasks, and then click Manage Private Keys.
3.  Add the account that is running the ADFS Service, and then give the account at least read permissions.

Note If you do not have the option to manage private keys, you may have to run the following command:

certutil -repairstore my *

Step 3: Bind the new certificate to the ADFS website by using IIS Manager. To do this, follow these steps:


1.  Open the Internet Information Services (IIS) Manager snap-in.
2.  Browse to Default Web Site.
3.  Right-click Default Web Site, and then select Edit Bindings.
4.  Select HTTPS, and then click Edit.
5.  Select the correct certificate under the SSL certificate heading.
6.  Click OK, and then click Close.

Step 4: Configure the ADFS Server service to use the new certificate. To do this, follow these steps:


1.  Open AD FS 2.0 Management.
2.  Browse to AD FS 2.0\Service\Certificates.
3.  Right-click Certificates, and then select Set Service Communications Certificate.
4.  Select the new certificate from the certificate selection UI.
5.  Click OK.

Note You may see a dialog box that contains the following message:

The certificate key length is less than 2048 bits. Certificates with key sizes less than 2048 bits might present a security risk and are not recommended. Do you want to continue?

After you read the message, click Yes. Another dialog box appears. It contains the following message:

Ensure that the private key for the chosen certificate is accessible to the service account for this Federation Service on each server in the farm.

This was already done in Step 2. Click OK.
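The following script is an added example, not part of the original Microsoft article, that performs Steps 1 through 4 above from an elevated PowerShell prompt on the ADFS 2.0 federation server. It assumes PowerShell 2.0 on Windows Server 2008 R2 (so it uses the .NET X509Store API instead of Import-PfxCertificate), the IIS WebAdministration module, and the Microsoft.Adfs.PowerShell snap-in that ships with ADFS 2.0. The PFX path, the service account name, and the web site name are placeholders you must replace. The key-length check mirrors the condition that produces the "less than 2048 bits" warning dialog in Step 4, and only Read access is granted on the private key, matching the least privilege the article asks for.

```powershell
# Added example (not from the KB article): scripted replacement of the
# ADFS 2.0 service communications certificate. Run elevated on the
# federation server. Placeholder values below are assumptions.

$PfxPath        = 'C:\certs\new-adfs-cert.pfx'   # assumed path to the new certificate
$ServiceAccount = 'CONTOSO\svc-adfs'              # assumed ADFS 2.0 service account
$SiteName       = 'Default Web Site'              # site that hosts the /adfs/ls application

# --- Step 1: import the PFX into LocalMachine\My --------------------------
# MachineKeySet + PersistKeySet stores the private key in the machine key
# container so it survives the import and is visible to the service account.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($PfxPath, $pfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet')

if (-not $cert.HasPrivateKey) { throw 'The PFX does not contain a private key.' }
if ($cert.PublicKey.Key.KeySize -lt 2048) {
    # Same condition that triggers the warning dialog in Step 4.
    Write-Warning ('Key length is {0} bits; 2048 bits or more is recommended.' -f $cert.PublicKey.Key.KeySize)
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
$thumbprint = $cert.Thumbprint

# --- Step 2: give the service account Read access to the private key -------
# The key file lives in the machine key container directory; Read is the
# minimum the ADFS service needs, so nothing more is granted.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyPath)) {
    # Equivalent of the "Manage Private Keys" option being missing in the GUI.
    throw "Private key file not found: $keyPath (try: certutil -repairstore my $thumbprint)"
}
& icacls $keyPath /grant "${ServiceAccount}:(R)" | Out-Null

# --- Step 3: bind the certificate to the HTTPS binding of the site in IIS ---
Import-Module WebAdministration
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "No HTTPS binding found on '$SiteName'." }
$binding.AddSslCertificate($thumbprint, 'My')

# --- Step 4: set the ADFS service communications certificate ----------------
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $thumbprint
Restart-Service adfssrv   # the service reads the new certificate only after a restart

# --- Verification: confirm ADFS now reports the new thumbprint and expiry ---
Get-ADFSCertificate -CertificateType Service-Communications |
    Select-Object CertificateType, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```

On a farm, Steps 1 and 2 (import and private-key permission) must be repeated on every federation server, which is what the second dialog box in Step 4 reminds you of; Steps 3 and 4 as written apply to the server you run the script on, so repeat the IIS binding on each node as well.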



Keywords: KB2504439


Article Info
Article ID : 2504439
Revision : 5
Created on : 4/8/2011
Published on : 4/8/2011
Exists online : False
Views : 499