ADFS : Update token signing/decrypting

If you decide that you want to immediately generate new self-signed certificates, then you need to first re-enable AutoCertificateRollover and then issue a PowerShell command to invoke immediate certificate generation.
PowerShell command to re-enable AutoCertificateRollover:
Add-PSSnapin Microsoft.Adfs.Powershell
Set-ADFSProperties -AutoCertificateRollover $true
PowerShell command to immediately generate new self-signed certificates:
Add-PSSnapin Microsoft.Adfs.Powershell
Update-AdfsCertificate -Urgent
NOTE: Be aware that there is an AD FS service outage incurred when the Token-Decrypting or Token-Signing certificates are updated because the relaying parties must update their configuration to expect the new certs. Do this work when users are least impacted by the outage.
Set Self Signed Certificates to 10 years
    Set-ADFSProperties CertificateDuration 3650 -AutoCertificateRollover $true
    Force update to new certificates

    Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
    Update-AdfsCertificate -CertificateType Token-Signing -Urgent
    Disable auto rollover after updating to 10 year certs (not required if you keep the 2 year default)

    Set-ADFSProperties -AutoCertificateRollover $false

    Update Office 365 Metadata (not required if you do not have Office 365)
    Update-MsolFederatedDomain -DomainName -SupportMultipleDomain
    Previous Post Next Post

    Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„