Changing default ADFS Decrypt/Signing Certificate lifetime from 1 year to X years

Posted in : ADFS, Microsoft, Powershell By Rasmus Kindberg Translate with Google ⟶

5 years ago

ADFS 2.0 and above versions have a feature called AutoCertificateRollover that will automatically updates the Decrypt and Signing certificates in ADFS, and by default these certificates will have a lifetime of 1 year. If you have federations (Relying Party Trusts) configured and the Service Provider (SP) is not using the ADFS metadata file to keep their configuration updated when ADFS changes occur, then the ADFS administrator will have to notify these Service Providers of the new Decrypt/Signing certificate thumbprints each time time the ADFS servers automatically renews the certificates.
To minimize the frequency of above task you can configure the default lifetime of the Decrypt and Signing certificates so you only have to do it every X years instead of every 1 year.
Below is the ADFS 3.0 Powershell configuration you can run to change the default lifetime to 5 years.

Run below in powershell to increase certificate expiration from 1 year to 5 years (365*5 = 1825)
Set-ADFSProperties -CertificateDuration 1825
Set the amount of days prior to Primary cert expiration that ADFS should generate new Secondary certificates. We set it to 20 days below.
Set-AdfsProperties -CertificateGenerationThreshold 20
Set the amount of days after a Secondary certificate has been generated before ADFS should automatically change it to Primary. We set this to 17 days, so ADFS will auto-promote Secondary to Primarty certificate 3 days before Primary certificate expires.
Set-AdfsProperties -CertificatePromotionThreshold 17
In case there already is a 'Secondary' Decrypt and Signing certificate created on ADFS (that have not gone into effect yet) you need to delete them first so we can re-create new ones with 1825 day expiration.
If there are no Secondary cert already created for Decrypt or Signing in ADFS, jump directly to step "Create new Decrypt and Signing certificates" below
Run below to temporarily disable certificate Rollover, which is needed since ADFS will not allow us to delete Secondary certificates otherwise
Set-AdfsProperties -AutoCertificateRollover $false
Run below and note the Thumbprint value for the certificate with value 'IsPrimary: False'
Get-AdfsCertificate token-decrypting
Run below to remove the certificate with the specified Thumbprint
Remove-AdfsCertificate -CertificateType "Token-Decrypting" -Thumbprint "68009CE64C97B4438E0B838C6D7CF300594DE18E"
Run below and note the Thumbprint value for the certificate with value 'IsPrimary: False'
Get-AdfsCertificate token-signing
Run below to remove the certificate with the specified Thumbprint
Remove-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint "F0F05EA04E08F129D1BAD64A7314034AE79281A2"
Activate ADFS Certificate Rollover again
Set-ADFSProperties -AutoCertificateRollover $true
Create new Decrypt and Signing certificates:
Update-AdfsCertificate -CertificateType Token-Decrypting
Update-AdfsCertificate -CertificateType Token-Signing
Verify that the new Secondary certificates showing in ADFS GUI have a 5 year lifetime. Done.

 
See below for how it should look with new Secondary certificates created with a lifetime of 5 years. When the date 3/23/2019 is reached, the ADFS server will automatically activate the (currently) Secondary certificates and update its metadata file accordingly. For any federations that do not use the ADFS metadata file those SPs will have to update the decrypt/signing certificate thumbprints on their side on this particular date (and specific hour, to minimize any downtime of the federation trust).

If you have any questions or comments on above, feel free to leave a message here or email me directly at rasmus.kindberg@xenit.se.
 

Tags : ADFS, Certificates, Decrypt, Federation, Relying Party Trust, Signing