Changing default ADFS Decrypt/Signing Certificate lifetime from 1 year to X years

ADFS 2.0 and later have a feature called AutoCertificateRollover that automatically renews the Token-Decrypting and Token-Signing certificates in ADFS; by default these certificates have a lifetime of 1 year. If you have federations (Relying Party Trusts) configured and the Service Provider (SP) does not use the ADFS federation metadata file to keep its configuration updated when ADFS changes occur, then the ADFS administrator has to notify each of these Service Providers of the new Decrypt/Signing certificate thumbprints every time the ADFS servers automatically renew the certificates.

To minimize how often you have to do this, you can change the default lifetime of the Decrypt and Signing certificates so that the notification is only needed every X years instead of every year.

Below is the ADFS 3.0 PowerShell configuration you can run to change the default lifetime to 5 years.

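The following is an added example of the procedure described above, written for this edit rather than taken from the original post. It assumes the ADFS 3.0 (Windows Server 2012 R2) PowerShell cmdlets `Get-AdfsProperties`, `Set-AdfsProperties`, `Update-AdfsCertificate` and `Get-AdfsCertificate`, run in an elevated session on the primary ADFS server. `CertificateDuration` is expressed in days, so 5 years is approximated as 1825 days (leap days ignored); that value is the example's own choice.

```powershell
# Added example (not the blog post's own script). Assumes the ADFS 3.0
# PowerShell module on the primary ADFS server. CertificateDuration is in
# days; 5 years is approximated here as 5 * 365 = 1825 days.
$NewLifetimeDays = 5 * 365

# 1. Record the current settings so the change can be reviewed or reverted.
$before = Get-AdfsProperties
"Before: AutoCertificateRollover={0}, CertificateDuration={1} days" -f `
    $before.AutoCertificateRollover, $before.CertificateDuration

# The new duration only matters for certificates ADFS generates itself, so
# stop early if automatic rollover has been turned off on this farm.
if (-not $before.AutoCertificateRollover) {
    throw "AutoCertificateRollover is disabled; enable it (or manage certificates manually) before changing CertificateDuration."
}

# 2. Change the default lifetime for certificates generated from now on.
Set-AdfsProperties -CertificateDuration $NewLifetimeDays

# 3. Generate new Secondary Token-Signing and Token-Decrypting certificates
#    that use the new lifetime. Without -Urgent the new certificates remain
#    Secondary until the rollover date, so existing federations keep working
#    with the current Primary certificates until then.
Update-AdfsCertificate -CertificateType Token-Signing
Update-AdfsCertificate -CertificateType Token-Decrypting

# 4. List the certificates, their thumbprints and validity dates. The Secondary
#    thumbprints and the Primary NotAfter date are what Service Providers that
#    do not consume the federation metadata need to be told in advance.
Get-AdfsCertificate |
    Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' } |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ Name = 'NotBefore'; Expression = { $_.Certificate.NotBefore } },
        @{ Name = 'NotAfter';  Expression = { $_.Certificate.NotAfter } } |
    Sort-Object CertificateType, IsPrimary |
    Format-Table -AutoSize

# 5. Confirm the new default took effect.
(Get-AdfsProperties).CertificateDuration
```

Run it once on the primary server; secondary ADFS servers pick up the change through configuration replication. The thumbprint listing in step 4 is also the check to rerun after each automatic rollover: if a Secondary certificate has become Primary, every SP that is not metadata-driven needs the new thumbprint before the old certificate is removed.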

See below for how it should look with new Secondary certificates created with a lifetime of 5 years. When the date 3/23/2019 is reached, the ADFS server will automatically promote the (currently) Secondary certificates to Primary and update its metadata file accordingly. For any federations that do not use the ADFS metadata file, the SPs will have to update the decrypt/signing certificate thumbprints on their side on that date (and at that specific hour, to minimize any downtime of the federation trust).

If you have any questions or comments on the above, feel free to leave a message here or email me directly at rasmus.kindberg@xenit.se.


Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.