Update SSL Certificate on ADFS and WAP

Created by Rohit Yadav, Modified on Fri, 14 Jul, 2023 at 4:15 PM by Rohit Yadav

  1. Buy an SSL certificate from GoDaddy.
  2. Create a CSR using the DigiCert Certificate Utility for Windows (DigiCert Certificate Utility for Windows | DigiCert.com).
    On a Windows machine you control, download and save the utility. The private key is generated on this machine and stays in its certificate store until you export it in step 4, so use a machine you trust, ideally one of the AD FS servers.
    Run DigiCertUtil.exe (double-click DigiCertUtil).
    In the DigiCert Certificate Utility for Windows, click SSL (gold lock), and then click Create CSR.


    On the Create CSR page, fill in the certificate details. The Common Name must be the federation service name (the host name clients resolve, for example adfs.contoso.com), and the key size should be 2048 bits or larger. Per the Microsoft article linked at the end of this page, add certauth.<federation service name> as a Subject Alternative Name if you use certificate authentication over port 443, and enterpriseregistration.<UPN suffix> if device registration is enabled.

    On the DigiCert Certificate Utility for Windows - Create CSR page, do one of the following and then click Close:
    Click Copy CSR to copy the CSR text to the clipboard.
    Click Save to File to save the CSR as a .txt file on the Windows machine.
    The CSR contains only the public key; the private key remains in this machine's certificate store, which is why the issued certificate has to be imported back on this same machine in step 4.

     
  3. Re-key your SSL certificate at GoDaddy.
    Log in to the GoDaddy portal, go to the certificate's page, and click Re-key your certificate.
    Paste the CSR and click Submit.
    You will receive a notification once the certificate is ready.
    Open the link in the notification and download the certificate (the .cer file and, if offered, the intermediate CA bundle).


  4. Export Your SSL Certificate with Its Private Key Using the DigiCert Certificate Utility
    Open the DigiCert utility on the same machine that generated the CSR in step 2; the utility pairs the issued certificate with the private key that is still in that machine's store, and the export fails without it.
    Click Import and select the .cer file you downloaded previously.
    After the import, select the certificate and click Export Certificate, choosing the option that includes the private key (.pfx).
    In the Password and Confirm Password boxes, enter and confirm a password, and then click Next.
    Note: This password is required when you import the .pfx onto other Windows servers or any device that accepts a .pfx file. Choose a strong one: the .pfx now holds the private key of your federation service, so copy it to the AD FS and WAP servers only over a secure channel and delete stray copies once every server is updated.

    After you receive the "Your certificate and key have been successfully exported" message, click OK.
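    Before the .pfx is copied anywhere, it is worth checking that it really contains the private key and that its names match what AD FS needs. The script below is an added example, not part of the original article or of the DigiCert utility; the file path, the federation service name and the UPN suffix are assumptions for the example.

```powershell
# Added check (not from the original article): inspect the exported .pfx before copying it to
# any server. Path, federation service name and UPN suffix are assumptions for this example.
$PfxPath  = 'C:\certs\adfs-ssl.pfx'                      # assumed location of the file exported in step 4
$Password = Read-Host -AsSecureString -Prompt 'PFX password'
$FederationServiceName = 'adfs.contoso.com'              # assumed; same host as in the netsh example later on this page
$UpnSuffix = 'contoso.com'                               # assumed; only matters if device registration is used

$pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
$cert = $pfx.EndEntityCertificates[0]

# Names the certificate covers: the SAN extension (OID 2.5.29.17) if present, otherwise just the CN.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$covered = @(if ($sanExt) {
    ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1].Trim().ToLower() }
} else {
    (($cert.Subject -split ',')[0] -replace '^\s*CN=', '').ToLower()
})

# Names AD FS expects on the SSL certificate (see the Microsoft article linked at the end of this page).
$required = @(
    $FederationServiceName                     # the federation service itself
    "certauth.$FederationServiceName"          # certificate authentication on port 443
    "enterpriseregistration.$UpnSuffix"        # device registration; drop this entry if DRS is not used
)

function Test-NameCovered([string]$Name, [string[]]$Covered) {
    # Exact SAN match, or a single-label wildcard one level up (*.adfs.contoso.com covers certauth.adfs.contoso.com).
    if ($Covered -contains $Name.ToLower()) { return $true }
    $parent = ($Name -split '\.', 2)[1]
    return $Covered -contains "*.$parent".ToLower()
}

"Subject     : $($cert.Subject)"
"Thumbprint  : $($cert.Thumbprint)"
"Valid until : $($cert.NotAfter)"
"Private key : $($cert.HasPrivateKey)"
"SAN/CN      : $($covered -join ', ')"
foreach ($name in $required) {
    '{0,-45} {1}' -f $name, $(if (Test-NameCovered $name $covered) { 'covered' } else { 'MISSING' })
}

if (-not $cert.HasPrivateKey) {
    throw 'No private key in the .pfx; export it again on the machine where the CSR was generated.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'This certificate expires in less than 30 days.' }
if ($pfx.OtherCertificates.Count -eq 0) {
    Write-Warning 'No intermediate certificates in the .pfx; make sure the GoDaddy CA chain is installed on each server.'
}
```

    A MISSING line for certauth.<name> only matters if certificate authentication on port 443 is used; a MISSING enterpriseregistration.<suffix> only matters if device registration is enabled. A missing private key means the .cer was imported on a machine other than the one that generated the CSR.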

  5. Using the MMC to Import the SSL Certificate .pfx File into the AD FS Personal Store

    1. On your Windows AD FS server, open the Microsoft Management Console (MMC) as an admin.

      1. From the Windows Start screen, type mmc.exe.

      2. Right-click on mmc.exe.

      3. In the menu at the bottom of the screen, click Run as administrator.

    2. In the User Account Control window, click Yes to allow the program to make changes to the computer.

    3. In the MMC Console, in the menu at the top, click File > Add/Remove Snap-in.

      MMC Console

    4. In the Add or Remove Snap-ins window, under Available snap-ins (left side), click Certificates and then, click Add.

      MMC Console - Add or Remove Snap-ins

    5. In the Certificates snap-in window, select Service account and then, click Next.

      MMC Console - Certificates snap-in

    6. In the Select Computer window, select Local computer: (computer this console is running on), and then, click Next.

      MMC Console - Select Computer

    7. In the Certificate snap-in window, select AD FS Windows Service and then, click Finish.

      MMC Console - Certificate snap-in

    8. In the Add or Remove Snap-ins window, click OK.

    9. In the MMC Console, in the console tree, expand Certificates - Service (AD FS Windows Service) > Personal, and then, click Certificates.

      MMC Console

    10. Right-click on the center section and then click All Tasks > Import to open the Certificate Import Wizard.

    11. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.

    12. On the File to Import page, click Browse to browse to the SSL Certificate .pfx file that you exported earlier, select the file, and then, click Open.

      MMC Console - Certificate Import Wizard - File to Import

    13. On the File to Import page, click Next.

    14. On the Private key protection page, do the following and then click Next:

      • In the Password box, enter the password you created when you exported the SSL Certificate as a .pfx file.
      • Check Mark this key as exportable only if you expect to export the key from this server again. Leaving it unchecked stops the key from being exported from this store with the standard tools, which is the safer default since you already hold the .pfx.
      • Check Include all extended properties.

      MMC Console - Certificate Import Wizard - Private key protection

    16. On the Certificate Store page, make sure that Place all certificates in the following store is selected and the Certificate store box is populated with the Personal store, and then, click Next:

      MMC Console - Certificate Import Wizard - Certificate Store

    17. On the Completing the Certificate Import Wizard page, verify that the settings are correct and then, click Finish.

      MMC Console - Certificate Import Wizard - Completing the Certificate Import Wizard

    18. You should receive "The import was successful" message.

      Now that you have imported the .pfx into the AD FS service account's Personal store, also import it into Certificates (Local Computer) > Personal on each AD FS server (repeat the wizard, choosing Computer account instead of Service account): the HTTP.sys bindings and the AD FS PowerShell cmdlets in step 8 look the certificate up in the Local Computer store, and step 7 reads the thumbprint from there. Then use the AD FS management console to assign the SSL Certificate to the AD FS service.

  6. Using the AD FS Management Console to Assign the SSL Certificate to the AD FS Service

    • On your Windows AD FS server, open the AD FS management console as an admin.

      1. From the Windows Start screen, type ad fs management.

      2. Right-click on AD FS Management.

      3. In the menu at the bottom of the screen, click Run as administrator.

    • In the User Account Control window, click Yes to allow the program to make changes to the computer.

    • In the AD FS Console window, in the console tree, expand Services, right-click on the Certificates folder, and select Set Service Communications Certificate.

      AD FS Management Console

    • Now, in the Windows Security window, select the new SSL Certificate that you just imported in to the AD FS Personal Store in the previous section and then, click OK.

    • In the AD FS Management window, a private key warning reminds you that the selected certificate's private key must be accessible to the AD FS service.

      Make sure the private key was imported together with the certificate (the certificate's General tab in the MMC says "You have a private key that corresponds to this certificate") and that the AD FS service account has Read permission on it: in Certificates (Local Computer) > Personal, right-click the certificate and choose All Tasks > Manage Private Keys.

    • Click OK.

      Your SSL Certificate should be successfully assigned to the AD FS Service.

  7. Get the Thumbprint of your SSL Certificate

    • Open the Microsoft Management Console (MMC) snap-in for certificates for the Computer account. (See How to: View Certificates with the MMC Snap-in.)

    • In the Console Root window's left pane, click Certificates (Local Computer).

    • Click the Personal folder to expand it.

    • Click the Certificates folder to expand it.

    • In the list of certificates, find the one you just imported. Match it by Issued To (the federation service name), Issued By (the GoDaddy CA) and the new Expiration Date, not by the Intended Purposes column: every SSL certificate, old or new, lists Server Authentication there, so that column does not tell them apart.

    • Double-click the certificate.

    • In the Certificate dialog box, click the Details tab.

    • Scroll through the list of fields and click Thumbprint.

    • Copy the hexadecimal characters from the box and remove the spaces before using the value with PowerShell or netsh. For example, the thumbprint "a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b" is used as "a909502dd82ae41433e6f83886b00d4277a32a7b".


  8. Using PowerShell to Enable Your SSL Certificate

    Open PowerShell on the primary AD FS server as an Administrator. On AD FS 2016 and later, Set-AdfsSslCertificate run on the primary updates every node in the farm, provided the certificate with its private key is already in the Local Computer personal store on each node; on AD FS 2012 R2 run it on every federation server.

    • In the Administrator: Windows PowerShell window, run the following command, using the thumbprint from step 7 without spaces:

      Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx
    • Restart the AD FS service (adfssrv).

    • To confirm that the certificate is bound, in PowerShell (run as administrator), run the following command. It takes no parameters and lists every AD FS HTTPS binding with its CertificateHash, each of which should now show the new thumbprint:

      Get-AdfsSslCertificate
    • On each Web Application Proxy server, import the same .pfx into Certificates (Local Computer) > Personal and bind it with Set-WebApplicationProxySslCertificate, passing the same thumbprint.

    • Your SSL Certificate should now be enabled.
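    Steps 6 to 8 on the AD FS side, as one script. This is an added example, not code from the original article or from Microsoft; it assumes AD FS 2016 or later, that it runs in an elevated PowerShell on the primary federation server, and that the federation service name below is replaced with yours.

```powershell
# Added example (not from the original article): steps 6-8 as one script. Run in an elevated
# PowerShell on the primary AD FS server (AD FS 2016+). The federation service name is an assumption.
$FederationServiceName = 'adfs.contoso.com'   # assumed
$WildcardName = '*.' + ($FederationServiceName -split '\.', 2)[1]   # *.contoso.com also covers the name

# Step 7 without the MMC: newest unexpired certificate in Local Computer > Personal that has a
# private key and names the federation service (SAN, CN, or a matching wildcard). HTTP.sys and the
# AD FS cmdlets read this store, not the "AD FS Windows Service" store used by the import wizard above.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (
            $_.DnsNameList.Unicode -contains $FederationServiceName -or
            $_.DnsNameList.Unicode -contains $WildcardName -or
            $_.Subject -like "CN=$FederationServiceName,*" -or
            $_.Subject -eq "CN=$FederationServiceName"
        )
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate for $FederationServiceName with a private key in LocalMachine\My." }

# Thumbprints copied from the MMC Details tab contain spaces; the cmdlets want 40 hex characters.
$thumb = ($cert.Thumbprint -replace '\s', '').ToUpper()
"Binding $($cert.Subject) [$thumb], valid until $($cert.NotAfter)"

# Step 8: rebind HTTPS for AD FS (and the device registration endpoints, if configured).
Set-AdfsSslCertificate -Thumbprint $thumb

# Step 6 in cmdlet form: the service communications certificate is a separate AD FS setting.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb

Restart-Service adfssrv

# Verify: every binding AD FS reports should now carry the new hash (comparison is case-insensitive).
$bindings = Get-AdfsSslCertificate
$bindings | Format-Table HostName, PortNumber, CertificateHash -AutoSize
$stale = $bindings | Where-Object { $_.CertificateHash -ne $thumb }
if ($stale) {
    $list = ($stale | ForEach-Object { "$($_.HostName):$($_.PortNumber)" }) -join ', '
    Write-Warning "Bindings still on another certificate: $list"
} else {
    'All AD FS SSL bindings use the new certificate.'
}
```

    If Set-AdfsSslCertificate fails or the service does not start after the restart, the usual cause is that the AD FS service account cannot read the private key; grant it Read on the key with All Tasks > Manage Private Keys on the certificate in Certificates (Local Computer) > Personal and run the script again.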

  9. Verify the certificate on ADFS and WAP

    On each AD FS and WAP server, run the following command in an elevated PowerShell:
    netsh http show sslcert
    Check the Certificate Hash of every binding that belongs to the federation service (on AD FS these carry Application ID {5d89a20c-beab-4389-9447-324788eb944a}); typically the federation service name on 443, certauth.<federation service name> on 443, localhost on 443 and the federation service name on 49443.
    Set-AdfsSslCertificate and Set-WebApplicationProxySslCertificate normally update these bindings for you. If a binding still shows the old hash, delete it and add it again with the new hash, keeping the same Hostname:port and Application ID. Note any non-default properties the binding shows (for example Negotiate Client Certificate on the certificate-authentication bindings) before deleting it, and set them again when you add it back:
    To delete: netsh http delete sslcert hostnameport=certauth.adfs.contoso.com:443
    To add: netsh http add sslcert hostnameport=certauth.adfs.contoso.com:443 certhash="4e3d09fa9b233a08c144317e6d17ec33e3a793d5" appid="{5d89a20c-beab-4389-9447-324788eb944a}" certstorename=MY
    Replace the certhash value with the thumbprint of your new certificate (no spaces). Then run the following command again and confirm that every federation service binding shows the new thumbprint:
    netsh http show sslcert
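    The same check as a script that runs on AD FS and WAP servers alike. It is an added example, not part of the original article: it parses the netsh output, lists every binding for the federation service whose hash differs from the new thumbprint, and with -Fix deletes and re-adds those bindings, reusing each binding's own Application ID, store and Negotiate Client Certificate setting so that nothing is lost in the rebind. The thumbprint default is the placeholder from the commands above and the federation service name is assumed; pass your own values.

```powershell
# Added example (not part of the original article): step 9 as a script for AD FS and WAP servers.
# Parses `netsh http show sslcert`, reports federation service bindings still on another hash, and
# with -Fix rebinds them. Thumbprint and federation service name below are assumptions/placeholders.
param(
    [string]$NewThumbprint = '4e3d09fa9b233a08c144317e6d17ec33e3a793d5',   # placeholder from the netsh example above
    [string]$FederationServiceName = 'adfs.contoso.com',                   # assumed
    [switch]$Fix
)
$NewThumbprint = ($NewThumbprint -replace '\s', '').ToLower()

function Get-HttpSslBinding {
    # netsh prints one block per binding: a "Hostname:port : x" or "IP:port : x" line starts a block,
    # followed by indented "Name : Value" lines (English netsh output is assumed).
    $bindings = @(); $cur = $null
    foreach ($line in (& netsh http show sslcert)) {
        if ($line -match '^\s*(Hostname:port|IP:port)\s*:\s*(\S+)') {
            if ($cur) { $bindings += [pscustomobject]$cur }
            $cur = [ordered]@{ Kind = $Matches[1]; Endpoint = $Matches[2]; Hash = ''; AppId = ''; Store = 'MY'; NegotiateClientCert = $false }
        } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $cur.Hash = $Matches[1].ToLower()
        } elseif ($cur -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $cur.AppId = $Matches[1]
        } elseif ($cur -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            if ($Matches[1] -ne '(null)') { $cur.Store = $Matches[1] }
        } elseif ($cur -and $line -match '^\s*Negotiate Client Certificate\s*:\s*(\S+)') {
            $cur.NegotiateClientCert = ($Matches[1] -eq 'Enabled')
        }
    }
    if ($cur) { $bindings += [pscustomobject]$cur }
    return $bindings
}

# Bindings that belong to the federation service: its name (plain, certauth., any port) and localhost.
function Get-FederationBinding {
    Get-HttpSslBinding | Where-Object { $_.Endpoint -like "*$FederationServiceName*" -or $_.Endpoint -like 'localhost:*' }
}

$mine  = @(Get-FederationBinding)
$stale = @($mine | Where-Object { $_.Hash -ne $NewThumbprint })

$mine | Format-Table Kind, Endpoint, Hash, AppId, NegotiateClientCert -AutoSize
if ($stale.Count -eq 0) { 'All federation service bindings use the new certificate.'; return }
Write-Warning "Bindings still on another certificate: $(($stale | ForEach-Object Endpoint) -join ', ')"

if ($Fix) {
    foreach ($b in $stale) {
        # Hostname-based (SNI) bindings are addressed with hostnameport=, IP-based ones with ipport=.
        $selector  = if ($b.Kind -eq 'IP:port') { "ipport=$($b.Endpoint)" } else { "hostnameport=$($b.Endpoint)" }
        $negotiate = if ($b.NegotiateClientCert) { 'enable' } else { 'disable' }
        & netsh http delete sslcert $selector
        & netsh http add sslcert $selector "certhash=$NewThumbprint" "appid=$($b.AppId)" "certstorename=$($b.Store)" "clientcertnegotiation=$negotiate"
    }
    Get-FederationBinding | Format-Table Kind, Endpoint, Hash, NegotiateClientCert -AutoSize
}
```

    Run it without -Fix first on every AD FS and WAP server and read the table; only use -Fix when Set-AdfsSslCertificate or Set-WebApplicationProxySslCertificate has left a binding on the old hash, and check the rebound binding's other properties in the final netsh output before moving on.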



Rekey my certificate | SSL Certificates - GoDaddy Help IN

Manage TLS/SSL Certificates in AD FS and WAP in Windows Server 2016 | Microsoft Learn
