ADFS 3.0 Changing the Token certificate

There are several certificates in ADFS

  1. Service Communications — This SSL cert is used to encrypt all client connectivity to the AD FS server.
  2. Token-Signing — This x.509 cert is used to sign the token sent to the relaying party to prove that it indeed came from AD FS.
  3. Token-Decrypting — This x.509 cert used to encrypt the payload of a SAML token before its encrypted again at the SSL transport layer. It is rarely used.

For this post I am going to focus on the Token certificate. These certificates will expire and this post is about renewing the certs. There are some preambles we should discuss

  1. Do I use the self signing on cert or a public cert? Using the public cert is an unnecessary overhead and I wouldn’t recommend it.
  2. Do I update just the Token-signing? The Token-Decrypting is rarely used but its presence means that relying party that consumes the ADFS metadata will alert about expiration of the cert.
  3. How long is the TTL of the cert? By default ADFS sets the TTL of the self selfing certificate at 1 year. Increase it to 10 years or greater unless security team advises otherwise, its a huge overhead to make this update depending on how many relying party you have.
  4. Does it impact relying party? Yes, so make sure you get all the replying ready to update their ADFS info. If they consume metadata then they just have to pull the update, if they update certificate they should get ready to get the certificate. For O365 after the system has been updated, it could take 30min to 1hr for the update to propagate.

The Update on ADFS

Logon to the primary ADFS server, open an Admin PowerShell promt. Run the following command to set the TTL to 10 years

Set-ADFSProperties -CertificateDuration 3650

Run the following commands to generate a new self-signed Token signing and Token-decryting certificate

Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
Update-AdfsCertificate -CertificateType Token-Signing -Urgent

Update O365

On the ADFS server install the MSOL library if you have not already done so, that will be



Get an O365 Global Admin account. Run the following command

Update-MsolFederatedDomain -DomainName

Send signing certificate to Relying Party

  • Open ADFS manager
  • Expand Service, certificates.
  • Double Click on the Token-signing certificate.
  • Click Details tab
  • Click “Copy to file”
  • Click Next
  • Select “Base-64 encoded X.509 (.Cer)”, click next
  • Give name of the file and where it should be stored
  • click finish