...
Step 1 : Add Certificates to ADFS
- Token-Signing
Add-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint "<thumbprint of signing cert>" (add the optional switch -IsPrimary to make it the primary certificate immediately)
- Token-Decrypting
Add-AdfsCertificate -CertificateType "Token-Decrypting" -Thumbprint "<thumbprint of decrypting cert>" (add the optional switch -IsPrimary to make it the primary certificate immediately)
Step 2 : Upload new Metadata
...
- Upload the XML from https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml to metadata.swamid.se/admin.
- Remove the SP or IdP part if the ADFS isn't going to be used in both roles.
- Use "Merge missing from published" to copy over all EntityCategories and MDUI information from the old entity.
- Request publication.
- Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
Step 3 :
...
Certificate rollover
Automatic rollover
When does this happen? Run Get-AdfsProperties and check the value of CertificateCriticalThreshold.
The default setting is 2, which means that ADFS will switch the certificates two days before their expiration date whether you want it to or not.
The next parameter of interest is CertificatePromotionThreshold; its default value of 5 means the old certificate will remain present as a secondary certificate for five days after rollover.
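The following script is an added check that is not part of this page: it prints the rollover thresholds from Get-AdfsProperties, lists the token certificates ADFS holds with their days to expiry, and verifies that every one of them is already present in the federation metadata that gets uploaded to SWAMID in Step 2. It assumes the ADFS PowerShell module is loaded and uses the page's placeholder hostname adfs.example.com.

```powershell
# Added check, not from the SWAMID page. Assumes the ADFS module is loaded
# and that $MetadataUrl points at your own ADFS host (placeholder below).
$MetadataUrl = "https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml"

$props = Get-AdfsProperties
"AutoCertificateRollover       : $($props.AutoCertificateRollover)"
"CertificateCriticalThreshold  : $($props.CertificateCriticalThreshold) days"
"CertificatePromotionThreshold : $($props.CertificatePromotionThreshold) days"

# Token certificates ADFS currently holds (primary and secondary) with days left.
$local = Get-AdfsCertificate | Where-Object { $_.CertificateType -in "Token-Signing", "Token-Decrypting" }
foreach ($c in $local) {
    $daysLeft = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
    "{0,-16} primary={1,-5} expires in {2,4} days  {3}" -f $c.CertificateType, $c.IsPrimary, $daysLeft, $c.Thumbprint
    if ($daysLeft -le $props.CertificateCriticalThreshold) {
        Write-Warning "$($c.Thumbprint) is inside CertificateCriticalThreshold; ADFS will roll it over on its own."
    }
}

# Certificates published in the federation metadata (the XML uploaded to metadata.swamid.se).
[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$published = foreach ($node in $md.SelectNodes("//ds:X509Certificate", $ns)) {
    $bytes = [Convert]::FromBase64String($node.InnerText)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    # X509Certificate > X509Data > KeyInfo > KeyDescriptor (or the metadata's own Signature element)
    $owner = $node.ParentNode.ParentNode.ParentNode
    $use = if ($owner.LocalName -eq "KeyDescriptor") { $owner.GetAttribute("use") } else { "metadata-signature" }
    if (-not $use) { $use = "unspecified" }
    [pscustomobject]@{ Use = $use; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
}
$published | Sort-Object Thumbprint -Unique | Format-Table -AutoSize

# Every token certificate ADFS holds must appear in the metadata before you request publication.
foreach ($c in $local) {
    if ($published.Thumbprint -notcontains $c.Thumbprint) {
        Write-Warning "$($c.CertificateType) cert $($c.Thumbprint) is NOT in the published metadata yet."
    }
}
```

Run it once after Step 1 (the new certificate should show up as a secondary and in the metadata) and again after the manual or automatic rollover, before uploading the metadata again in Step 4.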
Manual rollover
This can be done in the console by right-clicking the certificate and selecting "Set as primary", or with PowerShell:
Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint "<thumbprint of cert>" -IsPrimary
Set-AdfsCertificate -CertificateType "Token-Decrypting" -Thumbprint "<thumbprint of cert>" -IsPrimary
Step 4 : Upload new Metadata again
...
Step 5 : Disable / remove key from software.
Remove the old certificates in the console or with PowerShell:
Remove-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint "<thumbprint of old signing cert>"
Remove-AdfsCertificate -CertificateType "Token-Decrypting" -Thumbprint "<thumbprint of old decrypting cert>"