
AD FS 2.0: Understanding AutoCertificateRollover Threshold Properties

| Item | Sample Value | Description of Item | Effect |
|---|---|---|---|
| AutoCertificateRollover | True | Specifies whether the system will manage certificates for the administrator and generate new certificates before the expiration date of the current certificates. | The Federation Service will maintain the Token-Signing and Token-Decrypting certificates automatically. |
| CertificateCriticalThreshold | 2 | Specifies the period of time (in days) before the current primary signing or decryption certificate expires. When this threshold is reached, the Federation Service initiates the auto-rollover service, generates a new certificate, and promotes it to be the primary certificate. This rollover process occurs even if the critical threshold interval does not provide sufficient time for partners to replicate the new metadata. This should be a short period of time that is used only in extreme conditions when the Federation Service has not been able to generate a new certificate in advance. | This value should not come into effect unless AD FS 2.0 failed to generate new certificates using the other AutoCertificateRollover parameters. |
| CertificateDuration | 1095 | Specifies the period of time (in days) that any certificate the Federation Service generates remains valid. | New certificates generated by AutoCertificateRollover will be valid for a period of 3 years (1095 days). |
| CertificateGenerationThreshold | 30 | Specifies the period of time (in days) before the current primary certificate expires at which a new primary certificate is generated to replace it. When this threshold is reached, the Federation Service initiates an auto-rollover process that generates a new certificate and adds it to the secondary collection. This rollover process occurs so that federation partners can consume this metadata in advance and trust is not broken when the newly generated certificate is promoted to be the primary certificate. | A new Secondary Token-Signing certificate and a new Secondary Token-Decrypting certificate will be generated 30 days before the current Primary of each certificate type expires. |
| CertificatePromotionThreshold | 5 | Specifies the period of time (in days) during which a newly generated certificate remains a secondary certificate before being promoted to be the primary certificate. | Once the certificate generation threshold has been met (30 days before Primary expiration, based on CertificateGenerationThreshold), the new Secondary certificate will remain Secondary for 5 days, which means the old Primary will no longer be used once it is 25 days from expiration. This also means Relying Parties consuming your metadata have up to 5 days to detect your new certificate(s) before your Federation Service begins to use them as Primary. |
| CertificateRolloverInterval | 720 | Specifies the certificate rollover interval (in minutes). This value determines how frequently the Federation Service initiates the rollover service by polling to check whether new certificates need to be generated. | The Federation Service will compute whether it needs to perform any AutoCertificateRollover work every 12 hours (720 minutes). |
| CertificateThresholdMultiplier | 1440 | Specifies the certificate threshold multiplier. By default, this parameter uses the number of minutes in a day (1440) as the multiplier. It should be changed only if you want to use a more finely grained measure of time (such as less than a single day) when calculating the time periods for the other certificate threshold parameters in this cmdlet. | This is the default tuning value for measuring time used by the other threshold parameters. In general, this value should not be changed from 1440. |
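The following PowerShell script is an added example, not part of the original article and not Microsoft's own code. It reads the AutoCertificateRollover properties from an AD FS 2.0 Federation Service with the AD FS 2.0 cmdlets (Get-ADFSProperties, Get-ADFSCertificate, Set-ADFSProperties) and turns the thresholds in the table above into a concrete timeline for the current Primary Token-Signing and Token-Decrypting certificates: the date the Secondary certificate will appear in metadata, the date it will be promoted to Primary, and the date the critical fallback would fire. The multiplier is applied explicitly, so the dates stay correct even if CertificateThresholdMultiplier has been changed from 1440. It assumes it runs on an AD FS 2.0 federation server (Windows PowerShell 2.0, Microsoft.Adfs.PowerShell snap-in) under an account that is allowed to read the Federation Service configuration; the variable and property names in the output object are my own.

```powershell
# Added example (not from the original article): map the AutoCertificateRollover
# thresholds onto the lifetime of the current Primary certificates so that
# metadata consumers' detection window and the critical fallback date are visible.
# Assumes an AD FS 2.0 federation server; the snap-in name is the AD FS 2.0 one.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props = Get-ADFSProperties

if (-not $props.AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is False: the Token-Signing and Token-Decrypting certificates must be renewed manually."
}

# Every threshold is "N units", where one unit is CertificateThresholdMultiplier minutes (1440 = one day).
$unitMinutes  = $props.CertificateThresholdMultiplier
$generateLead = [TimeSpan]::FromMinutes($props.CertificateGenerationThreshold * $unitMinutes)
$promoteWait  = [TimeSpan]::FromMinutes($props.CertificatePromotionThreshold  * $unitMinutes)
$criticalLead = [TimeSpan]::FromMinutes($props.CertificateCriticalThreshold   * $unitMinutes)
$pollInterval = [TimeSpan]::FromMinutes($props.CertificateRolloverInterval)   # always minutes, not multiplied

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    # Only the Primary certificate drives the rollover dates; Secondaries are the rollover's output.
    $primary = Get-ADFSCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
    if ($primary -eq $null) {
        Write-Warning "No Primary $type certificate found."
        continue
    }

    $expires   = $primary.Certificate.NotAfter
    $generated = $expires - $generateLead               # new Secondary is created and published in metadata
    $promoted  = $generated + $promoteWait              # Secondary becomes Primary; old Primary stops being used
    $critical  = $expires - $criticalLead               # emergency generate-and-promote if nothing exists by now

    # New-Object PSObject keeps this compatible with Windows PowerShell 2.0 on AD FS 2.0 servers.
    New-Object PSObject -Property @{
        CertificateType        = $type
        PrimaryThumbprint      = $primary.Thumbprint
        PrimaryExpires         = $expires
        SecondaryGeneratedOn   = $generated
        PromotedToPrimaryOn    = $promoted
        CriticalFallbackOn     = $critical
        PartnerDetectionWindow = $promoteWait            # time Relying Parties have to pick up the new metadata
        MaxPollingDelay        = $pollInterval           # each event may fire up to one polling interval late
    }
}

# Sanity check on the relationship between the thresholds: generation must precede promotion,
# and promotion must complete before the critical threshold, otherwise the emergency path
# (which ignores partner replication time) is the one that actually runs.
if ($props.CertificatePromotionThreshold -ge $props.CertificateGenerationThreshold) {
    Write-Warning "CertificatePromotionThreshold is not smaller than CertificateGenerationThreshold; the Secondary would never be promoted before the critical fallback."
}
if (($props.CertificateGenerationThreshold - $props.CertificatePromotionThreshold) -le $props.CertificateCriticalThreshold) {
    Write-Warning "Promotion would happen inside the critical threshold window; partners get no advance notice."
}

# To restore the sample values from the table, run (uncomment) the following on one federation server;
# the settings are stored in the configuration database and apply to the whole farm:
# Set-ADFSProperties -AutoCertificateRollover $true `
#     -CertificateGenerationThreshold 30 -CertificatePromotionThreshold 5 `
#     -CertificateCriticalThreshold 2 -CertificateDuration 1095 `
#     -CertificateRolloverInterval 720 -CertificateThresholdMultiplier 1440
```

With the sample values from the table, a Primary certificate that expires on day 0 gets its Secondary generated on day -30, promoted on day -25, and the critical fallback date is day -2; each of those events can occur up to 12 hours after its threshold because the rollover service only polls every CertificateRolloverInterval minutes. The PartnerDetectionWindow column is the figure to compare against how often your Relying Parties refresh your federation metadata: if a partner refreshes less often than that window, it will see tokens signed by a certificate it has not yet trusted.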