ADFS Step-By-Step: to renew SSL certificate for federation metadata URL
This document outlines the steps to renew the SSL certificate for ADFS claims providers federation metadata URL.
1) To take the application ID and the certificate hash run the below command.
netsh http show sslcert
https://exchangequery.files.wordpress.com/2018/01/adfs1.png?w=600
Copy only application id value. This we require for the certificate renewal. Better to take a copy of the results.
2) Run this command to see the ADFS listeners.
netsh http show urlacl
https://exchangequery.files.wordpress.com/2018/01/adfs2.png?w=600
This is just to take a copy of the ACL URLs before the certificate renewal. This part is so sensitive because ADFS will have some URL reservations in the HTTP.SYS. This will help us just in case if we face any issues after the certificate renewal.
3) Delete the old certificates.
$Command = “http delete sslcert hostnameport=adfs.exchangequery.com:443”
$Command | netsh
$Command = “http delete sslcert hostnameport=adfs.exchangequery.com:49443”
$Command | netsh
$Command = “http delete sslcert hostnameport=localhost:443”
$Command | netsh
$Command = “http delete sslcert hostnameport=EnterpriseRegistration.exchangequery.com:443”
$Command | netsh
4) Delete the old host IP and port entries.
$Command = “http delete sslcert hostnameport=0.0.0.0:443”
$Command | netsh
5) Now we can add the new certificates.
Prerequisite:
Take the APP ID which was noted down in step 1.
Take the certificate hash. This can be taken from the new certificate thumbprint.
An example below – remove all the spaces and copy the new certificate hash value.
https://exchangequery.files.wordpress.com/2018/01/adfs3.png?w=600
# APP ID
$guid = “paste the appid here”
# Cert Hash
$certhash = “paste the certificatethumbprint”
To renew actual metadata URL:
$hostnameport = “adfs.exchangequery.com:443”
$Command = “http add sslcert hostnameport=$hostnameport certhash=$certhash appid={$guid} certstorename=MY sslctlstorename=AdfsTrustedDevices clientcertnegotiation=disable”
$Command | netsh
To renew localhost:
$hostnameport = “localhost:443”
$Command = “http add sslcert hostnameport=$hostnameport certhash=$certhash appid={$guid} certstorename=MY sslctlstorename=AdfsTrustedDevices clientcertnegotiation=disable”
$Command | netsh
To renew Device Registrations:
$hostnameport = “adfs.exchangequery.com:49443”
$Command = “http add sslcert hostnameport=$hostnameport certhash=$certhash appid={$guid} certstorename=MY clientcertnegotiation=enable”
$Command | netsh
The above is required because changes were made in ADFS on Windows Server 2012 R2 to support Device registration and happens on port 49443.
$hostnameport = “EnterpriseRegistration.exchangequery.com:443”
$Command = “http add sslcert hostnameport=$hostnameport certhash=$certhash appid={$guid} certstorename=MY sslctlstorename=AdfsTrustedDevices clientcertnegotiation=disable”
$Command | netsh
The above is also required for device registration service.
Hope this helps.