Calculate ADFS Certificates Expiration Time

Calculating ADFS Certificates Expiration Time when renewing ADFS Token Signing and Token Decrypting certificates

This post mainly answers the questions asked most often when renewing the ADFS Token Signing (TS) and Token Decrypting (TD) certificates.

Question:
How can I know exactly when (the exact time, down to hours and minutes) the TS and TD certificates will be self-promoted to "Primary Certificates" after 5 days as "Secondary Certificates"?

The main reason we want to know the exact time is that we have to run "Update-MsolFederatedDomain" immediately after the TS and TD certificates are self-promoted to "Primary Certificates", so that there is no service downtime.

Answer:
In fact the exact time (hours and minutes) is not known in advance, and it can vary from case to case. However, based on my recent experience: say I generated the certificates (or they auto rolled over) on 20-May-2016 at 11:00 AM.

By right, both certificates should have been self-promoted on 26-May around 11 AM, but in fact they were self-promoted to Primary Certificates on 26-May-2016 around 4:00 PM, which means it took roughly 5 days and 4 hours.

So you can now gauge approximately when the certificates will be self-promoted to Primary.

Assumption:
Today's date: 10-May-2016
AutoCertificateRollover: $true
CertificateGenerationThreshold: 20
CertificatePromotionThreshold: 5

The certificates are supposed to roll over (generate two new secondary certificates) automatically on 20-May-2016, i.e. 20 days before they expire, without your intervention, because AutoCertificateRollover is set to True (confirm this by running "Get-ADFSProperties"). Both certificates expire on 9-June-2016.

Now assume instead that you generated both certificates manually on 10-May-2016, before the default 20-day generation threshold kicks in.

Question:
On which day will both secondary certificates be self-promoted to Primary Certificates?

(A) 25-May-2016, i.e. 5 days after the default rollover date 20 days before certificate expiration, OR
(B) 15-May-2016, i.e. 5 days after you manually generated both secondary certificates?

Answer:
(B). Both certificates will be self-promoted 5 days after they were manually generated: the promotion threshold counts from the moment the secondary certificate was generated, not from the date the automatic rollover would have fired. This assumes they were generated with "Update-AdfsCertificate" without the -Urgent switch; with -Urgent the new certificate becomes Primary immediately and there is no secondary period at all.
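Rather than guessing the promotion time from a calendar, you can read the thresholds and the secondary certificates straight from ADFS, compute the expected promotion window, and then poll until the promotion actually happens before running "Update-MsolFederatedDomain". The script below is an added example written for this post, not code from the original article or from Microsoft. It assumes an elevated PowerShell session on an AD FS server with the ADFS and MSOnline modules installed, that the NotBefore date of an ADFS self-signed certificate is close to its generation time, and that "contoso.com" and the thumbprint placeholder are stand-ins for your own values.

```powershell
# Added example (not from the original post): estimate when ADFS secondary
# Token-Signing / Token-Decrypting certificates will be promoted to Primary,
# then poll for the real promotion and update the Azure AD federation trust.
# Assumptions: elevated session on an AD FS server; ADFS and MSOnline modules
# present; NotBefore of the self-signed certificate ~= its generation time.

Import-Module ADFS
Import-Module MSOnline

function Get-AdfsCertificatePromotionEstimate {
    # Returns one object per TS/TD certificate with its next expected event.
    $props = Get-AdfsProperties
    if (-not $props.AutoCertificateRollover) {
        Write-Warning 'AutoCertificateRollover is False: certificates will not self-promote.'
    }
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($cert in Get-AdfsCertificate -CertificateType $type) {
            $x509 = $cert.Certificate
            if ($cert.IsPrimary) {
                # Primary: auto-rollover generates a new secondary
                # CertificateGenerationThreshold days before expiry.
                [pscustomobject]@{
                    CertificateType = $type
                    Thumbprint      = $cert.Thumbprint
                    Role            = 'Primary'
                    Expires         = $x509.NotAfter
                    NextEvent       = 'Auto-rollover (new secondary generated)'
                    EarliestTime    = $x509.NotAfter.AddDays(-$props.CertificateGenerationThreshold)
                    LatestTime      = $x509.NotAfter.AddDays(-$props.CertificateGenerationThreshold).AddMinutes($props.CertificateRolloverInterval)
                }
            } else {
                # Secondary: promoted CertificatePromotionThreshold days after it
                # was generated, whether by auto-rollover or by a manual
                # Update-AdfsCertificate. The rollover check runs on a timer
                # (CertificateRolloverInterval, in minutes), which is why the
                # promotion can land a few hours after the threshold is crossed.
                $earliest = $x509.NotBefore.AddDays($props.CertificatePromotionThreshold)
                [pscustomobject]@{
                    CertificateType = $type
                    Thumbprint      = $cert.Thumbprint
                    Role            = 'Secondary'
                    Expires         = $x509.NotAfter
                    NextEvent       = 'Promotion to Primary'
                    EarliestTime    = $earliest
                    LatestTime      = $earliest.AddMinutes($props.CertificateRolloverInterval)
                }
            }
        }
    }
}

function Wait-AdfsCertificatePromotion {
    # Poll until the given secondary Token-Signing thumbprint becomes Primary,
    # then push the new signing certificate to the Azure AD federation trust.
    param(
        [Parameter(Mandatory)] [string]$DomainName,
        [Parameter(Mandatory)] [string]$SecondaryThumbprint,
        [int]$PollMinutes = 5
    )
    do {
        $cert = Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object { $_.Thumbprint -eq $SecondaryThumbprint }
        if (-not $cert) {
            throw "Thumbprint $SecondaryThumbprint is not a Token-Signing certificate on this farm."
        }
        if (-not $cert.IsPrimary) {
            Write-Host "$(Get-Date -Format s): $SecondaryThumbprint is still Secondary; sleeping $PollMinutes min"
            Start-Sleep -Seconds ($PollMinutes * 60)
        }
    } until ($cert.IsPrimary)

    Write-Host "$(Get-Date -Format s): $SecondaryThumbprint is now Primary; updating the federation trust"
    Connect-MsolService                     # prompts for Global Administrator credentials
    Update-MsolFederatedDomain -DomainName $DomainName
}

# Usage (placeholders: replace the domain and thumbprint with your own values):
Get-AdfsCertificatePromotionEstimate | Format-Table -AutoSize
# Wait-AdfsCertificatePromotion -DomainName 'contoso.com' -SecondaryThumbprint '<thumbprint of the new TS certificate>'
```

Run the first command as soon as the new secondary certificates exist to see the promotion window; run the second from a session that can stay open across the window, so the federation trust is updated within one polling interval of the promotion instead of being timed by hand. If your tenant has several federated domains, each one needs its own "Update-MsolFederatedDomain" call (or the -SupportMultipleDomain switch, where applicable).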