Rolling Over a Token-signing Certificate

Applies To: Windows Server 2003 R2

When you need to replace a token-signing certificate on a server that is running the Federation Service component of Active Directory Federation Services (ADFS), either due to expiration or suspicion of tampering, use the procedures in this task to roll over the certificate in a manner that eliminates any significant lapse of certificate validity on the servers.

Configure the public key of every certificate that you replace as a verification certificate on any other servers in the same federation server farm. This configuration occurs automatically when you select the token-signing certificate for use on the server. In addition, if the Federation Service is acting in the account role, the certificate must be configured as a verification certificate for the account partner by any trusting resource partners. To accomplish this configuration, you must export the public key of the certificate to make it available for adding to the account partner.

When the same token-signing certificate is shared among multiple servers in a server farm, the private key of the new token-signing certificate must be exported and then imported on all other servers in the server farm. If a different token-signing certificate is installed on each server in the federation server farm, this additional import step is not required and each server uses a unique private key. The public key is always shared as the verification certificate through the trust policy.

Task requirements

You need the following to perform the procedures for this task:

  • If you are using self-signed certificates, you can use the makecert.exe utility, which is available for download on the Microsoft Web site.

  • Active Directory Federation Services MMC snap-in.

To complete this task, perform the following procedures:

  1. Install a new token-signing certificate, as follows:

    • If you are using Microsoft Certificate Services as an enterprise certification authority (CA), obtain a new code signing certificate according to the instructions in "Submit an advanced certificate request via the Web to a Windows Server 2003 CA" (https://go.microsoft.com/fwlink/?linkid=64020). Specify installing the certificate into the local certificate store.

    • If you are using a different enterprise CA or a public CA, follow the instructions provided by the CA.

    • Alternatively, create a self-signed, token-signing certificate.

  2. Configure the private key, if needed, on all servers in a server farm where federation servers use the same private key, as follows:

    • If you are implementing a server farm of federation servers that share a single, exportable private key certificate that is issued by an enterprise certification authority (CA) directly into the certificate store, first use the procedure Export the private key portion of a token-signing certificate to make it available for importing into the local certificate stores of the other servers in the farm. Then, on all other servers in the farm, import the exported certificate into the local store.

    • If you are implementing a server farm of federation servers that share a single, exportable private key certificate that is issued by a public certification authority (CA), import the certificate into the local certificate store.

    For information about how to import the certificate into the certificate store, see Import a certificate (https://go.microsoft.com/fwlink/?linkid=22763).

  3. If the server is acting in the account role, do the following:

    1. On the federation server for which you obtained a new token-signing certificate in step 1, use the procedure Export the public key portion of a token-signing certificate to create a file that can be used as a verification certificate.

    2. Provide the exported certificate to the resource partner and instruct the resource partner to perform the procedure Add a verification certificate to an account partner to configure the account partner with the new verification certificate.

    3. Confirm that the partner organization has added the new verification certificate.

  4. Select the new verification certificate to Change the token-signing certificate that a federation server uses. Newly issued tokens will now use this certificate. This procedure also adds the verification certificate to the trust policy. Perform this procedure as follows:

    • If you are sharing the same token-signing certificate among all servers in the server farm, perform this procedure on one federation server in the server farm.

    • If you are using separate token-signing certificates for each server in the server farm, perform this procedure on each federation server in the server farm.

  5. Inform the partner organizations that it is safe to remove the original verification certificate.

  6. On all servers on which you selected the new verification certificate in step 4, remove verification certificates, as follows:

    1. Use the procedure Remove a verification certificate to remove the old verification certificate from the trust policy.

      Note

      To prevent the need for users who have already logged on to be authenticated again, wait 10 hours (the default lifetime of an access token for the Federation Service) or until all access tokens have expired before you remove the existing verification certificate.

    2. In the case of a Federation Service in the account role, instruct the resource partner to remove the old verification certificate from the account partner in the resource Federation Service. In this case, follow the same procedure but use the Verification Certificates tab in the account partner node properties instead of the Trust Policy node properties.

  7. Delete the old token-signing certificate from the certificate store. For information about how to delete a certificate from a certificate store, see Delete a certificate (https://go.microsoft.com/fwlink/?linkid=62715).
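The following Go model is an added illustration, not code from the original article or from ADFS, of why the steps above are ordered as they are: a partner's trust policy is a set of verification certificates, tokens stay valid for the 10-hour default lifetime, and the old certificate can be removed only after the partner accepts the new one and every token signed with the old one has expired. Ed25519 keys, the thumbprint format and the token layout are constructed stand-ins for X.509 certificates and the Federation Service's tokens.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// TokenLifetime is the 10-hour default access-token lifetime cited in the note in step 6.
const TokenLifetime = 10 * time.Hour

// Token stands in for an issued access token: signing-certificate thumbprint, subject, issue time, signature.
type Token struct{ KeyID, Subject string; IssuedAt time.Time; Sig []byte }

// Thumbprint identifies a certificate by a hash of its public key (constructed stand-in for a cert thumbprint).
func Thumbprint(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }
func payload(t Token) []byte { return []byte(t.KeyID + "|" + t.Subject + "|" + t.IssuedAt.UTC().Format(time.RFC3339)) }

// Issue signs a token with whatever token-signing key the federation server currently has selected.
func Issue(priv ed25519.PrivateKey, subject string, now time.Time) Token {
	t := Token{KeyID: Thumbprint(priv.Public().(ed25519.PublicKey)), Subject: subject, IssuedAt: now}
	t.Sig = ed25519.Sign(priv, payload(t))
	return t
}

// TrustPolicy is the partner-side set of verification certificates (public keys) currently accepted.
type TrustPolicy map[string]ed25519.PublicKey

func (tp TrustPolicy) Add(pub ed25519.PublicKey)    { tp[Thumbprint(pub)] = pub }
func (tp TrustPolicy) Remove(pub ed25519.PublicKey) { delete(tp, Thumbprint(pub)) }

// Verify accepts a token only if its signer is a configured verification certificate, it is unexpired, and the signature checks.
func (tp TrustPolicy) Verify(t Token, now time.Time) error {
	pub, ok := tp[t.KeyID]
	if !ok { return errors.New("signer is not a configured verification certificate") }
	if now.Sub(t.IssuedAt) > TokenLifetime { return errors.New("token expired") }
	if !ed25519.Verify(pub, payload(t), t.Sig) { return errors.New("bad signature") }
	return nil
}

func main() {
	oldPub, oldKey, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newKey, _ := ed25519.GenerateKey(rand.Reader)
	partner, t0 := TrustPolicy{}, time.Now()
	partner.Add(oldPub) // the verification certificate the partner already trusts
	partner.Add(newPub) // step 3: partner adds the new certificate before the server switches to it
	early, late := Issue(oldKey, "alice", t0), Issue(newKey, "bob", t0.Add(time.Minute)) // step 4: switch
	fmt.Println(partner.Verify(early, t0.Add(time.Hour)), partner.Verify(late, t0.Add(time.Hour))) // <nil> <nil>
	partner.Remove(oldPub) // step 6: safe only once every token signed with the old certificate has expired
	fmt.Println(partner.Verify(early, t0.Add(11*time.Hour))) // rejected, but that token expired an hour ago anyway
}
```

Removing the old certificate from the trust policy before the 10-hour window has passed is what causes the re-authentication the note in step 6 warns about: tokens signed with it are still within their lifetime but no longer have a configured verifier.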

See Also

Concepts

Rolling Over a Client Authentication Certificate