Remove a verification certificate

Applies To: Windows Server 2003 R2

After you add a new verification certificate on a server that is running the Federation Service component of Active Directory Federation Services (ADFS), you must remove the old verification certificate. Removing an old verification certificate is part of the prescribed certificate rollover process by which you replace token-signing and verification certificates in a manner that prevents downtime. Use this procedure in accordance with the instructions in "Rolling Over a Token-signing Certificate."

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To remove a verification certificate

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Remove the certificate as follows:

    • If you are removing the verification certificate from the trust policy on an account or resource federation server, double-click Federation Service, right-click the Trust Policy node, and then click Properties.

    • If you are removing the verification certificate from the account partner on a trusting resource federation server, double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, double-click Account Partners, right-click the account partner node, and then click Properties.

  3. Click the Verification Certificates tab.

  4. Click the certificate that you want to remove, click Remove, and then click OK.