Change the token-signing certificate that a federation server uses

Applies To: Windows Server 2003 R2

Each Active Directory Federation Services (ADFS) federation server uses a token-signing certificate to digitally sign all security tokens that it produces. Only one token-signing certificate can be in effect on a federation server. If you have installed a new token-signing certificate on a federation server and you want that certificate to be used, you will need to select that certificate in ADFS.

Perform this procedure on the account or resource federation server whose token-signing certificate you want to change.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To change the token-signing certificate on a federation server

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Right-click Federation Service, and then click Properties.

  3. On the General tab, under Token-signing certificate, click Select.

  4. In the Select Certificate dialog box, click the token-signing certificate you want to use, and then click OK.

  5. In the Federation Service Properties dialog box, click OK.

    In certain cases, the Federation Service runs under a different account, and you will be prompted to allow that account access to the certificate's private key. Grant that account access to the private key as appropriate for your deployment.

  6. In the Federation Server Configuration message box, click Yes to add the new certificate to the verification certificates in the trust policy.

    If you have already added this certificate to the trust policy as a verification certificate, you will not be prompted to add it again.

  7. On the General tab, under Token-signing certificate, click View to check that the selected certificate is being used.
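The following PowerShell check is an added example and is not part of the original procedure; it verifies, before step 3, that the new certificate in the local computer's Personal store has a usable private key, is within its validity period, and that the account the Federation Service runs under (see the note to step 5) can read the key file. The thumbprint and service account name are placeholders you must replace, and the machine-key path assumes a CSP-based RSA key as used on Windows Server 2003 R2.

```powershell
# Added example, not part of the original TechNet procedure.
# Placeholders: the thumbprint of the new token-signing certificate and
# the identity the Federation Service runs as.
$Thumbprint     = 'PLACEHOLDER_THUMBPRINT_OF_NEW_TOKEN_SIGNING_CERT'
$ServiceAccount = 'DOMAIN\AdfsServiceAccountPlaceholder'

# 1. Locate the certificate in the local computer's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# 2. A token-signing certificate is useless without its private key, and a
#    certificate outside its validity period yields tokens that partners reject.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 3. Find the machine key file that holds the private key (CSP-based RSA key)
#    and check that the service identity has an Allow entry including ReadData,
#    which is the access the prompt in step 5 asks you to grant.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath   = Join-Path $env:ALLUSERSPROFILE "Application Data\Microsoft\Crypto\RSA\MachineKeys\$container"
$acl = Get-Acl $keyPath
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$readers = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readData) -ne 0)
}
if ($readers) {
    "OK: $ServiceAccount can read the private key file $keyPath"
} else {
    "WARNING: $ServiceAccount has no Allow/ReadData entry on $keyPath; grant it before selecting the certificate"
}
```

Run it in an elevated session on the federation server; a WARNING means step 5 will either prompt you or the Federation Service will fail to sign tokens until the key permission is granted.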

See Also

Concepts

Rolling Over a Token-signing Certificate