
ADFS Certificate Maintenance Part 2

The solution

Some research indicated that exporting the certificate to a PFX file and re-importing that file would do the trick, but that clearly had not worked in this case. Likewise, a procedure from an article on the Microsoft website that relied on certutil -importpfx also failed, as that option appears to be unsupported on Windows 2016.

The Microsoft document that referenced certutil -importpfx did at least give hope that it was possible to change the keyspec value and, with a vague memory of having done something like this before, it was back to basics: the Windows build of the openssl utility.

The plan was therefore to export the private key from the existing PFX file and then export the certificate. These would be recombined into a new PFX file, which would be re-imported into the ADFS and web application proxy servers. If the keyspec value was now 1, as it needs to be for a service communications certificate, the new certificate could then be used in that role.

First, we break apart the original PFX file (adfscert.pfx in this example): one command extracts the private key, the other the certificate.

openssl pkcs12 -in c:\temp\adfscert.pfx -out c:\temp\newadfscertkey.pem -nocerts
openssl pkcs12 -in c:\temp\adfscert.pfx -out c:\temp\newadfscert.crt -nokeys

Then merge them back into a PFX file:

openssl pkcs12 -export -in newadfscert.crt -inkey newadfscertkey.pem -out mergedadfscert.pfx

Next, import the merged PFX certificate into the certificate store on the ADFS and web application proxy servers.

  1. Use the set-adfssslcertificate PowerShell command as before to update the SSL certificate used by ADFS
  2. Restart the ADFS services on the ADFS and web application proxy servers to ensure that the change has applied

Now the service communications certificate can be changed. It was unclear why the returned certificate had a keyspec of 0 instead of 1; the only change from the old certificate was the use of a different certification authority. My guess would be that someone ticked the wrong box when the certificate request was submitted. Nevertheless, the problem was resolved, and the customer could use their ADFS for another 2 years.
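Before handing the merged certificate to ADFS it is worth confirming that the import really did land with keyspec 1, rather than finding out from the cmdlet error again. The following is an added example and not code from the original article; it assumes $Thumbprint is the thumbprint of the certificate you just imported into the machine store.

```powershell
# Added example: report the KeySpec of a certificate in LocalMachine\My so the
# re-wrapped PFX can be verified before it is assigned as the ADFS service
# communications certificate. $Thumbprint is an assumed parameter.
param([Parameter(Mandatory)][string]$Thumbprint)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "No private key: the PFX import did not include the key" }

# Only legacy CSP-backed keys carry a KeySpec (1 = AT_KEYEXCHANGE, 2 = AT_SIGNATURE).
# A CNG/KSP-backed key has no KeySpec at all, which certutil reports as 0.
$keySpec = 0
$pk = $null
try { $pk = $cert.PrivateKey } catch { $pk = $null }
if ($pk -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keySpec = [int]$pk.CspKeyContainerInfo.KeySpec
}

[pscustomobject]@{
    Subject                        = $cert.Subject
    NotAfter                       = $cert.NotAfter
    KeySpec                        = $keySpec
    UsableForServiceCommunications = ($keySpec -eq 1)
}
```

Run it on each ADFS and web application proxy server after the import; a KeySpec of 0 means the certificate was stored with a CNG key and the openssl re-wrap needs to be repeated before the service communications certificate can be changed.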
