Friday 22 February 2019



Renew federation certificates for Office 365 and Azure Active Directory

Auto Cert Rollover in ADFS and setting the new token signing as primary and changing the old one as secondary 

When AD FS generates a new token signing certificate as the old one approaches expiry, the new certificate sits only as "secondary" until the promotion threshold is met.



Until then you cannot set the new certificate as Primary in the AD FS console; the option is grayed out.



Step 1: Check the AutoCertificateRollover state


Log on to the primary AD FS server.

Run Get-AdfsProperties in PowerShell with elevated rights.

Check whether AutoCertificateRollover is set to "True".





Here the promotion threshold is 5 days, so the new certificate becomes Primary 5 days before the original certificate expires.

Step 2: Confirm that AD FS and Azure AD are in sync


Install the MSOnline module and connect to Azure AD with it:

Install-Module MSOnline
Import-Module MSOnline
Connect-MsolService

Check the certificates configured in AD FS and in the Azure AD trust properties for the specified domain:

Get-MsolFederationProperty -DomainName <domain.name> | FL Source, TokenSigningCertificate

If the thumbprints in both outputs match, your certificates are in sync with Azure AD.

If they do not match, run:

Update-MsolFederatedDomain -DomainName <domain>








Renew the token signing certificate automatically (recommended) 


You don't need to perform any manual steps if both of the following are true:

- You have deployed Web Application Proxy, which can enable access to the federation metadata from the extranet.
- You are using the AD FS default configuration (AutoCertificateRollover is enabled).

Check the following to confirm that the certificate can be automatically updated.

1. The AD FS property AutoCertificateRollover must be set to True. This indicates that AD FS will automatically generate new token signing and token decryption certificates before the old ones expire.

2. The AD FS federation metadata is publicly accessible. Check that your federation metadata is publicly accessible by navigating to the following URL from a computer on the public internet (off the corporate network):

https://(your_FS_name)/federationmetadata/2007-06/federationmetadata.xml

where (your_FS_name) is replaced with the federation service host name your organization uses, such as fs.contoso.com. If you are able to verify both of these settings successfully, you do not have to do anything else.

Example: https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml
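The checks above, gathered into one script as an added example (not code from the original post or from Microsoft): it reads the rollover state and promotion threshold, lists the primary and secondary token signing certificates with the date the secondary will be promoted, compares the AD FS thumbprint with what Azure AD holds, and parses the signing certificates published in the federation metadata. It assumes the AD FS and MSOnline modules are installed, Connect-MsolService has already been run, and the domain and federation service names below are placeholders you replace.

```powershell
# Added example, not the post's own code. Run in elevated PowerShell on the primary AD FS server.
param(
    [string]$DomainName     = 'contoso.com',     # placeholder: your federated domain
    [string]$FederationHost = 'fs.contoso.com'   # placeholder: your federation service name
)

# Step 1: rollover state and promotion threshold (days before expiry)
$props = Get-AdfsProperties
"AutoCertificateRollover      : $($props.AutoCertificateRollover)"
"CertificatePromotionThreshold: $($props.CertificatePromotionThreshold) days"

$certs     = Get-AdfsCertificate -CertificateType Token-Signing
$primary   = $certs | Where-Object IsPrimary
$secondary = $certs | Where-Object { -not $_.IsPrimary }
"Primary   : $($primary.Thumbprint) expires $($primary.Certificate.NotAfter)"
foreach ($s in $secondary) { "Secondary : $($s.Thumbprint) expires $($s.Certificate.NotAfter)" }

# The secondary is promoted <threshold> days before the current primary expires
if ($props.AutoCertificateRollover -and $secondary) {
    $promoteOn = $primary.Certificate.NotAfter.AddDays(-$props.CertificatePromotionThreshold)
    "Secondary becomes Primary on: $promoteOn"
}

# Step 2: does Azure AD hold the same token signing certificate as AD FS?
$fed  = Get-MsolFederationProperty -DomainName $DomainName
$aad  = $fed | Where-Object Source -like 'Microsoft Office 365*'
$adfs = $fed | Where-Object Source -like 'ADFS*'
if ($aad.TokenSigningCertificate.Thumbprint -eq $adfs.TokenSigningCertificate.Thumbprint) {
    "Azure AD is in sync with AD FS."
} else {
    "MISMATCH: Azure AD has $($aad.TokenSigningCertificate.Thumbprint); run Update-MsolFederatedDomain -DomainName $DomainName"
}

# Federation metadata: extract the signing certificates it publishes and confirm the
# primary is among them. (Reachability from the extranet must still be tested off-network.)
$url = "https://$FederationHost/federationmetadata/2007-06/federationmetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
$published = $md.EntityDescriptor.RoleDescriptor.KeyDescriptor |
    Where-Object use -eq 'signing' |
    ForEach-Object {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $c.Import([Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate))
        $c.Thumbprint
    } | Sort-Object -Unique
"Signing certs in published metadata: $($published -join ', ')"
if ($published -notcontains $primary.Thumbprint) {
    "WARNING: published metadata does not list the current primary certificate"
}
```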




REFER:


https://blogs.msdn.microsoft.com/vilath/2015/09/02/how-to-update-certificates-for-ad-fs-3-0/
