Rolling Over a Client Authentication Certificate
Applies To: Windows Server 2003 R2
When a client authentication certificate must be replaced on a server that is running the Federation Service Proxy component of Active Directory Federation Services (ADFS), use the procedures in this task to roll over the certificate in a manner that eliminates any significant lapse of certificate validity on the servers.
After a new client authentication certificate is installed on the first federation server proxy, the public portion of the client authentication certificate must be exported and added to the trust policy for the Federation Service.
Task requirements
You need the following to perform the procedures for this task:
If you are using self-signed certificates, you can use the makecert.exe utility, which you can download from https://go.microsoft.com/fwlink/?linkid=63617.
Active Directory Federation Services MMC snap-in.
To complete this task, perform the following procedures:
Install a new token-signing certificate, as follows:
If you are using Microsoft Certificate Services as an enterprise certification authority (CA), obtain a new client authentication certificate according to the instructions in "Submit an advanced certificate request via the Web to a Windows Server 2003 CA" (https://go.microsoft.com/fwlink/?linkid=64020). Specify installing the certificate into the local certificate store.
If you are using a different enterprise CA or a public CA, follow the instructions provided by the CA.
Alternatively, use the procedure Create a self-signed, token-signing certificate.
On the federation server for which you obtained a new client authentication certificate in step 1, use the procedure Export the public key portion of a client authentication certificate to create a file that can be used as an FSP verification certificate.
Make the exported certificate file available to the Federation Service administrator who must add it to the trust policy.
Instruct the administrator to use the procedure Add a Federation Service Proxy certificate to the trust policy to the trust policy to add the exported certificate to the trust policy of the Federation Service that this federation server proxy is protecting.
On a federation server proxy, use the procedure Change the client authentication certificate that a federation server proxy uses to select the new certificate.
To remove the old FSP verification certificate from the Federation Service, inform the Federation Service administrator to use the procedure Remove a Federation Service Proxy (FSP) certificate from the trust policy.
Delete the old client authentication certificate from the certificate store. For information about how to delete a certificate from a certificate store, see Delete a certificate (https://go.microsoft.com/fwlink/?linkid=62715).