ADFS Certificates explained

In this blog we will look at the three ADFS certificates: the service communication certificate, the token-signing certificate and the token-decrypting certificate. We will also learn how to renew the token-signing and token-decrypting certificates on an ADFS server, and how auto certificate rollover works.

Watch video

Join our YouTube channel for latest and updated videos on Cloud technology and watch this video on ADFS Certificates.

ADFS Certificates explained

If we talk about certificates in ADFS server, you will come across 3 certificates:
  1. Service Communications Certificate
  2. Token-Decrypting Certificate
  3. Token-Signing Certificate

ADFS Service Communication Certificate

When you install an ADFS server, you use an SSL certificate. This certificate secures the communication between the ADFS server and the application. Because the ADFS server shares information with the application in the form of a security token, this communication channel has to be secured and encrypted.

  1. ADFS Service Communication Certificate is used to secure the communication between ADFS server and the application.
  2. Service Communication Certificate is used to secure the endpoints of ADFS server.

View ADFS Service Communication Certificate in ADFS Management console

To view Service Communication Certificate in ADFS server, go to ADFS Management console, expand Services, and click Certificates.


To view the details of the Service Communication Certificate, double-click the certificate.

View ADFS Service Communication Certificate using PowerShell

To view the ADFS Service Communication Certificate using PowerShell, run the command below in Windows PowerShell on the ADFS server.

Get-AdfsCertificate -CertificateType "Service-Communications"

ADFS Service Communication Certificate key points
  1. For a production environment you should always use an SSL certificate issued by a 3rd party certificate provider. If you are deploying a test lab, you can use a certificate issued by an internal certification authority.
  2. The subject name of the certificate must match the Federation Service Identifier of your ADFS server.
  3. You can use either a wildcard certificate or a SAN certificate. Both types of certificate are supported.
  4. The same certificate can be used on all the ADFS servers and proxy servers.

ADFS Token-Signing Certificate

The ADFS token-signing certificate contains a private key and a public key. When the ADFS server issues a token to the application, it uses the private key of the token-signing certificate to digitally sign the token. When the application receives this token, it uses the public key of the token-signing certificate to validate the signature. By doing this, the application ensures that the token was really issued by the ADFS server and wasn’t modified in transit.

View ADFS token-signing certificate in ADFS Management console

To view token-signing certificate in ADFS server, go to ADFS Management console, expand Services, and click Certificates.

View ADFS token-signing certificate using PowerShell

To view the token-signing certificate using PowerShell, run the command below in Windows PowerShell on the ADFS server.

Get-AdfsCertificate -CertificateType "Token-Signing"

ADFS token-signing certificate key points
  1. The token-signing certificate is used to digitally sign the tokens that are issued by the ADFS server to the application.
  2. The token-signing certificate is created by default as a self-signed certificate, but you can also use a certificate issued by a 3rd party or by an internal certification authority.

ADFS token-decrypting certificate

The token-decrypting certificate is used by the claims provider to encrypt the token with the certificate's public key. The ADFS server then uses the private key of this certificate to decrypt the token and validate the claims issued by the claims provider.

View ADFS token-decrypting certificate in ADFS Management console

To view token-decrypting certificate in ADFS server, go to ADFS Management console, expand Services, and click Certificates.

View ADFS token-decrypting certificate using PowerShell

To view the token-decrypting certificate using PowerShell, run the command below in Windows PowerShell on the ADFS server.

Get-AdfsCertificate -CertificateType "Token-Decrypting"

ADFS token-decrypting certificate key points
  1. The token-decrypting certificate is used by the claims provider to encrypt the token with the certificate's public key; the ADFS server uses the private key of this certificate to decrypt the token.
  2. The token-decrypting certificate is created as a self-signed certificate by default.
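The three Get-AdfsCertificate commands above can be combined into one expiry report. This is an added example, not code from the original post; it assumes it runs in an elevated PowerShell session on an ADFS server where the ADFS module is loaded, and the 30-day warning window is an arbitrary choice.

```powershell
# Added example (not from the original post): inventory all three ADFS
# certificate types and flag the ones that expire within a warning window.
# Assumes an elevated session on an ADFS server with the ADFS module.
param([int]$WarnDays = 30)   # warning window, arbitrary value

$now   = Get-Date
$types = 'Service-Communications', 'Token-Signing', 'Token-Decrypting'

$report = foreach ($type in $types) {
    foreach ($c in Get-AdfsCertificate -CertificateType $type) {
        $cert     = $c.Certificate                    # underlying X509Certificate2
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        [pscustomobject]@{
            Type       = $c.CertificateType
            Primary    = $c.IsPrimary                 # primary vs. secondary (post-rollover)
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # default for signing/decrypting
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Thumbprint = $c.Thumbprint
            Status     = if ($daysLeft -le 0)          { 'EXPIRED' }
                         elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                         else                            { 'OK' }
        }
    }
}

$report | Sort-Object Type, Primary -Descending | Format-Table -AutoSize

# Auto certificate rollover never touches the service communication
# certificate, so call it out separately when it is close to expiry.
$svc = $report | Where-Object { $_.Type -eq 'Service-Communications' -and $_.Status -ne 'OK' }
if ($svc) {
    Write-Warning "Service communication certificate needs manual renewal: $($svc.Thumbprint)"
}
```

Run it on each ADFS server in the farm and on a schedule; the Service-Communications row is the one that will not fix itself.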

ADFS Auto Certificate Rollover

By default, token-signing and token-decrypting certificates are valid for one year. This default value can be changed with the PowerShell command Set-AdfsProperties.

Every year, these certificates are renewed either automatically or manually. ADFS Auto Certificate Rollover is a feature of ADFS server that automatically renews token-signing and token-decrypting certificates.

Important: ADFS Auto Certificate Rollover is applicable only for token-signing and token-decrypting certificates. This feature does not renew Service Communication Certificate.

Verify Auto Certificate Rollover is enabled

To verify whether auto certificate rollover is enabled on the ADFS server, run the command below in Windows PowerShell on the ADFS server.

Get-AdfsProperties | fl *AutoCertificateRollover*

By default this value is set to True, which means the token-signing and token-decrypting certificates will be renewed automatically. If it is set to False, you need to renew these certificates manually.

Auto Certificate Rollover properties

If you run Get-AdfsProperties | fl *Certificate* you will see these properties. Let’s discuss them one by one.


Auto Certificate Rollover: This value is set to True by default, which indicates that the token-signing and token-decrypting certificates will be renewed automatically. If it is set to False, you need to renew the certificates manually.

Certificate Duration: This value defines the validity period of the certificate. By default it is set to 365 days. To change it, run Set-ADFSProperties -CertificateDuration on the ADFS server.

Certificate Generation Threshold: This value defines how many days before the expiration date of the current certificate ADFS should generate the new certificate. For example, if it is set to 10, ADFS will automatically generate a new certificate 10 days before the current certificate’s expiration date.

Certificate Promotion Threshold: When ADFS generates new certificates, they are initially set as secondary certificates. ADFS uses this value to determine how many days after generating the new certificate it should be promoted to primary.

Certificate Critical Threshold: If for any reason the new certificate was not promoted to primary within the period defined by CertificatePromotionThreshold, this value defines how many days before the current certificate expires the new certificate must be promoted to primary.

Certificate Rollover Interval: This value is in minutes. If it is set to 20, then every 20 minutes ADFS checks whether the certificates are about to expire.

Certificate Sharing Container: This property shows the location where the token-signing and token-decrypting certificates are stored.

Note: If you want to modify any one of these properties, you can use Set-ADFSProperties command.
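The properties above describe a timeline, and it is easier to reason about when projected onto real dates. The following is an added example, not code from the original post; it assumes an ADFS server with the ADFS module, that the current primary token-signing certificate is the one that will roll over next, and that a newly generated certificate's validity starts on its generation date.

```powershell
# Added example (not from the original post): read the auto certificate
# rollover settings and project when ADFS will generate, promote and, at
# the latest, force-promote the next token-signing certificate.
# Assumes an ADFS server with the ADFS PowerShell module loaded.
$p = Get-AdfsProperties

"AutoCertificateRollover     : $($p.AutoCertificateRollover)"
"CertificateDuration (days)  : $($p.CertificateDuration)"
"GenerationThreshold (days)  : $($p.CertificateGenerationThreshold)"
"PromotionThreshold (days)   : $($p.CertificatePromotionThreshold)"
"CriticalThreshold (days)    : $($p.CertificateCriticalThreshold)"
"RolloverInterval (minutes)  : $($p.CertificateRolloverInterval)"
"SharingContainer            : $($p.CertificateSharingContainer)"

if (-not $p.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is False: token-signing and token-decrypting certificates must be renewed manually.'
}

# Current primary token-signing certificate and its expiry date.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$expires = $primary.Certificate.NotAfter

# Generation happens GenerationThreshold days before expiry, promotion
# PromotionThreshold days after generation, and CriticalThreshold is the
# last-resort promotion date measured back from expiry (per the property
# descriptions in this post).
$generateOn = $expires.AddDays(-$p.CertificateGenerationThreshold)
$promoteOn  = $generateOn.AddDays($p.CertificatePromotionThreshold)
$criticalOn = $expires.AddDays(-$p.CertificateCriticalThreshold)

[pscustomobject]@{
    PrimaryThumbprint     = $primary.Thumbprint
    PrimaryExpires        = $expires
    NewCertGeneratedOn    = $generateOn
    NewCertPromotedOn     = $promoteOn
    LatestPromotionDate   = $criticalOn
    # Assumption: the new certificate's validity starts at generation.
    NewCertExpiresOn      = $generateOn.AddDays($p.CertificateDuration)
    DaysUntilGeneration   = [int]($generateOn - (Get-Date)).TotalDays
}
```

The NewCertGeneratedOn date is when relying parties that do not consume federation metadata automatically will need the new public key, so it is the date to put in the change calendar.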

Conclusion

In this blog we learnt what ADFS certificates are and what ADFS auto certificate rollover is.

If you found this article helpful and informative, please share it within your community, join our YouTube channel for the latest videos on Cloud technology, and join our Newsletter for early access to our blogs.

We welcome you to browse our other articles on ADFS (Active Directory Federation Services):
What is ADFS
What is federation trust in ADFS
ADFS deployment types
How to install ADFS on Windows Server 2016
ADFS claims based architecture
Set up ADFS for Microsoft 365 for Single Sign-On
ADFS endpoints explained
What is ADFS relying party trust, ADFS Claim Rules
ADFS Authentication Flow
What is ADFS Federation Metadata
What is ADFS Claims Provider Trust

Happy Learning!!