Anavem
EnglishFrancais
Anavem
Languagefr
How to Replace SSL Certificate on ADFS Server (Windows Server 2025)

How to Replace SSL Certificate on ADFS Server (Windows Server 2025)

Replace SSL/TLS certificates on Active Directory Federation Services servers and Web Application Proxy to maintain secure authentication. Complete guide with PowerShell commands and verification steps.

Evan MaelEvan Mael
March 18, 2026 15 min
mediumadfs 8 steps 15 min

Why Replace SSL Certificates on ADFS Servers?

Active Directory Federation Services (ADFS) relies heavily on SSL/TLS certificates to secure authentication communications between users, applications, and identity providers. With certificate lifespans now limited to 398 days due to browser security policies, regular certificate replacement has become a critical maintenance task for IT administrators.

ADFS environments typically consist of multiple components that require certificate updates: the primary ADFS server, secondary farm members, and Web Application Proxy (WAP) servers. Each component must be updated individually, though Windows Server 2016 and later versions include automatic farm propagation features that simplify the process.

What Happens During ADFS SSL Certificate Replacement?

The certificate replacement process involves importing the new certificate with its private key to all servers, configuring proper permissions for the ADFS service account, and updating both the SSL bindings and service communications certificates. Modern ADFS deployments benefit from PowerShell cmdlets like Set-AdfsSslCertificate that handle farm-wide propagation automatically.

This tutorial covers the complete process for Windows Server 2025 environments, including verification steps and troubleshooting common issues. You'll learn to update certificates across ADFS farms and WAP servers while maintaining service availability and security compliance.

Implementation Guide

Full Procedure

01

Import the New SSL Certificate to All Servers

Start by importing your new SSL certificate with private key to the Local Machine Personal certificate store on every ADFS and WAP server in your farm.

Open the Microsoft Management Console on each server:

mmc.exe

Add the Certificates snap-in: File > Add/Remove Snap-ins > Certificates > Add > Computer account > Local computer > Finish > OK.

Navigate to Certificates (Local Computer) > Personal > Certificates. Right-click in the empty space and select All Tasks > Import. Follow the Certificate Import Wizard:

  • Select your certificate file (.pfx or .p12)
  • Enter the private key password
  • Choose "Local Machine" as the store location
  • Select "Personal" as the certificate store
Pro tip: Use the same certificate file on all servers to ensure consistency. Export from one server if you installed it there first.

Verify the import by checking the certificate appears in the Personal store with a key icon indicating the private key is present.

# Verify certificate import via PowerShell
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*your-domain.com*"}
02

Configure Private Key Permissions for ADFS Service Account

The ADFS service account needs read access to the private key of your new certificate. This is critical for the service to use the certificate.

In the Certificates MMC, right-click your new certificate and select All Tasks > Manage Private Keys. Click Add to open the user selection dialog.

For Group Managed Service Accounts (gMSA), click Object Types and check "Service Accounts". Enter your ADFS service account name (typically ends with $):

DOMAIN\ADFS-Service$

Grant the following permissions:

  • Read
  • Full Control (recommended for troubleshooting)

Click OK to apply the permissions.

Warning: Without proper private key permissions, ADFS will fail to bind the certificate and authentication will break.

Verify permissions using PowerShell:

# Check certificate private key permissions
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq "YOUR_CERT_THUMBPRINT"}
$cert.PrivateKey
03

Update Service Communications Certificate (Optional)

Before updating the SSL certificate, you may want to update the Service Communications certificate through the ADFS Management console. This step is optional but recommended for consistency.

Open ADFS Management from Server Manager > Tools > AD FS Management. Navigate to Service > Certificates in the left panel.

Right-click on "Service Communications" and select "Set Service Communications Certificate". Choose your new certificate from the list and click OK.

# Alternative: Update via PowerShell
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint "YOUR_CERT_THUMBPRINT"

This updates the certificate used for service-to-service communications within the ADFS farm.

Pro tip: The Service Communications certificate and SSL certificate can be the same certificate for simplicity.

Verify the update:

Get-AdfsCertificate -CertificateType Service-Communications
04

Get the New Certificate Thumbprint

You need the exact thumbprint of your new certificate to configure it as the SSL certificate. The thumbprint is a unique identifier for the certificate.

Retrieve the current SSL certificate information and note the thumbprint format:

Get-AdfsSslCertificate

Find your new certificate's thumbprint:

# List all certificates in Personal store with thumbprints
Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

Copy the thumbprint of your new certificate. Make sure to remove any spaces or hidden characters:

# Get specific certificate thumbprint
$newCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*your-domain.com*" -and $_.NotAfter -gt (Get-Date)}
$thumbprint = $newCert.Thumbprint
Write-Host "Certificate Thumbprint: $thumbprint"
Warning: Ensure you copy the thumbprint without spaces. Hidden characters can cause the Set-AdfsSslCertificate command to fail.

Verify the thumbprint is correct by checking the certificate details in the MMC console.

05

Update SSL Certificate on Primary ADFS Server

Run the SSL certificate update command on the primary ADFS server. Since Windows Server 2016, this command automatically propagates the change to all servers in the farm.

Execute the following command on the primary ADFS server:

# Replace YOUR_CERT_THUMBPRINT with your actual thumbprint
Set-AdfsSslCertificate -Thumbprint "YOUR_CERT_THUMBPRINT"

The command should complete without errors. If successful, you'll see a confirmation message.

Restart the ADFS service to ensure the new certificate is properly loaded:

Restart-Service adfssrv

Wait for the service to fully restart before proceeding:

# Check service status
Get-Service adfssrv
Pro tip: The Set-AdfsSslCertificate cmdlet handles farm-wide propagation automatically on Server 2016+, but you may need to restart the service on secondary nodes manually.

Verify the SSL certificate update:

Get-AdfsSslCertificate
06

Update SSL Certificate on Web Application Proxy Servers

Web Application Proxy servers require separate certificate updates. Import the certificate to each WAP server first, then update the configuration.

On each WAP server, set the new SSL certificate:

# Update WAP SSL certificate
Set-WebApplicationProxySslCertificate -Thumbprint "YOUR_CERT_THUMBPRINT"

If the above command fails, you may need to reconfigure the WAP with the new certificate:

# Get ADFS farm credentials
$cred = Get-Credential

# Reinstall WAP with new certificate
Install-WebApplicationProxy -FederationServiceName "adfs.yourdomain.com" -FederationServiceTrustCredential $cred -CertificateThumbprint "YOUR_CERT_THUMBPRINT"

Update the IIS binding manually on each WAP server. Open IIS Manager, navigate to Sites > Default Web Site, and click Bindings. Edit the HTTPS binding (port 443) and select your new certificate.

Warning: WAP servers don't automatically inherit SSL certificate changes from ADFS. You must update each WAP server individually.

Verify the WAP configuration:

Get-WebApplicationProxySslCertificate
07

Restart Services on Secondary ADFS Servers

While the Set-AdfsSslCertificate command propagates to all farm members, you should restart the ADFS service on secondary servers to ensure they pick up the new certificate binding.

On each secondary ADFS server, restart the service:

Restart-Service adfssrv

Monitor the service restart:

# Wait for service to start
do {
    Start-Sleep -Seconds 5
    $service = Get-Service adfssrv
    Write-Host "Service Status: $($service.Status)"
} while ($service.Status -ne "Running")

Check the Windows Event Log for any certificate-related errors:

# Check ADFS Admin event log for errors
Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 10 | Where-Object {$_.LevelDisplayName -eq "Error"}
Pro tip: Use Microsoft Entra Connect (formerly Azure AD Connect) for automated farm-wide certificate updates if you have it installed.

Verify each server is using the new certificate:

Get-AdfsSslCertificate | Select-Object PortNumber, CertificateHash
08

Test and Verify SSL Certificate Functionality

Perform comprehensive testing to ensure the new SSL certificate is working correctly across all ADFS endpoints and services.

Test the ADFS sign-in page in a web browser:

https://adfs.yourdomain.com/adfs/ls/IdpInitiatedSignOn.aspx

Verify there are no certificate warnings or errors. The browser should show a valid SSL connection with your new certificate.

Test from PowerShell using Invoke-WebRequest:

# Test ADFS metadata endpoint
$response = Invoke-WebRequest -Uri "https://adfs.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
Write-Host "Status Code: $($response.StatusCode)"

Check certificate details programmatically:

# Verify certificate via HTTPS connection
$request = [System.Net.WebRequest]::Create("https://adfs.yourdomain.com")
$request.GetResponse().Close()
$cert = $request.ServicePoint.Certificate
Write-Host "Certificate Subject: $($cert.Subject)"
Write-Host "Certificate Expiry: $($cert.GetExpirationDateString())"

Test authentication with a test user account to ensure the authentication flow works end-to-end.

Pro tip: Use SSL Labs' SSL Test (ssllabs.com/ssltest) to verify your certificate configuration and security rating.

Monitor ADFS event logs for the next 24 hours to catch any delayed issues:

Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 50 | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-1)}

Frequently Asked Questions

How often should I replace SSL certificates on ADFS servers?+
SSL certificates should be replaced before expiration, typically every 12-13 months due to the 398-day maximum validity period imposed by browser security policies since 2020. Plan certificate replacement at least 30 days before expiration to allow for testing and rollback if needed. Many organizations automate this process using certificate management tools or Microsoft Entra Connect for streamlined updates across ADFS farms.
What happens if I don't update WAP servers separately from ADFS servers?+
Web Application Proxy servers do not automatically inherit SSL certificate changes from ADFS servers. If you update only the ADFS farm without updating WAP servers, external users accessing ADFS through the proxy will encounter certificate errors and authentication failures. Each WAP server must be updated individually using Set-WebApplicationProxySslCertificate or by reconfiguring the proxy with the new certificate thumbprint.
Can I use the same certificate for both Service Communications and SSL binding?+
Yes, you can use the same certificate for both Service Communications and SSL binding in ADFS. This approach simplifies certificate management and is commonly used in smaller deployments. The certificate must meet all ADFS requirements including proper Subject Alternative Names for all federation endpoints. Larger organizations may prefer separate certificates for security isolation and certificate lifecycle management.
Why does Set-AdfsSslCertificate fail with 'certificate not found' error?+
This error typically occurs when the certificate is not properly imported to the Local Machine Personal store, lacks a private key, or the thumbprint contains spaces or hidden characters. Ensure the certificate is imported with its private key to Cert:\LocalMachine\My on all farm servers, and copy the thumbprint directly from PowerShell output using Get-ChildItem rather than from the MMC console to avoid formatting issues.
How do I verify that all ADFS farm servers are using the new certificate?+
Run Get-AdfsSslCertificate on the primary ADFS server to verify the certificate hash matches your new certificate's thumbprint. Test HTTPS connectivity to each server individually using Invoke-WebRequest or browser testing. Check Windows Event Logs on all servers for certificate binding errors in the AD FS/Admin log. For comprehensive verification, test authentication flows and monitor for 24 hours after the change to catch any delayed issues.
Evan Mael
Written by

Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#adfs#ssl-certificate#windows-server

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Deploy Network Locations via Group Policy in Windows Server 2025
tutorial
Networking

How to Deploy Network Locations via Group Policy in Windows Server 2025

Deep Dive
How to Configure Default Inbound Action for Public Profile in Windows Defender
tutorial
Cybersecurity

How to Configure Default Inbound Action for Public Profile in Windows Defender

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account