# Changing the Certificate ADFS

### Problem

I needed to change the certificate used by an ADFS server today. I’d used a temporary self-signed wildcard cert to get me up and running; now I needed to replace it with a new publicly signed one.

I found a number of ways of doing this **INCORRECTLY**, so hopefully I will save you making the same mistakes!

### Solution

First you need to import your certificate, here from a PFX file (if you don’t have a PFX file yet, import the certificate by double-clicking it, then export it, include the private key, and set a password on it). I’ve covered this in lots of different articles; just use the search bar above if you get stuck.

To import the certificate, open an [**administrative command window**](https://www.petenetlive.com/KB/Article/0000988) and execute the following command;

```
certutil -importpfx certificate-name.pfx AT_KEYEXCHANGE
{supply the pfx password}
```

![](/files/-M_p-Iuogem2gbHkGzec)

Open an [**administrative PowerShell Window**](https://www.petenetlive.com/KB/Article/0000988) and execute the following command;

```
Set-ADFSProperties -AutoCertificateRollover $false
```

![](/files/-M_p-KvejKgZqBuByQUd)

Make sure your certificate has a small key over the icon, or says ‘*you have a private key that corresponds to this certificate*‘. If yours does not, then import it on the server/PC you created the CSR (Certificate Signing Request) on, then export it to PFX, then import it using the command above on your ADFS server.

![](/files/-M_p-OmwV20OkjsLGjra)

On your certificate > All Tasks > Manage Private Keys.

![](/files/-M_p-SaoH6fhKkm-W1kH)

Add > Object Types > Select Service Accounts > Locate and select your ADFS service account. Grant **full control**.

![](/files/-M_p-VrOEKBHVWtvoVGK)

Launch the AD FS management console > Service > Certificates > Set Service Communication Certificate.

![](/files/-M_p-Z-FvW-IWHIe3eMg)

Select the correct (new) certificate > OK.

![](/files/-M_p-bLKt5bUsjYvYPan)

On the properties of your new certificate locate the thumbprint (not the serial number!), copy it to the clipboard, then execute the following command;

```
Set-AdfsSslCertificate -Thumbprint {Paste in the thumbprint - minus the spaces!}
```

**Note**: **BEWARE**: If you press tab to complete the above command, make sure you **DON’T** use *Set-AdfsCertificate*; it’s ***Set-AdfsSslCertificate*** (the wrong command will be accepted without error, and then it won’t work at the end).

![](/files/-M_p-hGlezFFhZLte8dD)

Then to finish off;

```
Set-ADFSProperties -AutoCertificateRollover $true
Restart-Service ADFSSRV
```

![](/files/-M_p-liXkABjBYozngto)
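The whole procedure above as one script, added here as an example and not taken from the original article, run from an elevated PowerShell on the ADFS server. It adds checks for the failure modes the article goes on to describe (missing private key, wrong KeySpec, wrong cmdlet) and verifies the result. The PFX path, the service account name and the `Read` grant on the key file (the article grants Full Control through the GUI; Read is enough for the service to use the key) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): the article's steps scripted,
# with checks for the failure modes it describes.
Import-Module ADFS -ErrorAction Stop

$PfxPath        = 'C:\certs\adfs-new.pfx'   # assumption: path to the new PFX
$ServiceAccount = 'CORP\svc_adfs'           # assumption: the AD FS service account

# Thumbprint read straight from the PFX (prompts for the password): nothing is
# copied from the GUI, so no spaces can sneak in.
$thumb = (Get-PfxCertificate -FilePath $PfxPath).Thumbprint

# Import with KeySpec = AT_KEYEXCHANGE exactly as the article does; certutil
# prompts for the PFX password. Import-PfxCertificate cannot set the KeySpec.
& certutil.exe -importpfx $PfxPath AT_KEYEXCHANGE
if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }

$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $cert.HasPrivateKey) {
    throw 'No private key: import the PFX on the machine that made the CSR, re-export it with the key, then retry.'
}
# A CAPI key exposes its KeySpec as KeyNumber; Exchange (1) is AT_KEYEXCHANGE.
# This is the condition behind the Event ID 550 error shown in the article.
$keyInfo = $null
try { $keyInfo = $cert.PrivateKey.CspKeyContainerInfo } catch { }
if ($null -eq $keyInfo -or $keyInfo.KeyNumber -ne 'Exchange') {
    throw 'Private key is not a CAPI key with KeySpec AT_KEYEXCHANGE; reimport with certutil as above.'
}

# "Manage Private Keys" from the GUI, scripted: grant the service account access
# to the machine key file (CAPI machine keys live under MachineKeys).
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyInfo.UniqueKeyContainerName
$acl = Get-Acl -Path $keyFile
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')))
Set-Acl -Path $keyFile -AclObject $acl

Set-AdfsProperties -AutoCertificateRollover $false
# The console's "Set Service Communication Certificate"
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb
# The SSL binding: Set-AdfsSslCertificate, not Set-AdfsCertificate
Set-AdfsSslCertificate -Thumbprint $thumb
Set-AdfsProperties -AutoCertificateRollover $true
Restart-Service -Name adfssrv

# Verify that both places now reference the new thumbprint.
$svcComm = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$ssl     = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -eq $thumb }
if ($svcComm -ne $thumb -or -not $ssl) { throw 'AD FS is not using the new certificate; check Event ID 550 and the KeySpec.' }
"New certificate $thumb is active for service communications and SSL."
```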


### Changing ADFS Certificates: Things That Might Go Wrong

![](/files/-M_p-puV7d-S2eC40W5X)

> The ServiceCommunications primary certificate cannot be used because the KeySpec must have a value of AT_KEYEXCHANGE (1).
> This value can be changed by reimporting the certificate from a pfx file. From an elevated command prompt, use the command “certutil -importpfx filename.pfx AT_KEYEXCHANGE”. For more information, see <http://go.microsoft.com/fwlink/?LinkId=798501>

You will also see an Event ID 550.

![](/files/-M_p-tzZQ88w4rhYkFu9)

**Solution**: Import the certificate using the ‘*certutil -importpfx certificate-name.pfx AT\_KEYEXCHANGE*‘ syntax.

Error

![](/files/-M_p-xd39RBQ13Erbf0n)

**Solution**: Disable certificate rollover with the ‘*Set-ADFSProperties -AutoCertificateRollover $false*‘ syntax. (**Note**: Don’t forget to enable it again afterwards!)
