- Obtain a new Token Signing Certificate.
- Ensure that the Enhanced Key Usage (EKU) includes "Digital Signature".
- Subject or Subject Alternative Name (SAN) does not have any restrictions.
- Please remember that your Federation Servers, your Resource Partner Federation Servers and Relying Party Application servers need to be able to chain to a trusted root certificate authority when validating your Token-Signing certificate.
- Install the certificate in the local certificate store on each Federation Server.
- Ensure that the certificate installation file has the Private Key of the certificate on each server.
- Ensure that the Federation Service Account has access to the new certificate's private key.
- Add the new certificate to AD FS.
- Launch AD FS Management from the Administrative Tools menu.
- Expand Service and select Certificates
- In the Actions pane, click Add Token-Signing Certificate...
- You will be presented with a list of certificates that are valid for Token-Signing. If you find that your new certificate is not being presented in the list, you need to go back and make sure that the certificate is in the local computer Personal store with private key associated and the certificate has the Digital Signature KU.
- Select your new Token-Signing certificate and click OK
- Inform all the Relying Parties about the change in Token Signing Certificate.
- Relying Parties that consume AD FS federation metadata, must pull the new Federation Metadata to start using the new certificate.
- Relying Parties that do NOT consume AD FS federation metadata must manually update the public key of the new Token Signing Certificate. Share the .cer file with the Relying Parties.
- Set the new Token-Signing Certificate as Primary.
- With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Signing: existing and the new certificate.
- Select your new Token-Signing certificate, right-click, and select Set as primary
- Leave the old certificate as secondary for roll over purposes. You should plan to remove the old certificate once you are confident it is no longer needed for roll over, or when the certificate has expired. Please remember that current users' SSO sessions are signed. Current AD FS Proxy Trust relationships utilize tokens that are signed and encrypted using the old certificate.
Number of approvals specifies how many certificate managers must approve a duplicate request before the request can be completed. ...
Number of approvals specifies the number of certificate managers who must approve a retire request before the request can ...
Number of approvals specifies the number of certificate managers who must approve an enroll request before the request can ...
Number of secrets by secret provider {0} and number of passwords to distribute {1} is not the same in a policy for profile ...
Obtain a new Token Signing Certificate. Ensure that the Enhanced Key Usage (EKU) includes "Digital Signature". Subject or ...
Offline unblock policy error on profile template {0}. Offline unblock policy should be disabled for PK11 smart card or software ...
On your mobile device, approve identity verification request {0} . If you don't see a request to approve, open the Microsoft ...
On your trusted devices, you don't have to enter a security code to access sensitive info (such as your credit card details). ...
Onboarding to Azure AD Identity Governance currently requires users to be in the Global Administrator role. Contact your ...