Certificate Rollover

For those of you still running Active Directory Federation Services 2.0 whose Token-decrypting and Token-signing certificates are about to expire: with the default settings, a new certificate is automatically generated 20 days before each certificate expires. You can also renew the certificates yourself 20 days before expiry, and do it manually with:

Update-MsolFederatedDomain -DomainName <domain name>

Microsoft also provides a script that creates a scheduled task, running once a day, which switches the certificates over automatically.


If you use relying-party trusts such as Yammer, you will need to export the public key portion of the token-signing certificate and attach it to a service request, and this should be done no less than 14 days before the switchover date. I heard this process may change and will keep you updated. The export procedure is listed below:

To export the public key portion of a token-signing certificate

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. Right-click Federation Service, and then click Properties.
  3. On the General tab, under Token-signing certificate, click View.
  4. In the Certificate dialog box, click the Details tab.
  5. On the Details tab, click Copy to File.
  6. On the Welcome to the Certificate Export Wizard page, click Next.
  7. On the Export Private Key page, make sure that No, do not export the private key is selected, and then click Next.
  8. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.
  9. On the File to Export page, specify the certificate file in File name, and then click Next.
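The expiry check and the public-key export above can also be scripted on the primary AD FS 2.0 federation server. The following PowerShell is an added example, not from the original post and not Microsoft's rollover script; it assumes the AD FS 2.0 PowerShell snap-in is installed and uses a constructed output folder `C:\Temp\adfs-certs`.

```powershell
# Added example, not part of the original post or of Microsoft's rollover script.
# Assumes the AD FS 2.0 PowerShell snap-in on the primary federation server;
# $OutDir is a constructed placeholder path.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$OutDir = 'C:\Temp\adfs-certs'   # assumed output folder for the exported .cer files
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Confirm the rollover settings the post relies on (defaults: 20 / 5 days).
$props = Get-ADFSProperties
"AutoCertificateRollover        : $($props.AutoCertificateRollover)"
"CertificateGenerationThreshold : $($props.CertificateGenerationThreshold) days"
"CertificatePromotionThreshold  : $($props.CertificatePromotionThreshold) days"

# 2. For each token-signing and token-decrypting certificate, work out when the
#    replacement is generated and when it is promoted to primary, and flag the
#    14-day notice window relying parties such as Yammer need.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-ADFSCertificate -CertificateType $type | ForEach-Object {
        $cert = $_.Certificate
        $role = if ($_.IsPrimary) { 'primary' } else { 'secondary' }
        $generated = $cert.NotAfter.AddDays(-$props.CertificateGenerationThreshold)
        $promoted  = $generated.AddDays($props.CertificatePromotionThreshold)
        $notifyBy  = $promoted.AddDays(-14)
        "$type ($role) $($cert.Thumbprint) expires $($cert.NotAfter.ToShortDateString())"
        if ($_.IsPrimary) {
            "  new cert generated $($generated.ToShortDateString()), promoted $($promoted.ToShortDateString())"
            if ((Get-Date) -ge $notifyBy) {
                "  ACTION: past the 14-day notice date ($($notifyBy.ToShortDateString())); send the new public key now"
            }
        }
    }
}

# 3. Export the public key portion of every token-signing certificate as a
#    DER-encoded .cer (the scripted form of the wizard steps above; the private
#    key is never included by Export('Cert')).
Get-ADFSCertificate -CertificateType Token-Signing | ForEach-Object {
    $cert = $_.Certificate
    $role = if ($_.IsPrimary) { 'primary' } else { 'secondary' }
    $file = Join-Path $OutDir "token-signing-$role-$($cert.Thumbprint).cer"
    [System.IO.File]::WriteAllBytes($file, $cert.Export('Cert'))
    "Exported $role token-signing public key to $file"
}
```

Once auto-rollover has generated the new certificate, the secondary token-signing .cer it writes is the one to attach to the service request.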