adfs 3.0: updating certificates

steps:
create new token signing cert on primary ADFS server by running…
Add-PSSnapin Microsoft.Adfs.Powershell
Update-ADFSCertificate -CertificateType Token-Signing (or Token-Decrypting)
(this creates a secondary certificate that ADFS should automatically roll over to when the primary certificate expires)
check ADFS settings with the powershell cmdlet Get-ADFSProperties
check the value of the AutoCertificateRollover property and note whether it is true or false

to update the office365 relying party data, run:
Connect-MSOLService
Update-MSOLFederatedDomain -DomainName:[federated domain] -SupportMultipleDomain (from the Azure Active Directory PowerShell module)

^note: if you receive “sorry, but we’re having trouble signing you in” and “error: 80041317” when trying to log in to office365, this is a sure sign that the above command needs to be run.

relying parties that consume the ADFS federation metadata will pick up the new certificate automatically and do not need a copy of it; other relying parties will.

sources:
http://blogs.technet.com/b/sharepoint_made_easy/archive/2013/03/21/certificate-error-for-federated-domains-on-o365.aspx
http://support.microsoft.com/kb/2713898
http://support.microsoft.com/kb/2647048
http://nikpatel.net/2014/12/22/renew-expired-adfs-token-certificates-for-adfs-2-0-and-sharepoint-2013-on-premises/

long overdue update 9/11/2014:
the certificate rollover did not go as expected. the certificate rollover did not occur until 3 or so days after the original cert’s expiration date. this makes me feel like the auto rollover feature is unreliable.

disabling auto rollover:
Set-ADFSProperties -AutoCertificateRollover $false

if auto rollover is enabled, you are unable to manually set the new certificate as the primary
http://virtualizationtechno.blogspot.com/2014/02/set-as-primary-option-is-greyed-out-in.html

update 3/17/2015:
precise directions…
1. generate new token-signing cert
2. disable auto rollover
3. set new cert to primary
4. restart the adfs service on each system
5. get new metadata or cert to RPs
6. run the Update-MSOLFederatedDomain command for office365
7. re-enable auto rollover
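the seven steps above (and the initial Update-ADFSCertificate / Get-ADFSProperties steps at the top of the post) as one script. this is an added example, not the post's own commands: it assumes ADFS 3.0 with the ADFS module (falling back to the ADFS 2.0 snap-in the post uses), the MSOnline module for Office 365, WinRM access to the other farm members listed in $AdfsNodes, and a federated domain passed in $FederatedDomain. Get-MsolFederationProperty at the end is used as the check that the signing certificate ADFS uses and the one Office 365 knows about agree.

```powershell
# Added example (not from the original post): token-signing certificate rollover for ADFS,
# following the seven steps in the post. Assumes ADFS 3.0 (Import-Module ADFS) with a fallback
# to the ADFS 2.0 snap-in, the MSOnline module, WinRM to the nodes in $AdfsNodes, and the
# federated domain name in $FederatedDomain. Run on the primary ADFS server, elevated.
param(
    [Parameter(Mandatory = $true)][string]$FederatedDomain,   # placeholder, e.g. contoso.com
    [string[]]$AdfsNodes = @($env:COMPUTERNAME)               # every farm member, for restarts
)

# ADFS 3.0 ships a module; ADFS 2.0 used the snap-in named in the post.
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS }
else { Add-PSSnapin Microsoft.Adfs.Powershell }

$type = 'Token-Signing'

# Step 1: generate a new self-signed token-signing certificate. It is added as the secondary
# and Update-AdfsCertificate only works while auto rollover is still enabled.
if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    throw 'AutoCertificateRollover is off; Update-AdfsCertificate needs it on to generate a certificate'
}
Update-AdfsCertificate -CertificateType $type
$new = Get-AdfsCertificate -CertificateType $type | Where-Object { -not $_.IsPrimary }
if (-not $new) { throw "no secondary $type certificate found after Update-AdfsCertificate" }
Write-Host "new $type certificate $($new.Thumbprint) expires $($new.Certificate.NotAfter)"

# Step 2: disable auto rollover; while it is on, the primary cannot be changed by hand.
Set-AdfsProperties -AutoCertificateRollover $false

# Step 3: promote the new certificate to primary.
Set-AdfsCertificate -CertificateType $type -Thumbprint $new.Thumbprint -IsPrimary

# Step 4: restart the ADFS service on every farm member.
foreach ($node in $AdfsNodes) {
    Invoke-Command -ComputerName $node -ScriptBlock { Restart-Service adfssrv }
}

# Step 5: relying parties that do not consume federation metadata need the public key by hand,
# so export it (public certificate only, no private key) for handing over.
$export = Join-Path $env:TEMP "adfs-token-signing-$($new.Thumbprint).cer"
[System.IO.File]::WriteAllBytes($export, $new.Certificate.Export('Cert'))
Write-Host "public certificate exported to $export"

# Step 6: push the new signing certificate to the Office 365 federation trust.
Connect-MsolService
Update-MsolFederatedDomain -DomainName $FederatedDomain -SupportMultipleDomain

# Step 7: re-enable auto rollover.
Set-AdfsProperties -AutoCertificateRollover $true

# Check: the signing certificate ADFS uses and the one Office 365 holds must have the same
# thumbprint, otherwise sign-ins fail with the 80041317 error described in the post.
Get-MsolFederationProperty -DomainName $FederatedDomain |
    Select-Object Source, @{ n = 'TokenSigningCert'; e = { $_.TokenSigningCertificate.Thumbprint } }
```

the final Get-MsolFederationProperty output lists one row for the ADFS server and one for Office 365; if the thumbprints differ, step 6 did not take and needs to be re-run.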

update 4/8/2015:
next year i’m going to update the token-decrypting certificate at the same time to hopefully avoid any possibility of a future ADFS issue. after changing out both certs i plan on restarting the ADFS services on both internal servers and then restarting the services on the proxies.

update 9/24/2015 (updating the service communications certificate):
import the new certificate through the usual means and then grant the ADFS service account read access to the certificate’s private key. then from the ADFS GUI use “set service communications certificate” and choose the new cert. it seems like that would be it, but it isn’t.

run Get-AdfsCertificate to get the thumbprints of the current certificates. Get-AdfsSslCertificate can be used as well, but in my case it was reporting the thumbprint of the old cert. once the correct thumbprint is located, run Set-AdfsSslCertificate -Thumbprint [thumbprint]. at this point the new certificate is visible from a web browser; however, it’s recommended to restart the adfs services anyway.

on ADFS WAP systems use Get-WebApplicationProxySslCertificate and Set-WebApplicationProxySslCertificate and restart the services on the WAPs. some sources mention that this command must be run as well: Get-WebApplicationProxyApplication -Name “[name]” | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint [thumbprint]
^confirmed that Set-WebApplicationProxyApplication must be run. to retrieve the web application proxy application name, run Get-WebApplicationProxyApplication | fl
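the service communications update from the two paragraphs above as a script, with the thumbprint comparison the post describes (Get-AdfsCertificate versus Get-AdfsSslCertificate) turned into a check. this is an added example, not the post's own commands: it assumes the new certificate is already imported into LocalMachine\My with the ADFS service account granted read access to the private key and already selected in the ADFS GUI as the service communications certificate, and that the WAP servers in $WapServers are reachable over WinRM. all names are placeholders.

```powershell
# Added example (not from the original post): bind ADFS 3.0 and the WAPs to a new service
# communications certificate and verify the binding. Assumes the certificate is imported,
# the ADFS service account can read its private key, it is already set as the service
# communications certificate in the ADFS GUI, and $WapServers are reachable over WinRM.
param(
    [Parameter(Mandatory = $true)][string]$NewThumbprint,   # placeholder thumbprint
    [string[]]$WapServers = @()                             # placeholder WAP host names
)
Import-Module ADFS
$NewThumbprint = ($NewThumbprint -replace '\s', '').ToUpper()   # GUI copies carry spaces

# Get-AdfsCertificate is the reliable view; Get-AdfsSslCertificate may still show the old cert.
$svc = Get-AdfsCertificate -CertificateType Service-Communications
if ($svc.Thumbprint -ne $NewThumbprint) {
    throw "ADFS service communications certificate is $($svc.Thumbprint); set the new one in the GUI first"
}

# Rebind the HTTP.SYS listeners (ADFS 3.0 has no IIS) and restart the service.
Set-AdfsSslCertificate -Thumbprint $NewThumbprint
Restart-Service adfssrv

# Every listener should now report the new hash; warn about any that does not.
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $NewThumbprint }
if ($stale) {
    Write-Warning "listeners still bound to another certificate: $(($stale | ForEach-Object { "$($_.HostName):$($_.PortNumber)" }) -join ', ')"
}

# WAP: the SSL binding and then the external certificate of every published application,
# since the post confirms Set-WebApplicationProxyApplication is required.
foreach ($wap in $WapServers) {
    Invoke-Command -ComputerName $wap -ArgumentList $NewThumbprint -ScriptBlock {
        param($tp)
        Import-Module WebApplicationProxy
        Set-WebApplicationProxySslCertificate -Thumbprint $tp
        Get-WebApplicationProxyApplication | ForEach-Object {
            $_ | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint $tp
        }
        Restart-Service appproxysvc
        Restart-Service adfssrv
        Get-WebApplicationProxySslCertificate | Select-Object HostName, PortNumber, CertificateHash
    }
}
```

the last line inside the WAP script block returns the proxy's bindings so the thumbprints can be eyeballed from the ADFS server without logging on to each WAP.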

sources:
http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/13/replace-certificates-on-adfs-3-0.aspx#pi47623=2
https://blogs.blackmarble.co.uk/blogs/adawson/post/2015/02/13/Changing-the-Certificate-on-ADFS-30-and-Web-Application-Proxy-(WAP).aspx
http://scug.be/sccm/2015/06/04/how-to-replace-expired-certificates-on-adfs-3-0-the-right-way/

update 8/12/2016:
a few months back i needed to add a new ADFS node to the farm and was blocked by the existence of an expired token-signing certificate. the error message displayed by the new node makes it seem like the certificate problem is with the new node; however, this is not the case as the issue is actually with your existing ADFS farm members. i couldn’t find a way to remove the certificate via the management GUI. when running Get-AdfsCertificate i could see the offending certificate listed and grab its thumbprint.

i then ran the following to remove the expired certificate:
Set-AdfsProperties -AutoCertificateRollover $false
Remove-AdfsCertificate -Thumbprint [thumbprint] -CertificateType Token-Signing
Set-AdfsProperties -AutoCertificateRollover $true

and the expired certificate was removed. no down time was caused by this.
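the removal above as a script that finds expired token certificates itself instead of taking a pasted thumbprint, and refuses to remove a primary certificate (removing the primary would break sign-ins). this is an added example, not the post's own commands; it assumes ADFS 3.0 with the ADFS module, run on the primary federation server, and it restores the original AutoCertificateRollover value even if a removal fails.

```powershell
# Added example (not from the original post): remove expired, non-primary token-signing and
# token-decrypting certificates from the ADFS farm. Assumes ADFS 3.0 (Import-Module ADFS)
# on the primary federation server, run elevated.
Import-Module ADFS

$now = Get-Date
$expired = Get-AdfsCertificate |
    Where-Object { ($_.CertificateType -in 'Token-Signing', 'Token-Decrypting') -and
                   ($_.Certificate.NotAfter -lt $now) }

if (-not $expired) { Write-Host 'no expired token certificates found'; return }

# The post disables auto rollover around the removal; remember the current value so it
# can be put back afterwards.
$rollover = (Get-AdfsProperties).AutoCertificateRollover
try {
    if ($rollover) { Set-AdfsProperties -AutoCertificateRollover $false }

    foreach ($c in $expired) {
        if ($c.IsPrimary) {
            # An expired primary must be replaced (see the rollover steps earlier in the post),
            # never simply deleted.
            Write-Warning "$($c.CertificateType) primary $($c.Thumbprint) is expired; promote a new certificate before removing it"
            continue
        }
        Write-Host "removing expired $($c.CertificateType) $($c.Thumbprint) (expired $($c.Certificate.NotAfter))"
        Remove-AdfsCertificate -CertificateType $c.CertificateType -Thumbprint $c.Thumbprint
    }
}
finally {
    if ($rollover) { Set-AdfsProperties -AutoCertificateRollover $true }
}

# Report what is left with days until expiry, so the next rollover can be planned instead
# of discovered by a failed farm join.
Get-AdfsCertificate | Select-Object CertificateType, IsPrimary, Thumbprint,
    @{ n = 'DaysLeft'; e = { [int]($_.Certificate.NotAfter - $now).TotalDays } }
```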

source: https://social.technet.microsoft.com/Forums/office/en-US/3e56f2bf-b885-4de0-bf88-5b50acbcfea5/adfs-joining-an-existing-federation-server-farm-error-cannot-find-certificate-i-do-not?forum=winserverDS

This entry was written by resinblade, posted on Friday April 04 2014 at 06:04 pm, filed under IT.