This article explains types of certificates present in ADFS server and the steps to renew the SSL service communication certificate from ADFS server.
Basically there are 3 types of certificate required for ADFS certificate-
- Service Communication certificate – This certificate will be used for the secure communications between the web clients(web clients,federated servers,web application proxy and federated server proxy).The service communication certificate will be issued to the end users when they are redirected to the ADFS page by the application. Its always recommended to have a public SSL for this service communication certificate because it needs to be presented to the end users when redirected to ADFS page.
- Signing Certificates- Signing certificates will be used to sign the SAML token.When signed all the data within the token will be readable in clear-text but when the consumer receives the token it knows that the token has not be tampered from the source. If it finds them to be tampered then it will not accept.Token Signing Can be done only with private portion which only the ADFS server will be having.
This is the certificate used to sign only the SAML tokens.Token validation will be done with public portion of this certificate which will be available in the ADFS metadata. ADFS certificates will have one default self signed signing certificate which has validity of 1 year and this can be extended. Or we can generate one from internal CA and assign them.
- Token Decryption Certificate- This certificate will be used when the application will be sending the encrypted tokens to the ADFS server.With this it will not sign the token but only encrypt the token. The application will encrypt the token by using the public part of the token decryption certificate. The ADFS server only will be having the private part of the key which it will be using to decrypt the token. ADFS certificates will have one default self signed token decryption certificate which has validity of 1 year and this can be extended. Or we can generate one from internal CA and assign them.
We can see the public certificate from the published ADFS metadata.
Access the metadata url in browser. look for X509 that has values that ends with “=” sign.It’s base64 encoded so it will normally end with an “=” sign.
We can see multiple x509 values. The public certificate is base64 encoded so it will normally end with an “=” sign at the end like example below.
Once after we save them in .crt format we can see the public certificate which will be present in the ADFS metadata URL. So by using this the application will encrypt the token and send them to ADFS server. The ADFS server in turn can decry-pt this by using this certificate private key. This certificate private key will be present only with the ADFS server.Just in case if this private key is compromised then anybody can impersonate as your ADFS server
We can more or less verify the encryption on our own to get a better understanding of how it works.
When we do a SAML-trace in Firefox developer edition against a Relying Party we have with ADFS when we check the SAML-token, we will see that the saml:p response to the integrated service provider will be encrypted.
Below steps can be followed to renew the communication certificate
- Generate CSR from ADFS server. This can be done via IIS.
- Get the certificate issued from the public CA Portal.
- Once certificate is issued, add new certificate in Certificate store.
- Verify Private Key on the certificate. Make sure new certificate has the private key.
- Assign Permissions to the Private Key for ADFS service account. Right click on the certificate, click manage private keys, add ADFS service account and assign permissions as shown in below screenshot.
6. From ADFS console select “Set Service Communication Certificate”
7.Select new certificate from prompted list of certificates.
To renew the SSL certificate for ADFS claims providers federation metadata URL can follow the previous article – https://exchangequery.com/2018/01/25/renew-ssl-certificate-for-adfs-url/