ADFS

Determine when the current certificates expire

5th April 2020 /

We can use the following procedure to identify the primary token signing and token decryption certificates and to determine when the current certificates expire.

We can run the following Windows PowerShell command:

Get-AdfsCertificate –CertificateType token-signing (or Get-AdfsCertificate –CertificateType token-decrypting

Or you can examine the current certificates in the MMC: Service->Certificates.

Get-ADFSCertificate

The certificate for which the IsPrimary value is set to True is the certificate that AD FS is currently using.

The date shown for the Not After is the date by which a new primary token signing or decrypting certificate must be configured.

To ensure service continuity, all federation partners (represented in your AD FS farm by either relying party trusts or claims provider trusts) must consume the new token signing and token decryption certificates prior to this expiration. Microsoft recommend that to plan this process at least 60 days in advance.

Ref: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ts-td-certs-ad-fs

Leave a Reply

Your email address will not be published. Required fields are marked *