ADFS - Replacing Token-Signing Cert - Impact on Relying party

  • Question

  • My Token-Signing cert is about to expire on our ADFS 2.0 farm. I'm replacing this with a Verisign cert and sending an export to all our relying parties.

    My question is -

    If I add the new cert as a secondary, will the relying party be able to use this cert from that moment on - or - will they only be able to use this cert once I promote it as the primary? Will they all still be able to use the old cert (before it expires) if I demote to a secondary?

    I'm concerned as our relying parties are dispersed around the globe and co-ordinating a specific time for them all to change would be next to impossible.

    Thanks
    Wednesday, September 26, 2012 3:06 AM

Answers

  • Thanks for the reply Dominick. I got the answer below from Microsoft today - It concurs with yours.

    ********************************************

    First add the new token signing certificate as a secondary. This will add the certificate as a verification certificate and any RPs that are automatically grabbing the federation metadata will then add the new verification certificate to the RP's configuration. For other RPs, they will need to manually add (not replace) the new certificate thumbprint as a verification certificate. The RPs will then be able to verify a signature using either the old or the new certificate. It is important that all RPs have this new certificate added to their configuration before continuing. At this point ADFS will continue to sign tokens using the original (i.e. primary) token signing certificate.

    Then designate the new token signing certificate as the primary. At that point ADFS will start to sign tokens using the private key of the new certificate and as all RPs can now verify the signature based on this certificate, the new tokens are trusted.

    The third step is for the old token signing certificate (which is now a secondary) to be deleted from ADFS and for all RPs to remove the certificate from their configuration (either automatically or manually). This can happen when convenient as there is no longer a dependency on this old certificate.

    • Marked as answer by StuBow75 Thursday, September 27, 2012 12:54 AM
    Thursday, September 27, 2012 12:54 AM
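The three steps in the reply above, written out as ADFS 2.0 PowerShell. This is an added example and is not part of the original thread or of Microsoft's response; the thumbprints and the federation metadata URL are placeholders. The metadata check between steps 1 and 2 is an extra step a practitioner would add to confirm the new key is actually being published as a verification certificate before asking relying parties to trust it.

```powershell
# Added example: the rollover described in the reply, using the ADFS 2.0 snap-in.
# Assumptions: $NewThumbprint is the new certificate already installed in the ADFS
# service account's LocalMachine\My store with its private key; the URL is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$NewThumbprint = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98'   # placeholder
$MetadataUrl   = 'https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Returns the thumbprints of every signing key currently published in federation metadata,
# which is exactly the set an RP that auto-refreshes metadata will start trusting.
function Get-PublishedSigningThumbprints {
    param([Parameter(Mandatory=$true)] [string] $FederationMetadataUrl)
    $xml = New-Object System.Xml.XmlDocument
    $xml.LoadXml((New-Object System.Net.WebClient).DownloadString($FederationMetadataUrl))
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $xml.SelectNodes($xpath, $ns) | ForEach-Object {
        $der = [Convert]::FromBase64String($_.InnerText)
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)).Thumbprint
    } | Sort-Object -Unique
}

# Manual management of token-signing certificates requires automatic rollover to be off.
Set-ADFSProperties -AutoCertificateRollover $false

$OldThumbprint = (Get-ADFSCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }).Thumbprint

# Step 1: add the new cert as a secondary. Tokens are still signed with the old primary;
# the new cert is only published as an additional verification key.
Add-ADFSCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint

# Check before notifying RPs: both thumbprints must now appear in the metadata.
$published = Get-PublishedSigningThumbprints -FederationMetadataUrl $MetadataUrl
if (($published -notcontains $NewThumbprint) -or ($published -notcontains $OldThumbprint)) {
    throw "Metadata does not yet list both signing certs: $($published -join ', ')"
}

# ... stop here until every relying party confirms it trusts $NewThumbprint ...

# Step 2: promote. From this point tokens are signed with the new private key.
Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint -IsPrimary

# Step 3 (whenever convenient): retire the old cert; RPs can drop it at their own pace.
Remove-ADFSCertificate -CertificateType Token-Signing -Thumbprint $OldThumbprint

Get-ADFSCertificate -CertificateType Token-Signing |
    Format-Table Thumbprint, IsPrimary, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```

In practice the two halves run days or weeks apart, so treat the script as two sessions split at the "stop here" comment rather than one run. The token-decrypting certificate is a separate object with its own rollover; relying parties encrypt to it, so changing the token-signing cert alone does not touch it.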

All replies

  • Typically (with WIF default settings) you don't need to distribute the certificate. You only need to add the new certificate's thumbprint to the relying parties' list of accepted issuers (there can be more than one). 

    Once they have all updated their config - you should be able to simply switch the signing cert at ADFS.


    Dominick Baier | thinktecture | @leastprivilege | http://www.leastprivilege.com

    Wednesday, September 26, 2012 6:30 AM
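The relying-party side of what Dominick describes, as an added example that is not part of his reply or of WIF itself: a helper that edits a WIF 3.5 `web.config` so the new thumbprint is accepted in addition to the old one, and later removes the old one. The sample `web.config`, the issuer name and both thumbprints are constructed placeholders.

```powershell
# Added example (not from the original thread or the WIF library): maintain the
# <trustedIssuers> list that WIF's ConfigurationBasedIssuerNameRegistry reads.
function Set-TrustedIssuerThumbprint {
    param(
        [Parameter(Mandatory=$true)] [string] $WebConfigPath,
        [Parameter(Mandatory=$true)] [string] $Thumbprint,
        [switch] $Remove
    )
    # Thumbprints copied from the certificate MMC often carry spaces or an invisible
    # left-to-right mark; WIF compares bare hex, so strip anything that is not a hex digit.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Not a SHA-1 thumbprint: '$Thumbprint'" }

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($WebConfigPath)
    $issuers = $xml.SelectSingleNode(
        '/configuration/microsoft.identityModel/service/issuerNameRegistry/trustedIssuers')
    if (-not $issuers) { throw "No <trustedIssuers> element in $WebConfigPath" }

    $existing = @($issuers.SelectNodes('add') | Where-Object {
        ($_.GetAttribute('thumbprint') -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() -eq $clean
    })

    if ($Remove) {
        foreach ($node in $existing) { [void]$issuers.RemoveChild($node) }
    }
    elseif ($existing.Count -eq 0) {
        # Reuse the issuer name of the current entry: both certificates belong to the same
        # ADFS instance, so claims must keep the same Issuer value after the switch.
        $first = $issuers.SelectSingleNode('add')
        if (-not $first) { throw 'No existing entry to copy the issuer name from; add the first one by hand' }
        $add = $xml.CreateElement('add')
        $add.SetAttribute('thumbprint', $clean)
        $add.SetAttribute('name', $first.GetAttribute('name'))
        [void]$issuers.AppendChild($add)
    }
    $xml.Save($WebConfigPath)
    # Return what is trusted now so the caller can confirm both thumbprints are present.
    $issuers.SelectNodes('add') | ForEach-Object { $_.GetAttribute('thumbprint') }
}

# Constructed sample web.config (WIF 3.5 layout) to run the helper against.
$sample = Join-Path $env:TEMP 'rp-web.config'
@'
<?xml version="1.0"?>
<configuration>
  <microsoft.identityModel>
    <service>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="0123456789ABCDEF0123456789ABCDEF01234567" name="http://adfs.example.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
'@ | Set-Content -Path $sample -Encoding UTF8

# While ADFS still signs with the old cert: add the new thumbprint (placeholder, as pasted from the MMC).
Set-TrustedIssuerThumbprint -WebConfigPath $sample -Thumbprint 'fe dc ba 98 76 54 32 10 fe dc ba 98 76 54 32 10 fe dc ba 98'
# After ADFS has promoted the new cert: drop the old thumbprint.
Set-TrustedIssuerThumbprint -WebConfigPath $sample -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -Remove
```

Saving `web.config` recycles the ASP.NET application, so run it in a maintenance window per relying party. Adding rather than replacing is what makes the global timing problem in the question disappear: each RP can be updated at any point before the promotion and cleaned up at any point after it.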