Thursday, February 5, 2015

Change Certificate on Windows Server 2012 R2 Web Application Proxy

With ADFS 3.0 and the Web Application Proxy role, IIS is no longer required: the certificate bindings for the ADFS and WAP services are done with PowerShell. In this example the same certificate is used for ADFS and for all published WAP applications.
The new certificate must already be installed in the local machine's certificate store (Cert:\LocalMachine\My); its thumbprint (the SHA-1 hash of the certificate) is used to reference it. To list all available certificates, run:

dir Cert:\LocalMachine\My

Example output:

Thumbprint                                Subject
----------                                -------
9450B39AAAE6F203DD68AC1EA1D8D46A8C581E41  CN=certold.mydomain.com
921461C2FF106D4A50A6F3574D1CC25A7D4451B9  CN=certnew.mydomain.com

Now run the PowerShell commands to bind the new certificate:

Get-WebApplicationProxyApplication DRS | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9
Get-WebApplicationProxyApplication Workfolders | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9
Set-WebApplicationProxySslCertificate -Thumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9

Now restart the ADFS service so the new binding takes effect:

Stop-Service "Active Directory Federation Services"
Start-Service "Active Directory Federation Services"


To verify, run these commands and check that the new thumbprint is reported:

Get-WebApplicationProxyApplication DRS
Get-WebApplicationProxyApplication Workfolders
Get-WebApplicationProxySslCertificate


or inspect the HTTP.sys SSL bindings directly:

netsh http show sslcert
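The whole procedure above as one script, with the checks a practitioner would want before and after the change: it confirms the certificate is present with its private key, valid and usable for server authentication, confirms its SAN names cover every published application's external host, rebinds every application (not only DRS and Workfolders) plus the WAP SSL listener, restarts the service, and then fails loudly if anything still references the old certificate. This is an added example, not code from the original post. It assumes the WebApplicationProxy module is available on the WAP server, that the ExternalCertificateThumbprint, CertificateHash, HostName and PortNumber property names on the Get-* output are as written here, and that the thumbprint you pass in is your own (the value from the post is only a placeholder).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Rebinds every published WAP
# application and the WAP SSL listener to one new certificate, checking the
# certificate first and verifying the result afterwards.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]   # a SHA-1 thumbprint is 40 hex characters
    [string]$NewThumbprint                   # placeholder: 921461C2FF106D4A50A6F3574D1CC25A7D4451B9
)

Import-Module WebApplicationProxy -ErrorAction Stop

# Does one of the certificate's DNS names (plain or '*.' wildcard) cover this host?
# A wildcard covers exactly one label to the left of its suffix.
function Test-HostCoveredByName {
    param([string]$HostName, [string[]]$DnsNames)
    foreach ($name in $DnsNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                      # '.mydomain.com'
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left.Length -gt 0 -and $left -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# --- 1. Pre-flight: the certificate must be usable as a TLS server certificate ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -ieq $NewThumbprint } | Select-Object -First 1
if (-not $cert)               { throw "No certificate with thumbprint $NewThumbprint in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate '$($cert.Subject)' has no private key on this machine" }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate '$($cert.Subject)' is outside its validity period (NotBefore $($cert.NotBefore), NotAfter $($cert.NotAfter))"
}
# 1.3.6.1.5.5.7.3.1 is the Server Authentication extended key usage.
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw "Certificate '$($cert.Subject)' lacks the Server Authentication EKU"
}

# --- 2. Every published application's external host must be covered by the certificate ---
$apps     = @(Get-WebApplicationProxyApplication)
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
foreach ($app in $apps) {
    $hostName = ([uri]$app.ExternalUrl).Host
    if (-not (Test-HostCoveredByName -HostName $hostName -DnsNames $dnsNames)) {
        throw "Certificate does not cover '$hostName' (application '$($app.Name)'); names on certificate: $($dnsNames -join ', ')"
    }
}

# --- 3. Rebind: each application's external certificate, then the WAP SSL listener ---
foreach ($app in $apps) {
    if ($app.ExternalCertificateThumbprint -ieq $NewThumbprint) { continue }   # already done; keeps the script re-runnable
    Write-Verbose "Rebinding '$($app.Name)' ($($app.ExternalUrl)) to $NewThumbprint"
    $app | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint $NewThumbprint
}
Set-WebApplicationProxySslCertificate -Thumbprint $NewThumbprint

# --- 4. Restart the ADFS service so the new binding is picked up ---
Restart-Service -DisplayName 'Active Directory Federation Services'

# --- 5. Verify: nothing may still reference the old certificate ---
$staleApps = @(Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalCertificateThumbprint -ine $NewThumbprint })
# CertificateHash/HostName/PortNumber are the assumed column names of Get-WebApplicationProxySslCertificate output.
$staleListeners = @(Get-WebApplicationProxySslCertificate |
    Where-Object { $_.CertificateHash -ine $NewThumbprint })
if ($staleApps -or $staleListeners) {
    $staleApps      | ForEach-Object { Write-Warning "Application '$($_.Name)' still uses $($_.ExternalCertificateThumbprint)" }
    $staleListeners | ForEach-Object { Write-Warning "Listener $($_.HostName):$($_.PortNumber) still uses $($_.CertificateHash)" }
    throw "Certificate rollover incomplete"
}
Write-Output "All $($apps.Count) WAP application(s) and the SSL listener now use $NewThumbprint ($($cert.Subject), expires $($cert.NotAfter))"
```

Run it on the WAP server from an elevated PowerShell session, for example `.\Set-WapCertificate.ps1 -NewThumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9 -Verbose`. The script stops before touching any binding if the certificate fails a check, and the final step makes a half-applied rollover (one application still on the old thumbprint) an error rather than something you discover from a browser warning later.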
