When the GUI Initial Configuration Wizard (ICW) of AD FS 2.0 has been executed, AutoCertificateRollover is automatically enabled by default and the token-signing and token-decrypting certificates are self-signed and maintained by the AD FS 2.0 service.
When the command line ICW of AD FS 2.0 has been executed, AutoCertificateRollover is either on or off depending on the syntax you provided at the command line.
You can optionally turn off AutoCertificateRollover post-ICW by running the following from PowerShell:
Add-PSSnapin Microsoft.Adfs.Powershell
Set-ADFSProperties -AutoCertificateRollover $false
If you have turned off AutoCertificateRollover in the past and you want to turn it back on, there are a few things you need to consider:
If you decide to let the existing certificates hit the critical threshold instead of invoking the certificate generation process, then you only need to re-enable AutoCertificateRollover.
If you decide that you want to immediately generate new self-signed certificates, then you need to first re-enable AutoCertificateRollover and then issue a PowerShell command to invoke immediate certificate generation.
PowerShell command to re-enable AutoCertificateRollover:
Add-PSSnapin Microsoft.Adfs.Powershell
Set-ADFSProperties -AutoCertificateRollover $true
PowerShell command to immediately generate new self-signed certificates:
Add-PSSnapin Microsoft.Adfs.Powershell
Update-AdfsCertificate -Urgent
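The whole re-enable procedure above, as an added example script that is not part of the original article: it records the rollover state and current token-signing and token-decrypting certificates, re-enables AutoCertificateRollover, optionally forces immediate generation, and then shows what changed. It assumes the AD FS 2.0 snapin is installed and the session runs with AD FS administrator rights; the $generateNow switch and the Show-AdfsCertState function are the example's own.

```powershell
# Added example, not from the original article.
# Assumes: AD FS 2.0 snapin installed, session has AD FS administrator rights.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

# Helper (example's own): print the rollover setting and every token-signing /
# token-decrypting certificate AD FS currently knows about, with expiry and thumbprint.
function Show-AdfsCertState {
    param([string]$Label)
    Write-Host "== $Label =="
    $props = Get-ADFSProperties
    Write-Host ("AutoCertificateRollover : {0}" -f $props.AutoCertificateRollover)
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        Get-ADFSCertificate -CertificateType $type | ForEach-Object {
            Write-Host ("{0,-16} Primary={1,-5} NotAfter={2:yyyy-MM-dd} Thumbprint={3}" -f `
                $_.CertificateType, $_.IsPrimary, $_.Certificate.NotAfter, $_.Thumbprint)
        }
    }
}

Show-AdfsCertState -Label 'Before'

# $false: only re-enable rollover and let the certificate thresholds trigger generation.
# $true : re-enable rollover AND generate new self-signed certificates right now.
$generateNow = $false

# Step 1 (both cases): rollover must be on before AD FS will manage the certificates.
Set-ADFSProperties -AutoCertificateRollover $true

# Step 2 (immediate case only): -Urgent rolls the certificates over without honoring
# the promotion threshold, so the new certificates become primary at once. Relying
# parties that do not pull federation metadata automatically will need the new
# certificates before tokens issued with them are accepted.
if ($generateNow) {
    Update-ADFSCertificate -Urgent
}

Show-AdfsCertState -Label 'After'
```

Compare the two listings: after re-enabling alone, only the AutoCertificateRollover value changes; after an urgent update, new thumbprints appear and the primary flag moves to them.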