0 Votes
AamirMasthan-9388 asked ·

ADFS certificate export

Hello team

We need to export the ADFS token signing and token decrypting certificates with the private key.

But when we do the export/copy, we do not get the option to export the keys.

Please advise

adfs

0 Votes
piaudonn answered ·

Hello -

Do you mean the self-signed certificates which are automatically generated? Why would you export them?
You don't need them when you upgrade the farm, as you upgrade by adding new nodes to an existing farm.
They are in the backup when you use ADFS Rapid Restore and get restored with the same tool.
You don't need them to create a trust, neither with an IDP nor with an SP.

So I am curious :)


0 Votes
AamirMasthan-9388 answered ·

Hello Piaudonn,

Yes, the self-signed certificates which auto-rollover.

There is a reason for exporting them; please let me know if it is possible.

Thanks

Aamir Masthan


There are no supported ways to export them.
What is the reason then? If that is a good enough reason, the lack of exportability might be addressed.

0 Votes
0 Votes
AamirMasthan-9388 answered ·

We are building the test environment with the same ADFS farm by taking a VM snapshot.


0 Votes
piaudonn answered ·

The test environment could have a different cert then, if it has a different name, a different AD, etc. And if that's the same "cloned" AD environment, then the snapshot you take will already have the cert in it (although that's also not a supported way to back up/restore ADFS; the recommendation for backup/restore is to use the Rapid Restore tool).
Anyhow, I am afraid that doesn't seem to be a good reason. Besides, test environments are also usually not secured the same way as the production environments (more admins, no restrictions, no monitoring, etc.). So putting the actual keys in dev would considerably decrease your overall security posture.
If the intent of the test environment is to create test relying party trusts (for example, to check claim rules or access policies), you can create a test RP with the Claim X-Ray.

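The two answers above point to the supported route: the auto-generated token certificates have non-exportable private keys, and the farm is backed up and recreated with the ADFS Rapid Restore Tool rather than by copying keys. The following PowerShell is an added example, not code from the thread or from Microsoft; it inspects the farm's certificates and takes a Rapid Restore backup. The backup path, comment text and the interactive password prompt are placeholders, and the Rapid Restore module is assumed to be installed on the federation server.

```powershell
# Added example (not from the thread). Run on a federation server as a
# farm administrator. Paths and the backup comment are placeholders.

Import-Module ADFS

# 1. Confirm the farm uses auto-generated (auto-rollover) certificates.
$props = Get-AdfsProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)"

# 2. List the token-signing and token-decrypting certificates with their
#    expiry. The auto-generated ones carry non-exportable private keys,
#    which is why the MMC export wizard offers no private-key option.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-AdfsCertificate -CertificateType $type |
        Select-Object CertificateType, IsPrimary, Thumbprint,
            @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
}

# 3. Supported backup: ADFS Rapid Restore Tool (separate download that
#    provides the ADFSRapidRecreationTool module). -BackupDKM includes
#    the AD DKM container that protects the auto-generated keys, so
#    rebuilt nodes of the *same* farm can be restored from this backup.
Import-Module ADFSRapidRecreationTool
$backupPassword = Read-Host 'Backup encryption password'   # plain string
Backup-ADFS -StorageType 'FileSystem' `
            -StoragePath 'C:\ADFSBackup' `
            -EncryptionPassword $backupPassword `
            -BackupComment 'Placeholder: region A rebuild' `
            -BackupDKM

# 4. Restoring is only for recreating the production farm itself, e.g.
#    the rebuilt region A nodes, never for seeding a test environment
#    with production keys (see the answer above on security posture).
# Restore-ADFS -StorageType 'FileSystem' -StoragePath 'C:\ADFSBackup' `
#              -DecryptionPassword $backupPassword -RestoreDKM
```

Store the backup and its password with the same care as the production keys they protect, since anyone holding both can recreate the farm's signing identity.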

0 Votes
AamirMasthan-9388 answered ·

Hello

Let me explain in more detail.

We have ADFS servers in two data centers, A & B, in different regions, which are load balanced with GTM.

We are planning to rebuild the ADFS servers in one region.

The DB server will get replicated from B once we rebuild A.

However, the challenge is the certificate for the ADFS servers in region A.

Please advise


I don't see how exporting the certificate would help.

Where do you rebuild the server A? In a new environment? In a new AD forest?

0 Votes