hurryhao asked hurryhao edited

Exchange 2016 AD FS certificate validity issue


https://docs.microsoft.com/zh-cn/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2016#step-1-review-the-certificate-requirements-for-ad-fs

According to the above link, Exchange needs to import the AD FS self-signed certificate, and the default validity period is 30 days.

The command to set the validity period is `Set-AdfsProperties -CertificateDuration <Days>`.

  1. What is the maximum value that can be set?

  2. If I have multiple AD FS servers, do I need to import a certificate that trusts each AD FS server on the Exchange side?

  3. If I import and trust the AD FS certificate first, and then use the above command to update the validity period of the certificate, do I need to re-import and trust it on Exchange again?


1 Answer

piaudonn answered hurryhao edited

The default validity time for the self-signed Token Signing Certificate is 365 days (not 30).

  1. I am not sure of the maximum value. I have seen customers with 3 years (that's the longest I have seen being used, but it is not the longest accepted value).

  2. The Token Signing Certificate (the cert required to create the trust) is a farm certificate. It is the same pair of keys on every node.

  3. The command takes effect only for the next certificate generation cycle.



Thank you for your answer.

 PS C:\Users\administrator.TESTYUNWEI> Set-AdfsProperties -CertificateDuration 3650
 PS C:\Users\administrator.TESTYUNWEI> get-AdfsProperties |fl CertificateDuration

 CertificateDuration : 3650

I set the certificate duration.
But the end time of my Token Encryption Certificate and Service Communication Certificate has not changed.
There is no automatic replacement with a new certificate.
How can I replace the certificate with a new one after the time I set?

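The following is an added example, not posted by either participant in this thread. It shows how to check, on the primary AD FS node, the rollover settings that decide when a new self-signed token-signing certificate is generated, how to list the current certificates with their validity windows, and how to export the public part of the primary token-signing certificate for the Exchange side. The output path `C:\Temp\adfs-token-signing.cer` is an assumption chosen for the example.

```powershell
# Added example (not from the thread): inspect and, if needed, roll the AD FS
# token-signing certificate that Exchange must trust. Run on the primary AD FS
# node in an elevated PowerShell session. The export path below is an assumption.
Import-Module ADFS

# 1. Settings that drive automatic generation of the self-signed token-signing /
#    token-decrypting certificates. CertificateDuration is consulted only when the
#    next certificate is generated; certificates already issued keep their NotAfter.
Get-AdfsProperties |
    Format-List CertificateDuration, AutoCertificateRollover,
                CertificateGenerationThreshold, CertificatePromotionThreshold,
                CertificateRolloverInterval

# 2. Current farm certificates with their validity windows. The Service-Communications
#    certificate is not covered by AutoCertificateRollover; it is supplied by the
#    administrator and must be replaced separately.
Get-AdfsCertificate |
    Select-Object CertificateType, IsPrimary, Thumbprint,
                  @{ Name = 'NotBefore'; Expression = { $_.Certificate.NotBefore } },
                  @{ Name = 'NotAfter';  Expression = { $_.Certificate.NotAfter  } } |
    Format-Table -AutoSize

# 3. Optional: generate a new self-signed token-signing certificate now instead of
#    waiting for the generation threshold. Without -Urgent the new certificate is
#    added as secondary and promoted to primary later, which gives relying parties
#    time to import it; with -Urgent it becomes primary immediately and relying
#    parties that trust only the old certificate reject tokens until they are updated.
#    Uncomment to run:
# Update-AdfsCertificate -CertificateType Token-Signing

# 4. Export the public part of the primary token-signing certificate so it can be
#    imported into the Exchange trust (path is an assumption for this example).
$primarySigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
Export-Certificate -Cert $primarySigning.Certificate `
    -FilePath 'C:\Temp\adfs-token-signing.cer' -Type CERT
```

Because a new token-signing certificate has a new thumbprint, whichever relying party pinned the old certificate (here, the Exchange trust) has to receive the exported public certificate again after each rollover; checking `NotAfter` in step 2 after a change to `CertificateDuration` confirms the answer above that existing certificates are unaffected until the next generation cycle.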