RDP to your ADFS internal primary server

Import the new certificate to the Machine’s Personal Store

Make sure you have a private key that corresponds to this certificate. If not, go to the PC you requested the certificate on, export it from there and make sure to include the private key,

Assign the proper permissions to the Private Key for the ADFS Managed Service Account

Now switch to AD FS management, drill down to Certificates and select “Set Service Communication Certificate”

You will be prompted for the required certificate. If you don’t see the new certificate in the list of available certificates – it means you either don’t have the private key that corresponds to this certificate OR you didn’t import the cert correctly.

Get the thumbprint of the replacement SSL cert.

Copy it to notepad and remove the spaces.

Open powershell on one of the FS servers.

Run Get-AdfsSslCertificate. This showed the thumbprint still “stuck” in ADFS, the old one.

Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx   (without spaces).

Restart the ADFS service on both internal FS servers and all was well again.

Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx   (without spaces).

Restart the ADFS service

Additionally when using Web Application Proxy(s):

Copy and import the new certificate to the Web Application Proxy/Proxies. Make sure the certificate is imported into the Machine Personal Store.

Switch the certificate on the Web Application Proxy, using the “Set-WebApplicationProxySslCertificate” cmdlet.