Troubleshooting HTTP.SYS – How to delete an old SSL cert?

Symptom: On the internal ADFS server the SSL certificate has been replaced with the Set-AdfsSslCertificate cmdlet, but Get-AdfsSslCertificate still displays the old thumbprint and the old @myolddomain.com hostname binding.

This stale binding causes an error in Azure AD Connect Health.

Solution:

There is no dedicated ADFS cmdlet to remove this old binding. The solution is to use NETSH HTTP, which manages the SSL bindings held by the HTTP.SYS kernel-mode web server.

Reference: netsh commands for HTTP: https://msdn.microsoft.com/fr-fr/library/windows/desktop/cc307236(v=vs.85).aspx

netsh http show sslcert    ; lists all SSL bindings

In our case, we want to remove all bindings associated with adfslab.myolddomain.com:443

Solution:

In general the command is: netsh http delete sslcert ipport=w.x.y.z:443 (for a binding keyed on IP address and port; a binding keyed on hostname and port is removed with hostnameport= instead)

In our case:

Netsh http delete sslcert hostnameport=adfslab.myolddomain.com:443

Netsh http delete sslcert hostnameport=adfslab.myolddomain.com:49443

Check again with the Get-AdfsSslCertificate cmdlet: only the new thumbprint and hostname should remain.
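The three steps above (list the HTTP.SYS bindings, delete the ones tied to the retired hostname on every port, verify with Get-AdfsSslCertificate) as one PowerShell script. This is an added example, not code from the original post; the hostname is a placeholder, and the script assumes it runs in an elevated PowerShell on the AD FS server where the ADFS module is installed. By default it only reports the stale bindings; pass -Remove to delete them.

```powershell
# Added example (not from the original post): find and remove stale HTTP.SYS SSL
# bindings for a retired AD FS hostname, then verify what AD FS reports.
# Assumptions: $OldHostname is a placeholder; run elevated on the AD FS server.
param(
    [string]$OldHostname = 'adfslab.myolddomain.com',   # placeholder: retired hostname
    [switch]$Remove                                      # without -Remove, report only
)

# 1. Dump every HTTP.SYS SSL binding. netsh prints one block per binding; the
#    SNI (hostname) bindings carry a "Hostname:port : <host>:<port>" line.
$sslcertOutput = netsh http show sslcert

# 2. Collect the hostname:port values that belong to the retired hostname.
#    This catches every port bound to it (443 and 49443 in the post), not just 443.
$stale = foreach ($line in $sslcertOutput) {
    if ($line -match '^\s*Hostname:port\s*:\s*(?<hp>\S+)\s*$') {
        $hp = $Matches['hp']
        if ($hp -like "${OldHostname}:*") { $hp }
    }
}

if (-not $stale) {
    Write-Host "No HTTP.SYS bindings found for $OldHostname"
} else {
    Write-Host "Stale bindings for ${OldHostname}:"
    $stale | ForEach-Object { Write-Host "  $_" }

    if ($Remove) {
        foreach ($hp in $stale) {
            # Same command as in the post, e.g. hostnameport=adfslab.myolddomain.com:443
            netsh http delete sslcert "hostnameport=$hp"
        }
    } else {
        Write-Host "Re-run with -Remove to delete these bindings."
    }
}

# 3. Verify: AD FS should now list only the current thumbprint and hostname.
Get-AdfsSslCertificate | Format-Table -AutoSize
```

Run it once without -Remove and compare the reported bindings with the output of Get-AdfsSslCertificate before deleting anything; HTTP.SYS bindings are shared with any other web listener on the host, so confirm each stale entry really belongs to the retired AD FS name.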