Renew token signin certificate for Office 365 and Azure Active Directory when you have a non windows federate service

Posted: January 10, 2019 | Author: | Filed under: Office 365, Office365 | Leave a comment

A few days ago I had to renew the token signin certificate in the Security Token Service (non windows) deployed on premises.

In this case the Security Token Service was running under F5 BIG-IP Access Policy Manager: Authentication and Single Sign-On

Once I did it, the question was,

Should i do anything else in Azure and O365 to maintain the trust federation?

If you have a Windows Federation Service, typical Known as ADFS, you don´t need to do any extra task.

By default, ADFS includes an auto-renewal process called AutoCertificateRollover.

If you have ADFS 2.0 or later, Office 365 and Azure AD automatically update your certificate before it expires when AutoCertificateRollover is set to True.

You can check this value running the cmdlet Get-ADFSProperties

But in this case the answer to this question is YES.

I don´t have a Windows Federation Service, so I had to do an extra task to update my signin certificate in order to maintain the Trust Federation.

At this point I am going to explain what I did.

First at all, I saved the new certificate as pf-signing.crt in my computer in the following path: c:\temp

I opened a new file in notepad and added the following lines:

Note: Be in mind to put your Office 365 domain name first.

$certFile = “C:\temp\pf-signing.cr”

$cert = [IO.File]::ReadAllText($certFile)

$cert = $cert.replace(“—–BEGIN CERTIFICATE—–“,””)

$cert = $cert.replace(“—–END CERTIFICATE—–“,””)

$cert = $cert.replace(“`r”,””)

$cert = $cert.replace(“`n”,””)

$domainName = “myO365domain”

$protocol = “SAMLP”

Set-MsolDomainFederationSettings -DomainName “$domainName” -SigningCertificate “$cert” -PreferredAuthenticationProtocol $protocol

Then I saved it as a PowerShell script file cert-update.ps1 in C:\temp folder.

Then I opened Azure Active Directory Module for Windows PowerShell to connect to my Office 365 tenant with admin credentials

This can be done by running connect-msolservice

And finally I runned the PowerShell script created above in the local path: c:\temp

.\cert-update.ps1