Why isn't my ADFS SSL certificate updating?

After spending more time on this than I care to admit, I figured I'd write it up on my blog. The SSL certificate expired in one of my ADFS for Windows Server 2012 R2 environments. Logically you would expect to fix this via the ADFS management console by clicking "Set Service Communications Certificate". I set the cert and restarted ADFS, however users were still getting the original expired cert.

After a bit of digging I uncovered the Get-AdfsSslCertificate and Set-AdfsSslCertificate cmdlets. Sure enough, when I executed Get-AdfsSslCertificate the thumbprint of the original expired certificate was returned. This is because the change in the ADFS management console only updates the ADFS configuration database. It does not change the binding in HTTP.SYS. Since 2012 R2 has no IIS dependency, there is no user interface to manage the SSL certificate binding. As a result we must use PowerShell to do it.

Relevant TechNet link: https://technet.microsoft.com/en-us/library/dn479374.aspx
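As an added example (not part of the original post), the following script compares the certificate recorded in the ADFS configuration database with the one actually bound in HTTP.SYS, and updates the HTTP.SYS binding when they disagree. It uses the real Get-AdfsCertificate, Get-AdfsSslCertificate and Set-AdfsSslCertificate cmdlets; the thumbprint value is a placeholder, and the `CertificateHash` output property name and the `adfssrv` service name are assumptions about the 2012 R2 ADFS module:

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the ADFS server. Replace the placeholder with the renewed
# certificate's thumbprint (no spaces, uppercase hex).
Import-Module ADFS

$newThumbprint = 'REPLACE_WITH_NEW_CERT_THUMBPRINT'   # placeholder

# 1. What the ADFS configuration database believes is the service
#    communications certificate. This is the value the MMC action
#    "Set Service Communications Certificate" changes.
$configured = Get-AdfsCertificate -CertificateType 'Service-Communications'
Write-Host "Configured service communications cert: $($configured.Thumbprint)"

# 2. What HTTP.SYS is actually serving in the TLS handshake.
#    Property name CertificateHash is assumed for the binding objects.
$bound = Get-AdfsSslCertificate
$bound | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# 3. Sanity-check the renewed certificate before binding it: it must be in
#    the machine store, have a private key, and not already be expired.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $newThumbprint }
if (-not $cert)            { throw "Certificate $newThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $newThumbprint has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $newThumbprint is already expired (NotAfter $($cert.NotAfter))" }

# 4. If any HTTP.SYS binding still points at a different (e.g. expired)
#    thumbprint, rebind and restart the federation service.
$stale = $bound | Where-Object { $_.CertificateHash -ne $newThumbprint }
if ($stale) {
    Write-Host "HTTP.SYS binding does not match $newThumbprint; updating..."
    Set-AdfsSslCertificate -Thumbprint $newThumbprint
    Restart-Service -Name adfssrv                     # service name assumed
    Write-Host "Bindings after update:"
    Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
} else {
    Write-Host "HTTP.SYS binding already uses $newThumbprint"
}

# 5. Independent cross-check of the raw HTTP.SYS SSL bindings.
netsh http show sslcert
```

The configuration-database thumbprint (step 1) and the HTTP.SYS thumbprint (step 2) are the two values that drifted apart in the scenario above; seeing them side by side makes the mismatch obvious before any change is made. In a multi-node farm, Set-AdfsSslCertificate changes only the local server's HTTP.SYS binding, so repeat the script on every federation server.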