This is another script in my toolbox; I have tweaked it a little to look pretty and work in other environments. The script is used to update certificates on the ADFS server and to update the ADFS signing certificate on Office 365 federated domains. It's not in any way a perfect script, but it gets the work done. Download script here
Video of the ADFS script in action:
Syntax:
.\ADFSCertUpdate.ps1 -CertPath .\W12E13-StartSSL.pfx
.\ADFSCertUpdate.ps1 -CertPath .\W12E13-StartSSL.pfx -UpdateSigningandDecrypting
.\ADFSCertUpdate.ps1 -CertPath .\W12E13-StartSSL.pfx -UpdateSigningandDecrypting -UpdateMSOL
.\ADFSCertUpdate.ps1 -CertPath .\W12E13-StartSSL.pfx -UpdateSigningandDecrypting -UpdateMSOL -UpdateExchange
Breakdown of the script below
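#ADFS Certificate Update
#Hannel Hazeley
#hhazeley@outlook.com
#Version 3.0
#
# Imports a PFX into the local machine store, makes it the ADFS
# Service-Communications / SSL certificate and, on request, rolls the
# Token-Signing and Token-Decrypting certificates over to it, updates the
# federated Office 365 domains and prints the command to run on Exchange.
#
# Parameters:
#   -CertPath                    path to the .pfx file (its password is prompted for)
#   -UpdateSigningandDecrypting  also roll Token-Signing / Token-Decrypting over to the new cert
#   -UpdateMSOL                  update every Federated Office 365 domain
#   -UpdateExchange              print the Set-OrganizationConfig command for Exchange
#   -AdfsServerNameFilter        -like pattern for the AD computer names of the other ADFS
#                                servers; the default keeps the previously hard-coded value
#   -MSOLUsername                optional user name pre-filled in the Office 365 credential prompt
Param(
  [Parameter(Mandatory=$true)] $CertPath,
  [Switch]$UpdateSigningandDecrypting,
  [Switch]$UpdateMSOL,
  [Switch]$UpdateExchange,
  [string]$AdfsServerNameFilter = "001-ev1ad*",
  [string]$MSOLUsername
)

# Cmdlet errors are suppressed for the whole run, so every critical step below
# is followed by an explicit read-back check instead of trusting the cmdlet.
$ErrorActionPreference = "SilentlyContinue"

#Requesting password for PFX file (read as a SecureString so it is not echoed or left in argv)
Write-Host
$Password = Read-Host -Prompt "Enter the password for your .pfx certificate" -AsSecureString
Write-Host

#Importing PFX certificate
# NOTE(review): -Exportable leaves the private key exportable from this host's store;
# confirm that is really required in your environment before keeping it.
$NewCert = Import-PfxCertificate -FilePath $CertPath -CertStoreLocation cert:\localMachine\my -Password $Password -Exportable
$ValidateCert = Get-ChildItem -Path cert:\LocalMachine\my | Where-Object { $_.Thumbprint -eq $NewCert.Thumbprint }

If ($ValidateCert -ne $null) {
  If ($UpdateMSOL.IsPresent) {
    # Only pass -UserName when one was supplied; the original referenced an undefined $Username.
    $credArgs = @{ Message = "Please enter a Global Admin credential for your O365 Environment." }
    If ($MSOLUsername) { $credArgs.UserName = $MSOLUsername }
    $cred = Get-Credential @credArgs
    Connect-MsolService -Credential $cred
  }

  #Enabling service on newly import certificate
  Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $NewCert.Thumbprint
  Set-AdfsSslCertificate -Thumbprint $NewCert.Thumbprint
  # Read the configuration back; a silenced failure above would otherwise go unnoticed.
  $vthumbprint = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint

  If ($vthumbprint -eq $NewCert.Thumbprint) {
    If ($UpdateSigningandDecrypting.IsPresent) {
      Write-Host
      Write-Host -ForegroundColor Yellow 'Working on updating Token-Signing and Token-Decrypting Certificates......'
      Write-Host
      # Manual rollover is only possible with automatic rollover switched off.
      Set-AdfsProperties -AutoCertificateRollover $false
      $CertTypes = "Token-Signing","Token-Decrypting"
      Foreach ($CertType in $CertTypes) {
        $oldCert = Get-AdfsCertificate -CertificateType $CertType | Where-Object { $_.IsPrimary -eq $true }
        Add-AdfsCertificate -CertificateType $CertType -Thumbprint $NewCert.Thumbprint
        Set-AdfsCertificate -CertificateType $CertType -Thumbprint $NewCert.Thumbprint -IsPrimary
        # Remove the previous certificate only once the new one is confirmed primary, and never
        # when both are the same certificate (script re-run); with errors silenced, removing it
        # unconditionally could leave ADFS without a usable certificate of this type.
        $primaryNow = (Get-AdfsCertificate -CertificateType $CertType | Where-Object { $_.IsPrimary -eq $true }).Thumbprint
        If ($primaryNow -eq $NewCert.Thumbprint -and $oldCert.Thumbprint -and $oldCert.Thumbprint -ne $NewCert.Thumbprint) {
          Remove-AdfsCertificate -CertificateType $CertType -Thumbprint $oldCert.Thumbprint
        } Else {
          Write-Host -ForegroundColor Red "Could not confirm the new $CertType certificate is primary; the previous certificate ($($oldCert.Thumbprint)) was left in place."
        }
      }
      Write-Host
      Write-Host -ForegroundColor Green 'DONE.... updating Token-Signing and Token-Decrypting Certificates.'
      Write-Host
    }

    Function UpdateMSOL {
      # Returns nothing when Connect-MsolService above did not succeed.
      $vMSOL = (Get-MsolCompanyInformation).DisplayName
      If ($vMSOL -ne $null) {
        Write-Host
        Write-Host -ForegroundColor Yellow 'Working on updating Office 365 Federated Domains......'
        Write-Host
        Set-MsolADFSContext -Computer:$env:COMPUTERNAME
        $FEDDomains = (Get-MsolDomain | Where-Object { $_.Authentication -eq "Federated" }).Name
        $FEDDomains | ForEach-Object { Update-MSOLFederatedDomain -DomainName:$_ -SupportMultipleDomain }
        Write-Host
        Write-Host -ForegroundColor Green 'DONE...... Office 365 Federated Domains updated'
        Write-Host
      } else {
        Write-Host
        Write-Host -ForegroundColor Red "The crendtial you supplied for Office 365 was not valid, please update federated domains manually to avoid interuptions in service"
        Write-Host
      }
    }

    Function UpdateExchange {
      Write-Host
      Write-Host -ForegroundColor Magenta 'Run command below on the Exchange environment to update ADFS Certificate thumbprint on Exchnage environment'
      Write-Host
      # The command must be a single quoted string: passed bare, -AdfsSignCertificateThumbprints is
      # parsed as a (non-existent) Write-Host parameter, the error is silenced and nothing is shown.
      Write-Host -ForegroundColor Cyan "Set-OrganizationConfig -AdfsSignCertificateThumbprints $($NewCert.Thumbprint)"
      Write-Host
    }

    #Reset ADFS Services
    Write-Host
    Write-Host -ForegroundColor Yellow 'Working on restarting ADFS Services....'
    Write-Host
    Restart-Service adfssrv -Force
    Write-Host
    # Other farm members are located by AD computer name; this host and empty names are dropped
    # (the previous -replace left an empty element behind instead of removing it).
    $adfsservers = (Get-ADComputer -Filter "Name -like '$AdfsServerNameFilter'").Name |
      Where-Object { $_ -and $_ -ne $env:COMPUTERNAME }
    # NOTE(review): the PFX is imported on this host only; the other servers are merely
    # restarted. Confirm the new certificate is already installed on each of them.
    If ($adfsservers) {
      $adfsservers | ForEach-Object { Invoke-Command -ComputerName $_ -ScriptBlock { Restart-Service adfssrv -Force } }
    } Else {
      Write-Host
      Write-Host -ForegroundColor Magenta "The primary ADFS Server $ENV:Computername has been updated, no other ADFS server found"
      Write-Host
    }
    Write-Host
    Write-Host -ForegroundColor Green 'DONE...... ADFS Server Certificate updated'
    Write-Host

    If ($UpdateMSOL.IsPresent) { UpdateMSOL }
    If ($UpdateExchange.IsPresent) { UpdateExchange }
  } else {
    Write-Host
    Write-Host -ForegroundColor Red "Script aborted Certificate not valid for ADFS use!!!!"
    Write-Host
  }
} else {
  Write-Host
  Write-Host -ForegroundColor Red "Script aborted Certificate not installed correctly on machine!!!!"
  Write-Host
}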