Project Work Hours
Sat & Sun 6am - 9am
Subscribe via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

This is another script in my toolbox, I have tweaked it a little to look pretty and work in other environment.  The script is used to update certificates on the ADFS server and to update the ADFS signing certificate on Office 365 Federated domains. It’s not in any way a perfect script but gets the work done. Download script here

20151025 - AFDSCertUpdate1

 

Video of ADFS script in action;


Syntax:

.\ADFSCertUpdate.ps1 -CertPath .\W12E13-StartSSL.pfx
.\ADFSCertUpdate.ps1 -CertPath .\W12E13-StartSSL.pfx -UpdateSigningandDecrypting
.\ADFSCertUpdate.ps1 -CertPath .\W12E13-StartSSL.pfx -UpdateSigningandDecrypting -UpdateMSOL
.\ADFSCertUpdate.ps1 -CertPath .\W12E13-StartSSL.pfx -UpdateSigningandDecrypting -UpdateMSOL -UpdateExchange

Breakdown of script below

#ADFS Certificate Update
#Hannel Hazeley
#hhazeley@outlook.com
#Version 3.0

 Param(
 [Parameter(Mandatory=$true)]
 $CertPath,
 [Switch]$UpdateSigningandDecrypting,
 [Switch]$UpdateMSOL,
 [Switch]$UpdateExchange
 )

$ErrorActionPreference = "SilentlyContinue"

#Requesting password for PFX file
Write-Host
$Password = Read-Host -Prompt "Enter the password for your .pfx certificate" -AsSecureString
Write-Host

#Importing PFX certificate 
$NewCert = (Import-PfxCertificate –FilePath $CertPath -CertStoreLocation cert:\localMachine\my -Password $Password -Exportable)

$ValidateCert = Get-ChildItem -Path cert:\LocalMachine\my | ? {$_.Thumbprint -eq $NewCert.Thumbprint}
If ($ValidateCert -ne $null)
{

If ($UpdateMSOL.IsPresent)
{
$cred = Get-Credential -UserName $Username -Message "Please enter a Global Admin credential for your O365 Environment."
Connect-MsolService -Credential $cred
}


#Enabling service on newly import certificate
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $NewCert.Thumbprint
Set-AdfsSslCertificate -Thumbprint $NewCert.Thumbprint

$vthumbprint = (Get-AdfsCertificate -CertificateType Service-Communications).thumbprint
If ($vthumbprint -eq $NewCert.Thumbprint)
{

If ($UpdateSigningandDecrypting.IsPresent)
{
Write-Host
Write-Host -ForegroundColor Yellow 'Working on updating Token-Signing and Token-Decrypting Certificates......'
Write-Host
Set-AdfsProperties -AutoCertificateRollover $false
$CertTypes = "Token-Signing","Token-Decrypting"
Foreach ($CertType in $CertTypes)
{
$oldCert = (Get-AdfsCertificate -CertificateType $CertType| ? {$_.Isprimary -eq $true})
Add-AdfsCertificate -CertificateType $CertType -Thumbprint $NewCert.Thumbprint
Set-AdfsCertificate -CertificateType $CertType -Thumbprint $NewCert.Thumbprint -IsPrimary
Remove-AdfsCertificate -CertificateType $CertType -Thumbprint $oldCert.Thumbprint 
}
Write-Host
Write-Host -ForegroundColor Green 'DONE.... updating Token-Signing and Token-Decrypting Certificates.'
Write-Host
}


Function UpdateMSOL
{
$vMSOL = (Get-MsolCompanyInformation).displayname
If ($vMSOL -ne $null)
{
Write-Host
Write-Host -ForegroundColor Yellow 'Working on updating Office 365 Federated Domains......'
Write-Host
Set-MsolADFSContext -Computer:$env:COMPUTERNAME
$FEDDomains = (Get-MsolDomain | ? {$_.Authentication -eq "Federated"}).name
$FEDDomains | % {Update-MSOLFederatedDomain –DomainName:$_ –supportmultipledomain}
Write-Host
Write-Host -ForegroundColor Green 'DONE...... Office 365 Federated Domains updated'
Write-Host
}
else
{
Write-Host
Write-Host -ForegroundColor Red "The crendtial you supplied for Office 365 was not valid, please update federated domains manually to avoid interuptions in service"
Write-Host
}

}

Function UpdateExchange
{
Write-Host
Write-Host -ForegroundColor Magenta 'Run command below on the Exchange environment to update ADFS Certificate thumbprint on Exchnage environment'
Write-Host
Write-Host -ForegroundColor Cyan Set-OrganizationConfig -AdfsSignCertificateThumbprints $NewCert.Thumbprint
Write-Host
}

#Reset ADFS Services
Write-Host
Write-Host -ForegroundColor Yellow 'Working on restarting ADFS Services....'
Write-Host
Restart-Service adfssrv -Force
Wrire-host
$adfsservers = (Get-ADComputer -Filter {Name -like "001-ev1ad*"}).name
$adfsservers = $adfsservers -replace "$ENV:Computername", "$null"
If ($adfsservers -ne "$null")
{
$adfsservers | % {Invoke-Command -ComputerName $_ -ScriptBlock {Restart-Service adfssrv -Force}}
}
Else
{
Write-Host
Write-host -ForegroundColor Magenta "The primary ADFS Server $ENV:Computername has been updated, no other ADFS server found"
Write-Host
}
Write-Host
Write-Host -ForegroundColor Green 'DONE...... ADFS Server Certificate updated'
Write-Host


If($UpdateMSOL.IsPresent)
{
UpdateMSOL
}

If($UpdateExchange.IsPresent)
{
UpdateExchange
}

}
else
{
Write-Host
Write-Host -ForegroundColor Red "Script aborted Certificate not valid for ADFS use!!!!"
Write-Host
}
}
else
{
Write-Host
Write-Host -ForegroundColor Red "Script aborted Certificate not installed correctly on machine!!!!"
Write-Host
}