AD FS Certificates

All AD FS services should use a publicly trusted certificate, because we use AD FS to federate with external third-party services, and devices outside our local network must be able to reach it to sign in to those services.

This means we have to publish our AD FS service to the external network, and for external clients and partners to trust its TLS endpoint we use public certificates.

I recommend using the public certificate not only for service communications, but also for token signing and token decrypting.

From a security perspective it makes little difference which you choose. Relying parties trust the token-signing and token-decrypting certificates by the public key published in the federation metadata (or imported manually), not by validating a CA chain, so a publicly trusted certificate adds no trust that the self-signed certificates created when AD FS is installed and configured lack. In both cases the security rests on the private key held by the AD FS service account, and it must be protected the same way.

The self-signed certificates are renewed by the AD FS service through AutoCertificateRollover (by default they are valid for one year, set by the CertificateDuration property), but third-party services such as Office 365 will still warn global administrators that the token-signing certificate is about to expire. Unnecessary and annoying if you always get this when using the service.

Therefore I tend to use the public certificate for token signing and decrypting, so that they expire at the same time as the service communications certificate.

Fewer changes, since we tend to buy public certificates lasting longer than one year. Two caveats: once AutoCertificateRollover is disabled, every renewal of the public certificate becomes a manual change on AD FS and on each relying party that trusts the token-signing certificate; and whoever holds the token-signing private key can mint tokens for any user at every relying party, so if the same key pair also terminates the externally exposed TLS endpoint, a TLS key compromise is also a token-forging compromise. Note also that publicly trusted TLS certificates have been limited to a maximum of 398 days of validity since 2020, which removes most of the "longer than one year" advantage for new certificates.
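The procedure described above, as an added example that is not part of the original post. It uses the AD FS PowerShell cmdlets on the primary AD FS server; the thumbprint is a placeholder and assumes the public certificate has already been imported, with its private key, into LocalMachine\My on every server in the farm:

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session
# on the primary AD FS server. The thumbprint is a placeholder: replace it with the
# thumbprint of the public certificate already imported (with its private key) into
# LocalMachine\My on every AD FS server, with read access on the private key granted
# to the AD FS service account.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'

# Sanity check: the certificate must exist and carry a private key on this server.
$cert = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key on this server."
}

# Stop AD FS from generating and rolling its own self-signed certificates; otherwise
# it will replace the certificates set below at the next scheduled rollover.
Set-AdfsProperties -AutoCertificateRollover $false

# Service communications (WS-Trust, metadata and other endpoints) use the public cert.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint

# On Windows Server 2016 and later the HTTPS binding is managed separately
# (on 2012 R2 the binding is changed with netsh instead).
Set-AdfsSslCertificate -Thumbprint $Thumbprint

# Token signing and decrypting: add the certificate, then promote it to primary.
# The previous (self-signed) certificate stays as secondary, so tokens signed with it
# remain verifiable while relying parties pick up the new public key.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Add-AdfsCertificate -CertificateType $type -Thumbprint $Thumbprint
    Set-AdfsCertificate -CertificateType $type -Thumbprint $Thumbprint -IsPrimary
}

Restart-Service adfssrv

# Verify: all three roles now share one expiry date; DaysLeft flags anything close
# to expiring (the warning Office 365 raises is about the token-signing certificate).
Get-AdfsCertificate |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } },
        @{ Name = 'DaysLeft'; Expression = { [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays } } |
    Sort-Object CertificateType, IsPrimary |
    Format-Table -AutoSize
```

After the new token-signing certificate is primary, every relying party has to be given the new public key before the old secondary is removed with Remove-AdfsCertificate; for Office 365 this has historically been Update-MsolFederatedDomain from the MSOnline module, so check the current Microsoft guidance for your tenant. The same steps have to be repeated each time the public certificate is renewed, since automatic rollover is now off.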


I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. Main focus on Microsoft Security and Endpoint Management, with the bigger picture in mind.
