An often forgotten process (and then it's too late!)
Certificates: they used to be just a piece of paper you were proud to receive, held up for a picture, and then tossed in a drawer and forgot all about! I even got one for participation!
In today's world, the concept of certificates has evolved into cryptographic keys that control authentication and trust relationships in the digital world of your organization. Losing your certificates, re-keying them or, worse, accidentally deleting them could be devastating to your business. Knowing how to manage and maintain them efficiently is a major operational task that needs to be closely monitored and managed within a quality, repeatable process. More importantly, you need a clear operational procedure for bringing everything back up, should the unthinkable happen!
This is a topic near and dear to our hearts, as we recently had a personal experience in which one of our partner organizations inadvertently re-keyed a wildcard certificate at a client site, resulting in a mad scramble to resolve the outages. Thank goodness the right team was on the task, restoring services as quickly as possible. This 'near death' experience prompted us to write this blog and share with all of you this guidance on how it's done in Office 365.
Cloud-based Office 365 deployments don't rely on a public SSL certificate; however, when identity is federated with AD FS, a public SSL certificate must be deployed and properly maintained to avoid service interruption.
To renew, or if you accidentally rekey, your dedicated or shared Office 365 certificate (as happened to one of our clients recently), follow the steps below to quickly and efficiently reset and recover your certificate-based, AD FS-authenticated Office 365 services:
1. Obtain the new or rekeyed certificate
a. Request a new public SSL certificate using IIS or Exchange, and process or rekey the public SSL certificate through your CA provider
b. Ensure you have a managed process in place for getting your certificates re-issued (a re-key request can sometimes be fraudulent)
2. Install the new certificate on all AD FS servers
a. Import the new certificate into the Local Machine store on each AD FS and Web Application Proxy server using the Windows Certificates MMC snap-in
b. On the primary AD FS server, use the following cmdlet to install the new SSL certificate:
Set-AdfsSslCertificate -Thumbprint '<thumbprint of new cert>'
3. Install the new certificate on all WAP servers
a. On each WAP server, use the following cmdlet to install the new SSL certificate:
Set-WebApplicationProxySslCertificate -Thumbprint '<thumbprint of new cert>'
4. Reset Office 365 federation for each federated domain
a. Connect to Office 365 PowerShell from the primary AD FS server:
Connect-MsolService -Credential $cred
b. Set the MSOL AD FS context server to the primary AD FS server:
Set-MsolADFSContext -Computer '<primary_adfs_servername.FQDN>'
c. Reset the federated domain:
Update-MsolFederatedDomain -DomainName '<Federated Domain Name>' -SupportMultipleDomain
Updating Office 365 federation resets the Office 365 AD FS claims and re-enables Office 365 SSO (Single Sign-On) services.
As a certificate best practice, delete old or legacy certificates that are no longer in use, and avoid global wildcard certificates, which can have a much wider impact when something goes wrong.
We would love to have a conversation with you about your certificate maintenance methodology; feel free to drop us a line at firstname.lastname@example.org.
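The four steps above as one PowerShell script, added here as an example rather than taken from the original post or from vendor documentation. It assumes the script runs on the primary AD FS server under an account that is a local administrator on every AD FS and WAP node and an Office 365 global admin, that the ADFS, PKI and MSOnline modules are available, and that PowerShell 5.0+ remoting reaches the other nodes; all server names and paths are placeholders.

```powershell
# Added example (not from the original post). Assumptions: runs on the primary AD FS
# server as a local admin on every AD FS/WAP node and an Office 365 global admin;
# ADFS, PKI and MSOnline modules present; PS 5+ remoting. Names/paths are placeholders.
$PfxPath     = 'C:\certs\sts-new.pfx'           # new or re-keyed public SSL certificate
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$AdfsPrimary = 'adfs01.corp.example.com'
$OtherAdfs   = @('adfs02.corp.example.com')
$WapServers  = @('wap01.corp.example.com', 'wap02.corp.example.com')
$RemotePfx   = 'C:\Windows\Temp\sts-new.pfx'

# Step 1 sanity check: inspect the certificate before touching any server.
$new = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
           -CertStoreLocation 'Cert:\LocalMachine\My'
"New cert: $($new.Subject)  thumbprint $($new.Thumbprint)  expires $($new.NotAfter)"
if ($new.NotAfter -lt (Get-Date).AddDays(30)) { throw 'Certificate expires within 30 days; stop.' }

# Steps 2a and 3: copy the PFX over the remoting session (a UNC path would hit the
# double-hop problem) and import it into the Local Machine store on every other node.
foreach ($server in $OtherAdfs + $WapServers) {
    $session = New-PSSession -ComputerName $server
    Copy-Item -Path $PfxPath -Destination $RemotePfx -ToSession $session
    $remote = Invoke-Command -Session $session -ArgumentList $RemotePfx, $PfxPassword -ScriptBlock {
        param($Path, $Password)
        $c = Import-PfxCertificate -FilePath $Path -Password $Password -CertStoreLocation 'Cert:\LocalMachine\My'
        Remove-Item -Path $Path -Force       # do not leave the private key in Temp
        $c.Thumbprint
    }
    Remove-PSSession $session
    if ($remote -ne $new.Thumbprint) { throw "Thumbprint mismatch on ${server}: $remote" }
}

# Step 2b: bind the new certificate on the primary AD FS server and verify the bindings.
Set-AdfsSslCertificate -Thumbprint $new.Thumbprint
Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $new.Thumbprint } |
    ForEach-Object { Write-Warning "$($_.HostName):$($_.PortNumber) still bound to $($_.CertificateHash)" }

# Step 3: bind the new certificate on the Web Application Proxy servers.
Invoke-Command -ComputerName $WapServers -ArgumentList $new.Thumbprint -ScriptBlock {
    param($Thumbprint) Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint
}

# Step 4: reset federation for every federated domain, then read the settings back.
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 global administrator')
Set-MsolADFSContext -Computer $AdfsPrimary
foreach ($domain in (Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' })) {
    Update-MsolFederatedDomain -DomainName $domain.Name -SupportMultipleDomain
    $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name
    "$($domain.Name): issuer $($fed.IssuerUri)  passive logon $($fed.PassiveLogOnUri)"
}
```

The thumbprint comparison after each remote import, and the binding check after Set-AdfsSslCertificate, are what catch a stale or mismatched certificate before users do.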