Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Script that will check if the Signing certificate is updated on ADFS and update SharePoint SPTrustedIdentityTokenIssuer
<#
.Synopsis
Update ADFS Signing Certificate
.DESCRIPTION
This script will check if the ADFS signing certificate is different from the one known in SharePoint and update it
.EXAMPLE
.\Update-ADFSSigningCert.ps1 -FSUrl fs.arjancornelissen.nl -StsName prodfs
.EXAMPLE
.\Update-ADFSSigningCert.ps1 -FSUrl fs.arjancornelissen.nl -StsName prodfs -DryRun
This will run the script but does not apply anything
#>
param(
[Parameter(Mandatory=$true)]
$FSUrl,
[Parameter(Mandatory=$true)]
$StsName,
[switch] $DryRun
)
#Load module SharePoint
asnp *sh*
$metadataUrl = "https://$FSUrl/federationmetadata/2007-06/federationmetadata.xml"
try
{
[xml]$metadataDoc = (Invoke-WebRequest $metadataUrl).Content
}
catch
{
Write-Error "There was an error downloading the metadata: $($_)"
return
}
$adfsSTS = Get-SPTrustedIdentityTokenIssuer $StsName -ErrorAction SilentlyContinue -ErrorVariable "myErrors"
if ($myErrors -ne $null)
{
$msg = $myErrors[0].Exception.Message
Write-Error "Could not get the ADFS STS in SharePoint: $msg"
return
}
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$enc = [System.Text.Encoding]::UTF8
$sts = $metadataDoc.EntityDescriptor.RoleDescriptor| where {$_.type -eq "fed:SecurityTokenServiceType"}
# How many signing certs?
$signCount = ($sts.KeyDescriptor| ? {$_.use -eq "signing"}|measure).count
if ($signCount -eq 1)
{
$certB64 = $sts.KeyDescriptor.KeyInfo.X509Data.X509Certificate
$newCert.Import($enc.GetBytes($certB64))
Write-Host "Only one ADFS Signing cert:" $newCert.Subject
}
else
{
$certB64 = $sts.KeyDescriptor[0].KeyInfo.X509Data.X509Certificate
$certB64 = $metadataDoc.EntityDescriptor.Signature.KeyInfo.X509Data.X509Certificate
$newCert.Import($enc.GetBytes($certB64))
Write-Host "Primary ADFS Signing cert:" $newCert.Subject
}
if ($newCert.Thumbprint -ne $null -and -not $adfsSTS.SigningCertificate.Equals($newCert))
{
# Do we need to add the new cert as CA in SharePoint?
if ((Get-SPTrustedRootAuthority | ? {$_.Certificate.Thumbprint -eq $newCert.Thumbprint}) -eq $null)
{
Write-Host "Adding the ADFS cert" $newCert.Subject "to the SharePoint trust store"
If ($DryRun)
{
Write-Warning "DryRun: not adding the certificate"
}
Else
{
New-SPTrustedRootAuthority -Name $newCert.Subject -Certificate $newCert
}
}
else
{
Write-Warning "NOT adding the ADFS cert $($newCert.Subject) to the SharePoint trust store because it is already there"
}
# Set the cert in the STS
Write-Host "Setting the certificate in the ADFS STS"
If ($DryRun)
{
Write-Warning "DryRun: not changing the certificate in the STS"
}
Else
{
$adfsSTS | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $newCert
}
}
else
{
Write-Warning "The ADFS primary certificate is already the same as in the SharePoint ADFS STS"
}
# Example
# UpdateADFSMetadata -FSUrl "fs.test.local" -StsName "ADFS" -DryRun
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.