/Update-ADFSSigningCert.ps1
Created Sep 11, 2016
Script that will check if the Signing certificate is updated on ADFS and update SharePoint SPTrustedIdentityTokenIssuer
| <# | |
| .Synopsis | |
| Update ADFS Signing Certificate | |
| .DESCRIPTION | |
| This script will check if the ADFS signing certificate is different from the one known in SharePoint and update it | |
| .EXAMPLE | |
| .\Update-ADFSSigningCert.ps1 -FSUrl fs.arjancornelissen.nl -StsName prodfs | |
| .EXAMPLE | |
| .\Update-ADFSSigningCert.ps1 -FSUrl fs.arjancornelissen.nl -StsName prodfs -DryRun | |
| This will run the script but does not apply anything | |
| #> | |
| param( | |
| [Parameter(Mandatory=$true)] | |
| $FSUrl, | |
| [Parameter(Mandatory=$true)] | |
| $StsName, | |
| [switch] $DryRun | |
| ) | |
| #Load module SharePoint | |
| asnp *sh* | |
| $metadataUrl = "https://$FSUrl/federationmetadata/2007-06/federationmetadata.xml" | |
| try | |
| { | |
| [xml]$metadataDoc = (Invoke-WebRequest $metadataUrl).Content | |
| } | |
| catch | |
| { | |
| Write-Error "There was an error downloading the metadata: $($_)" | |
| return | |
| } | |
| $adfsSTS = Get-SPTrustedIdentityTokenIssuer $StsName -ErrorAction SilentlyContinue -ErrorVariable "myErrors" | |
| if ($myErrors -ne $null) | |
| { | |
| $msg = $myErrors[0].Exception.Message | |
| Write-Error "Could not get the ADFS STS in SharePoint: $msg" | |
| return | |
| } | |
| $newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 | |
| $enc = [System.Text.Encoding]::UTF8 | |
| $sts = $metadataDoc.EntityDescriptor.RoleDescriptor| where {$_.type -eq "fed:SecurityTokenServiceType"} | |
| # How many signing certs? | |
| $signCount = ($sts.KeyDescriptor| ? {$_.use -eq "signing"}|measure).count | |
| if ($signCount -eq 1) | |
| { | |
| $certB64 = $sts.KeyDescriptor.KeyInfo.X509Data.X509Certificate | |
| $newCert.Import($enc.GetBytes($certB64)) | |
| Write-Host "Only one ADFS Signing cert:" $newCert.Subject | |
| } | |
| else | |
| { | |
| $certB64 = $sts.KeyDescriptor[0].KeyInfo.X509Data.X509Certificate | |
| $certB64 = $metadataDoc.EntityDescriptor.Signature.KeyInfo.X509Data.X509Certificate | |
| $newCert.Import($enc.GetBytes($certB64)) | |
| Write-Host "Primary ADFS Signing cert:" $newCert.Subject | |
| } | |
| if ($newCert.Thumbprint -ne $null -and -not $adfsSTS.SigningCertificate.Equals($newCert)) | |
| { | |
| # Do we need to add the new cert as CA in SharePoint? | |
| if ((Get-SPTrustedRootAuthority | ? {$_.Certificate.Thumbprint -eq $newCert.Thumbprint}) -eq $null) | |
| { | |
| Write-Host "Adding the ADFS cert" $newCert.Subject "to the SharePoint trust store" | |
| If ($DryRun) | |
| { | |
| Write-Warning "DryRun: not adding the certificate" | |
| } | |
| Else | |
| { | |
| New-SPTrustedRootAuthority -Name $newCert.Subject -Certificate $newCert | |
| } | |
| } | |
| else | |
| { | |
| Write-Warning "NOT adding the ADFS cert $($newCert.Subject) to the SharePoint trust store because it is already there" | |
| } | |
| # Set the cert in the STS | |
| Write-Host "Setting the certificate in the ADFS STS" | |
| If ($DryRun) | |
| { | |
| Write-Warning "DryRun: not changing the certificate in the STS" | |
| } | |
| Else | |
| { | |
| $adfsSTS | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $newCert | |
| } | |
| } | |
| else | |
| { | |
| Write-Warning "The ADFS primary certificate is already the same as in the SharePoint ADFS STS" | |
| } | |
| # Example | |
| # UpdateADFSMetadata -FSUrl "fs.test.local" -StsName "ADFS" -DryRun |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment