Certifytheweb on ADFS server

Hi,
I’ve used Certifytheweb on several IIS webservers and it works great. Now I’d like to use it on my ADFS server. It’s still running on a Windows Server 2012 R2 so ADFS is not based on IIS. Still I’ve installed IIS on this machine, so I could use Certifytheweb and get a new SSL certificate installed in IIS.
However that’s not the end of the procedure since it also requires the configuration of the certificate in ADFS itself via Powershell. You need to find the thumbprint of the new certificate and then run the following command : Set-AdfsSslCertificate -Thumbprint xxxxx…

I’d like to automate these last steps so that the renewal procedure becomes completely automated, starting with Certifytheweb requesting a new certificate on expiry, and a running a script that finds the thumbprint and setting it in adfs.

Let me know if you know how to accomplish this ?

Thanks

Hi, we do support Scripting (Show Advanced Options > Scripting) using powershell, more about that here: https://docs.certifytheweb.com/docs/script-hooks.html

By default we pass in a parameter to your script which is an object containing useful information like the certificate path, thumbprint etc. So it sounds like you would need:

param($result)   

# set certificate thumbprint for Adfs
Set-AdfsSslCertificate -Thumbprint $result.ManagedItem.CertificateThumbprintHash

You don’t strictly need IIS installed as Certify The Web has a built in http-challenge server which will temporarily bind to port 80 listening for /.well-known/acme-challenge/ requests during validation.

Hi Christopher,
Thanks for the reply. Setting up a PowerShell script likely make it work.
However I came across another challenge with ADFS server : it intercepts all http and https requests to the ADFS logon page that we put it place. So the Certifytheweb client cannot validate by using http, because it cannot connect to the IIS default website where the challenge file is created. Also the built in http-challenge server doesn’t help to correct the problem either : all validation request get redirected to ADFS.
Do you know how to make this work ?
Thanks
Joeri

Hi Joeri,

Sorry I don’t really know anything about ADFS or how it is configured.

As you say the built in http challenge server should solve the problem without needing IIS, unless it’s prevented from doing so (i.e. something else that doesn’t use http.sys like apache or nginx is consuming port 80, or ADFS has it’s own http listener that is consuming all requests).

If it’s too difficult to get http validation working you can switch to DNS validation (under Authorization), ither using a supported DNS API or by scripting the API updates yourself (https://docs.certifytheweb.com/docs/dns-scripting.html)

Hi

I finally got it working by using the following script :

param($result)

set certificate thumbprint for Adfs

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $result.ManagedItem.CertificateThumbprintHash
Set-AdfsSslCertificate -Thumbprint $result.ManagedItem.CertificateThumbprintHash
Restart-Service adfssrv

However the Set-AdfsCertificate command is not executed. When I run it manually it works. Any insight why it is not running this command ?

Thanks
Joeri

When the script runs it will run as Local System ( the background service user) so that may(?) be affecting the ability to run the Adfs command, the other possibility is that you may need your script to import a module before running the command. You mentioned that the command is not executed, but presumably you don’t get an error which implies that it is getting executed but it’s not doing anything (or you have to restart the server for it to take effect?).

I had another look at this problem and in the CertifyTheWeb logs there is following message : Set-AdfsCertificate: The specified directory service attribute or value does not exist.
However when I run the command manually it works. I found other similar scripts on Google that use the same commands to change the adfs certificate. No import modules or Add-PSSnapIn is used in those scripts, so that confirms that I haven’t forgotten anything to include.
So it must be that is runs with Local System, which doesn’t seem to have the ability to run Set-AdfsCertificate. I’m quite new to PowerShell so can you tell me how I can run this script with local admin rights ?
Thanks