Summary of the steps to configure a new CA on FAS:
1. Make sure the new CA is a Microsoft Enterprise CA; FAS requires an Enterprise CA to issue certificates. Multiple CA servers can be configured in FAS if needed.
2. Run the following PowerShell commands on the FAS server to confirm that it can locate the new CA (the CA must be published in Active Directory and reachable over RPC/DCOM):
asnp Citrix*
Get-FasMsCertificateAuthority
3. Check the User rules section of the FAS console and note the existing rule and certificate definition configuration so it can be reproduced, or restored if the change has to be backed out.
4. Once confirmed, use the FAS console to run the following actions one by one against the new CA:
Deploy certificate templates
Set up certificate authorities
Authorize this service
Configure user rules [see https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/federated-authentication-service.html#configure-user-rules]
Authorize this service requests a new registration authority (RA) certificate from the new CA. The RA certificate is what allows the FAS server to issue logon certificates for users, so every FAS server must be re-authorized against the new CA and the request must be approved by a CA administrator.
5. Once done, run the following PowerShell command to remove cached user certificates from the FAS server. The cached certificates were issued by the old CA; clearing them makes the next logon request a certificate from the new CA.
Remove-FasUserCertificate -Address "<FAS server FQDN>"
Detailed steps:
To change the Certificate Authority (CA) used by a Federated Authentication Service (FAS) deployment, for example one with two FAS servers, follow these steps:
Procedure to Change CA on FAS Server
1) Verify CA Requirements:
Ensure that the new CA is a Microsoft Enterprise CA, as FAS requires this type to generate certificates. You can use multiple CA servers if needed.
2) Check Current CA Configuration:
Use PowerShell on the FAS server to list the CAs it can locate:
asnp Citrix*
Get-FasMsCertificateAuthority
This lists the Enterprise CAs published in Active Directory that the FAS server can reach; the new CA must appear here before you continue. The CA actually in use is recorded in the certificate definition shown under User rules in the FAS console; note it before making changes.
3) Prepare the New CA:
Ensure that the new CA is set up correctly and publishes the certificate templates FAS needs, such as Citrix_SmartcardLogon and the Citrix_RegistrationAuthority templates (the Deploy certificate templates and Set up certificate authorities actions in the FAS console do this for the selected CA). Domain controllers and VDAs must also trust the new CA's certificate chain, and the CA must be present in the NTAuth store (Enterprise CAs are added automatically); otherwise logon with certificates from the new CA fails even though FAS issues them.
4) Deauthorize the First FAS Server:
Place the first FAS server into maintenance mode so StoreFront stops sending logons to it while it has no usable RA certificate:
Set-FasServer -Address "<FAS_Server_1_FQDN>" -MaintenanceMode $true
Note the Id of the existing authorization (RA) certificate from Get-FasAuthorizationCertificate, then remove it (the cmdlet requires the Id):
Remove-FasAuthorizationCertificate -Id "<existing_authorization_certificate_GUID>" -Address "<FAS_Server_1_FQDN>"
5) Authorize Against the New CA:
From PowerShell (the equivalent of Authorize this service in the FAS console), request a new RA certificate from the new CA, giving the CA in the host\name form printed by Get-FasMsCertificateAuthority:
New-FasAuthorizationCertificate -CertificateAuthority "<CA_Server_FQDN>\<CA_Name>" -CertificateTemplate Citrix_RegistrationAuthority_ManualAuthorization -Address "<FAS_Server_1_FQDN>"
The request is held as pending on the CA until a CA administrator approves it (Certification Authority console, Pending Requests). This approval step is the control that prevents an arbitrary domain host from authorizing itself as a registration authority, so do not bypass it. Once issued, note the GUID of the new authorization certificate:
Get-FasAuthorizationCertificate -Address "<FAS_Server_1_FQDN>"
6) Configure the New CA:
In the FAS console, work through the actions in order:
Deploy the necessary certificate templates to the new CA.
Set up the new certificate authority.
Authorize the Federated Authentication Service to use the new CA (already done if you completed step 5 in PowerShell), then confirm under User rules that the certificate definition names the new CA and the new authorization certificate.
7) Remove Cached Certificates:
User certificates cached on the FAS server were issued by the old CA and remain usable until they expire. Clear them so the next logon is issued by the new CA:
Remove-FasUserCertificate -Address "<FAS_Server_1_FQDN>"
8) Repeat for the Second FAS Server:
Once the first server has been tested (see below) and returned to service, place the second FAS server into maintenance mode:
Set-FasServer -Address "<FAS_Server_2_FQDN>" -MaintenanceMode $true
Repeat the deauthorization, authorization, configuration and cache-clearing steps for the second server.
Testing:
StoreFront does not send logons to a FAS server in maintenance mode, so test each server as you return it to service rather than leaving both in maintenance at the same time (which would be an outage). For each server: take it out of maintenance mode, perform a test user logon through StoreFront, confirm the user certificate appears under Issued Certificates on the new CA and not on the old one, and check the Windows Application log on the FAS server for issuance errors.
9) Take Servers Out of Maintenance Mode:
Once each server has been reconfigured and tested, return it to service:
Set-FasServer -Address "<FAS_Server_1_FQDN>" -MaintenanceMode $false
Set-FasServer -Address "<FAS_Server_2_FQDN>" -MaintenanceMode $false
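The procedure above for one server, written out as an added PowerShell example for this article (it is not part of the original page and not Citrix's own tooling). It assumes the FAS snap-in is installed on the machine where it runs, that fas1.example.com and ca2.example.com\Example-Issuing-CA-2 are placeholders for your FAS server and your new CA (in the host\name form that Get-FasMsCertificateAuthority prints), and that the backup path exists. It deliberately differs from the step order above in one respect: it requests the new RA certificate before removing the old one, so the server never sits with no RA certificate at all. Run it once per FAS server, testing and returning each server to service before starting the next.

```powershell
# Added example for this article; not Citrix's own tooling. Re-points ONE FAS
# server at a new Enterprise CA. Host names, the CA name and the backup path are
# assumed placeholders; substitute your own. Run in an elevated PowerShell session
# where the FAS snap-in is installed (normally the FAS server itself).
Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1

$Fas   = 'fas1.example.com'                      # assumed FAS server FQDN
$NewCa = 'ca2.example.com\Example-Issuing-CA-2'  # assumed "<CA host>\<CA common name>"
$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Confirm FAS can locate the new CA (published in AD and reachable over RPC/DCOM).
$ca = Get-FasMsCertificateAuthority -Address $Fas | Where-Object { $_.Address -eq $NewCa }
if (-not $ca) {
    throw "FAS server $Fas cannot locate CA '$NewCa'. Check AD publication and TCP 135 / RPC access."
}

# 2. Record the current RA certificate(s), certificate definitions and rules before changing anything,
#    so the previous configuration can be compared against or restored.
$oldAuth = @(Get-FasAuthorizationCertificate -Address $Fas)
$defs    = @(Get-FasCertificateDefinition   -Address $Fas)
$oldAuth + $defs + @(Get-FasRule -Address $Fas) | Export-Clixml -Path "$env:TEMP\fas-before-$Stamp.xml"

# 3. Maintenance mode: StoreFront stops sending logons here while the RA certificate is replaced.
Set-FasServer -Address $Fas -MaintenanceMode $true

# 4. Request a new RA certificate from the new CA BEFORE removing the old one.
#    The ManualAuthorization template leaves the request pending until a CA administrator
#    approves it (Certification Authority console > Pending Requests). That approval is the
#    control that stops an arbitrary domain host from making itself a registration authority.
$newAuth = New-FasAuthorizationCertificate -Address $Fas -CertificateAuthority $NewCa `
               -CertificateTemplate 'Citrix_RegistrationAuthority_ManualAuthorization'
Write-Host "Approve the pending RA request for $($newAuth.Id) on $NewCa."
Read-Host  'Press Enter once the CA administrator has issued the request'
Get-FasAuthorizationCertificate -Address $Fas -Id $newAuth.Id | Format-List   # should no longer be pending

# 5. Point every certificate definition at the new CA and the new RA certificate.
foreach ($d in $defs) {
    Set-FasCertificateDefinition -Address $Fas -Name $d.Name `
        -CertificateAuthorities @($NewCa) -AuthorizationCertificate $newAuth.Id
}

# 6. Remove the old RA certificate(s) from FAS. Also check the OLD CA's Issued Certificates and
#    revoke them there if still valid: an RA certificate can request logon certificates for users.
foreach ($a in $oldAuth) {
    Remove-FasAuthorizationCertificate -Address $Fas -Id $a.Id
}

# 7. Cached user certificates were issued by the old CA; drop them so the next logon gets a
#    certificate from the new CA.
Remove-FasUserCertificate -Address $Fas

# 8. Verify the result before returning the server to service.
Get-FasCertificateDefinition -Address $Fas |
    Select-Object Name, CertificateAuthorities, AuthorizationCertificate
Get-FasAuthorizationCertificate -Address $Fas | Format-List
"Cached user certificates: $((Get-FasUserCertificate -Address $Fas | Measure-Object).Count)"

# 9. Back into service. Then do a test logon through StoreFront and confirm the user certificate
#    appears under Issued Certificates on the new CA, not the old one.
Set-FasServer -Address $Fas -MaintenanceMode $false
```

The Export-Clixml snapshot in step 2 is what you would use to answer "what did the certificate definition point at before the change" if logons break afterwards; keep it with the change record rather than deleting it once the migration succeeds.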
Important considerations when changing the CA server on FAS:
FAS communicates with the CA over DCOM/RPC, so TCP 135 (the RPC endpoint mapper) and the dynamic RPC port range must be open from each FAS server to the new CA.
The old RA certificate remains a credential that can request logon certificates for users until it expires or is revoked. After the switch, check the old CA's Issued Certificates list and revoke the old RA certificate if it is still valid there, rather than only deleting it from the FAS server.
Monitor the FAS servers for errors during certificate issuance after the change, and confirm that new user certificates are being issued by the new CA.