Change Token Signing Certificate Expiration Date


Article ID: CTX226250


Description

When using AD FS 3.0, the Token-Signing Certificate generated during setup is a self-signed certificate. By default, the Token-Signing Certificate expires 1 year after it is created, and AD FS automatically rolls it over 2 weeks before expiration unless certificate roll-over is disabled. Each roll-over produces a new certificate that relying parties such as ShareFile do not trust until they are updated with it.

The following steps set the Token-Signing Certificate to expire less often and disable certificate roll-over.


Instructions

1. On the AD FS server, open PowerShell.
 
2. Use the following commands to update the AD FS configuration with the new certificate settings and generate new certificates. This creates new Token-Signing and Token-Decrypting certificates, so you will need to update ShareFile's X.509 certificate afterwards.

  1. Set-AdfsProperties -CertificateDuration (number of days) *Sets new certificates to expire in that many days (Example: "Set-AdfsProperties -CertificateDuration 1095" for 3 years)

  2. Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent *Recreates the Token-Decrypting Certificate and makes it primary immediately

  3. Update-AdfsCertificate -CertificateType Token-Signing -Urgent *Recreates the Token-Signing Certificate and makes it primary immediately

  4. Set-AdfsProperties -AutoCertificateRollover $false *Disables certificate roll-over (run this last; the Update-AdfsCertificate commands above need roll-over to still be enabled)


3. Open AD FS Management and verify that the certificates have changed and that the new expiration date is what you set.


4. Export the Token-Signing Certificate (public part only, no private key) and upload it to ShareFile as the X.509 certificate. (https://citrix.sharefile.com/d/sa874646cf7042e29 Pages 10-18)
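The same procedure as a single script that also verifies the result rather than relying on the GUI, and exports the public certificate for step 4. This is an added example, not part of the Citrix article; the duration value and the export path are assumptions you should adjust.

```powershell
# Added example (not from the Citrix article): runs the article's steps on the AD FS
# server, verifies the outcome, then exports the public Token-Signing certificate.
# Assumptions: elevated PowerShell on the AD FS server, AD FS 3.0 cmdlets available,
# $ExportPath is a placeholder.
param(
    [int]$DurationDays = 1095,                              # 3 years, the article's example
    [string]$ExportPath = "C:\Temp\adfs-token-signing.cer"  # placeholder output path
)

Import-Module ADFS -ErrorAction Stop

# Step 2.1: certificates generated from now on are valid for $DurationDays days.
Set-AdfsProperties -CertificateDuration $DurationDays

# Steps 2.2 and 2.3: regenerate both certificates now. -Urgent promotes the new
# certificate to primary immediately instead of waiting for the promotion delay.
Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
Update-AdfsCertificate -CertificateType Token-Signing -Urgent

# Step 2.4: stop AD FS from silently rolling the certificates over again later.
Set-AdfsProperties -AutoCertificateRollover $false

# Step 3: verify. Roll-over must be off and the primary Token-Signing certificate
# should expire about $DurationDays from today.
$props = Get-AdfsProperties
if ($props.AutoCertificateRollover) { throw "AutoCertificateRollover is still enabled" }

$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$x509 = $signing.Certificate
$expected = (Get-Date).AddDays($DurationDays)
if ([math]::Abs(($x509.NotAfter - $expected).TotalDays) -gt 2) {
    throw "Primary Token-Signing certificate expires $($x509.NotAfter); expected about $expected"
}
"Primary Token-Signing thumbprint: $($x509.Thumbprint)  NotAfter: $($x509.NotAfter)"

# Step 4: export only the public certificate (DER .cer, no private key) for upload
# to ShareFile as its X.509 certificate.
$der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($ExportPath, $der)
"Exported public certificate to $ExportPath"
```

Record the printed thumbprint and NotAfter date so the next expiration can be tracked, since AD FS will no longer renew the certificate on its own.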