There are some preambles we should discuss:

- Service Communications - This SSL cert is used to encrypt all client connectivity to the AD FS server.
- Token-Signing - This x.509 cert is used to sign the token sent to the relying party to prove that it indeed came from AD FS.
- Token-Decrypting - This x.509 cert is used to encrypt the payload of a SAML token before it is encrypted again at the SSL transport layer. It is rarely used.

For this post I am going to focus on the Token certificates. These certificates will expire, and this post is about renewing them.

Do I update just the Token-Signing cert? The Token-Decrypting cert is rarely used, but its presence means that a relying party that consumes the AD FS metadata will alert about the expiration of that cert as well.

Do I use a self-signed cert or a public cert? Using a public cert is an unnecessary overhead and I wouldn't recommend it.
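As an added example that is not from the original post, the following PowerShell (run in an elevated session on an AD FS server, using the ADFS module's Get-AdfsCertificate and Get-AdfsProperties cmdlets) reports how long each of the three certificate types has before expiry and whether automatic rollover is on; the 30-day warning threshold is an assumed value.

```powershell
# Added example, not the post author's code. Reports expiry of all three AD FS
# certificate types and the AutoCertificateRollover setting. Requires the ADFS
# PowerShell module on an AD FS server. $WarnDays is an assumed threshold.
$WarnDays = 30

function Get-AdfsCertificateExpiryReport {
    param([int]$WarnDays = 30)

    $now = Get-Date
    foreach ($type in 'Service-Communications', 'Token-Signing', 'Token-Decrypting') {
        foreach ($c in Get-AdfsCertificate -CertificateType $type) {
            $daysLeft = [int]($c.Certificate.NotAfter - $now).TotalDays
            # Both token certs are published in the federation metadata, so a
            # relying party will flag an expiring Token-Decrypting cert even
            # though encryption of SAML assertions is rarely used.
            $status = if ($daysLeft -le 0) { 'EXPIRED' }
                      elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                      else { 'OK' }
            [pscustomobject]@{
                CertificateType = $c.CertificateType
                IsPrimary       = $c.IsPrimary
                Thumbprint      = $c.Thumbprint
                NotAfter        = $c.Certificate.NotAfter
                DaysLeft        = $daysLeft
                Status          = $status
            }
        }
    }
}

# With rollover ON, AD FS generates a new self-signed token cert
# CertificateGenerationThreshold days before expiry and promotes it to primary
# CertificatePromotionThreshold days before expiry; Update-AdfsCertificate can
# force that early. With rollover OFF, a replacement cert must be added with
# Add-AdfsCertificate and promoted with Set-AdfsCertificate.
$props = Get-AdfsProperties
if ($props.AutoCertificateRollover) {
    "AutoCertificateRollover ON: generate {0} days before expiry, promote {1} days before expiry." -f
        $props.CertificateGenerationThreshold, $props.CertificatePromotionThreshold
} else {
    "AutoCertificateRollover OFF: token certs must be renewed manually."
}

Get-AdfsCertificateExpiryReport -WarnDays $WarnDays | Format-Table -AutoSize
```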