How to use Let’s Encrypt certificates for ADFS and WAP by Bas Wijdenes

Encrypt the ADFS login page with Let’s Encrypt certificates.

In my previous post I explained how you can use a Let’s Encrypt certificate for WAC, IIS, and ADFS.

The WAC post has already been published, and you can view it here.
With this post, the ADFS tutorial is available as well.

Looking back at the previous post for a moment: we add a website to IIS, and its domain name must be the same as that of your ADFS login page.

This could be, for example, sts.DOMEIN.com. In that case, use sts.DOMEIN.com in IIS; if it does not match the subdomain you use in ADFS, your certificate will be invalid!

Temporarily adding the website to IIS has no consequences for DNS. You could set up a redirect if necessary.

For the first part of the tutorial I’d like to refer you to this blog post.


Importing a Let’s Encrypt certificate in ADFS and WAP.

If you followed the steps in the previous blog post, you should now have a Certificate on the management server, or a corresponding server where you followed these steps.

Make sure you export the certificate and have it on a file share.

I will show you in the following steps how you can update the ADFS and WAP servers from 1 server.

I assume that you are using ADFS on a Windows 2016 server. If this is not the case, you must also install the certificate on the secondary ADFS server.

I assume in all steps that you have intermediate knowledge of certificates, ADFS, and WAP, and that you also know how PowerShell works.


Configure Let’s Encrypt certificate in ADFS with PowerShell.

If all goes well, you have already put the certificate on a file share.

I always open the C-drive of the Active Directory Federation Services (ADFS) server and create a temp folder here.
Then I copy / paste the exported certificate to \\ADFSERVERNAME\C$\temp.

Now go to Start and open PowerShell_ISE in an elevated prompt (right mouse-click > Run as Administrator).

Copy / paste the following command into PowerShell_ISE and adjust the server name.

Enter-PSSession -ComputerName ADFSERVERNAME

You have now set up a connection to the ADFS Server. We can now import the certificate.

Use the following command here and adjust the password.

$passwrd = "PASSWORD"
$passwrd = ConvertTo-SecureString -string $passwrd -AsPlainText -Force
Import-PfxCertificate -FilePath C:\temp\test.bwb.cloud.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $passwrd

For more about the cmdlet Import-PfxCertificate click here.

We have now imported the certificate on the ADFS server and can continue to configure the certificate in ADFS itself via PowerShell.

If you use Windows 2012 R2, you must run it on your primary and secondary ADFS server. With Windows 2016, you only need to do this on your primary ADFS server.

When you import the certificate, the thumbprint is shown. Copy only the characters between the first two and the last two, and type those four characters in by hand. This way you cannot accidentally copy a space.

So suppose this is my thumbprint:
6838EC7D672F6B943B4FE51AE7629FDD19AAC58D

Then I copy 38EC7D672F6B943B4FE51AE7629FDD19AAC5 and type in 68 and 8D.

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint 6838EC7D672F6B943B4FE51AE7629FDD19AAC58D

Click here for more about Set-AdfsCertificate.

Copy / paste the following command and change the thumbprint.

Set-AdfsSslCertificate -Thumbprint 6838EC7D672F6B943B4FE51AE7629FDD19AAC58D

Click here for more about Set-AdfsSslCertificate.

Why do we need to use two different commands to change the ADFS certificate? Well, Jason Vallery gave a good explanation of that one.

“After a bit of digging I uncovered the Get-AdfsSslCertificate and Set-AdfsSslCertificate. Sure enough when I executed Get-AdfsSslCertificate the thumbprint of the original expired certificate was returned. This is because the change in the ADFS management console only updates the ADFS configuration database. It does not change the binding in HTTP.SYS. Since 2012R2 has no IIS dependency there is no user interface to manage the SSL certificate binding. As a result we must use powershell to do it.”

We now use the correct certificate within ADFS. Now we only have to change it in the Web Application Proxy (WAP) Servers.
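The ADFS steps above as one script, to be run inside the remote session before you close it. This is an added example, not code from the original post: it prompts for the PFX password instead of storing it in the script, checks the certificate against the federation service name, and takes the thumbprint from the imported object so nothing has to be copied by hand. The variable names are assumptions; the path is the one used on this page.

```powershell
# Added example; run inside the remote session on the primary ADFS server.
$PfxPath = 'C:\temp\test.bwb.cloud.pfx'   # path used on this page; adjust to your file

# Prompt for the PFX password so it is not stored in a script or in ISE history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

# Refuse to bind a certificate that clients of the federation service would reject.
$fsName = (Get-AdfsProperties).HostName
$now    = Get-Date
if (-not $cert.HasPrivateKey) { throw "No private key was imported for $($cert.Thumbprint)." }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is only valid from $($cert.NotBefore) to $($cert.NotAfter)."
}
# Exact-name match only; relax this if you deliberately use a wildcard certificate.
if ($cert.DnsNameList.Unicode -notcontains $fsName) {
    throw "Certificate names ($($cert.DnsNameList.Unicode -join ', ')) do not include $fsName."
}

# Take the thumbprint from the imported object: nothing to copy, so no stray characters.
$thumb = $cert.Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb   # ADFS configuration
Set-AdfsSslCertificate -Thumbprint $thumb                                        # HTTP.SYS bindings

# Read both settings back instead of assuming the change took effect.
$service = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
if ($service -ne $thumb) { throw "Service-Communications still uses $service." }
$stale = @(Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $thumb })
if ($stale.Count -gt 0) {
    $names = $stale | ForEach-Object { '{0}:{1}' -f $_.HostName, $_.PortNumber }
    Write-Warning "Bindings still on another certificate: $($names -join ', ')"
}

# The PFX holds the private key; do not leave it behind in C:\temp.
Remove-Item -Path $PfxPath
"ADFS now uses $thumb, valid until $($cert.NotAfter)."
```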

Use the following command to close the connection to the ADFS server.

Exit-PSSession

Configure Let’s Encrypt certificate in WAP with PowerShell.

Do the following steps on all WAP servers. This is not synchronized.

Because the WAP servers are not within the domain, you must first add them to the trusted hosts before you can reach them. You can do this with PowerShell.

Use the following command on your management server and change the value to the IP address of your WAP server.

Set-Item WSMan:\localhost\Client\TrustedHosts -Value IPADDRESSWAPSERVER

If you now go to \\WAPSERVER\C$, you will be asked for credentials.
Use the local admin credentials of the WAP server.

Copy / paste the exported certificate to \\WAPSERVER\C$\temp.

We’ll have to start an Enter-PSSession again, but with a WAP server that is a little different.

Copy / paste the command. Run it with F5 and enter the local admin credentials for the WAP server.

$Cred = Get-Credential

Enter-PSSession -ComputerName WAPSERVERNAME -Credential $Cred

You have now set up a connection to the WAP Server. We can now import the certificate.

Use the following command here and adjust the password.

$passwrd = "PASSWORD"
$passwrd = ConvertTo-SecureString -string $passwrd -AsPlainText -Force
Import-PfxCertificate -FilePath C:\temp\test.bwb.cloud.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $passwrd

We’ve imported the certificate and need to set the Web Application Proxy SSL certificate now.
You can use the following command to change the certificate in the WAP server.

Set-WebApplicationProxySslCertificate -Thumbprint 6838EC7D672F6B943B4FE51AE7629FDD19AAC58D
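The WAP steps above as one script for the management server, as an added example that is not part of the original post. A plain Set-Item on TrustedHosts replaces any hosts already listed, and a TrustedHosts entry means the remote machine's identity is not verified, so this version appends the WAP server, does the work, and then restores the previous list. The variable names are assumptions; the server placeholder and path are the ones used on this page.

```powershell
# Added example; run elevated on the management server.
$WapServer = 'IPADDRESSWAPSERVER'              # placeholder from this page
$PfxPath   = 'C:\temp\test.bwb.cloud.pfx'      # path on the WAP server, as on this page
$thPath    = 'WSMan:\localhost\Client\TrustedHosts'

$before = (Get-Item -Path $thPath).Value       # remember the existing list
$Cred   = Get-Credential -Message "Local admin of $WapServer"
$PfxPw  = Read-Host -Prompt 'PFX password' -AsSecureString

# -Concatenate appends; a plain Set-Item -Value replaces whatever was listed before.
Set-Item -Path $thPath -Value $WapServer -Concatenate -Force
try {
    $thumb = Invoke-Command -ComputerName $WapServer -Credential $Cred `
        -ArgumentList $PfxPath, $PfxPw -ScriptBlock {
            param($Path, $Password)
            $cert = Import-PfxCertificate -FilePath $Path `
                -CertStoreLocation Cert:\LocalMachine\My -Password $Password
            # Thumbprint comes from the imported object, not from a copy / paste.
            Set-WebApplicationProxySslCertificate -Thumbprint $cert.Thumbprint | Out-Null
            Remove-Item -Path $Path            # the PFX contains the private key
            $cert.Thumbprint
        }
    "WAP $WapServer now uses $thumb"
}
finally {
    # Put TrustedHosts back so the exception does not outlive the change.
    Set-Item -Path $thPath -Value $before -Force
}
```

Repeat it for each WAP server, since the certificate is not synchronized between them.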

Now go to portal.office.com and check if your certificate is the correct Let’s Encrypt certificate.

Let’s encrypt for ADFS and WAP.

By checking the certificate you can test whether the correct certificate is shown. As you can see in my screenshot, the correct certificate shows and I can verify that the change is successful.
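The same check without a browser, as an added example that is not code from the original post: it connects to the login host, reads the certificate that is actually served, and compares it with the thumbprint you configured. The function names and the 30-day warning window are assumptions; the host name and thumbprint are the sample values used on this page.

```powershell
# Added example; run from any machine that can reach the federation endpoint.
function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        # Passing the host name sends SNI, so the binding for that name is the one tested.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-ServedCertificate {
    param([string]$HostName, [string]$ExpectedThumbprint, [int]$WarnDays = 30)
    $cert = Get-ServedCertificate -HostName $HostName
    $left = ($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        HostName        = $HostName
        Thumbprint      = $cert.Thumbprint
        # Strip spaces and hidden characters that sneak in when a thumbprint is pasted.
        MatchesExpected = ($cert.Thumbprint -eq ($ExpectedThumbprint -replace '[^0-9A-Fa-f]'))
        Issuer          = $cert.Issuer
        DaysLeft        = [int]$left
        RenewSoon       = ($left -lt $WarnDays)   # Let's Encrypt certificates last 90 days
    }
}

# Sample values from this page; replace them with your own host name and thumbprint.
Test-ServedCertificate -HostName 'sts.DOMEIN.com' -ExpectedThumbprint '6838EC7D672F6B943B4FE51AE7629FDD19AAC58D'
```

Run it once from a client that reaches the WAP servers and once from one that reaches ADFS directly, so both bindings are checked.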



Published by

Bas Wijdenes

My name is Bas Wijdenes and I work as a PowerShell DevOps Engineer. In my spare time I write about interesting stuff that I encounter during my work.

2 thoughts on “How to use Let’s Encrypt certificates for ADFS and WAP by Bas Wijdenes”

  1. Hi,

    Thanks for such a nice post and Step by step process..

    This SSL certificate will expire after 90 days.. then what??
    How to auto renew and auto install on ADFS and WAP??

    any pointer on that??

  2. What about using the LetsEncrypt Certificate for signing SAML requests and responses from ADFS or the Relying Party?

    Is there a PowerShell command I can use to update those or should I rely on ADFS getting the new certificate from the updated metadata at the service provider?
