ADFS Certificates Test
In an Active Directory Federation Services (AD FS) farm, several certificates are used to secure communication and to authenticate users between Internet clients and federation servers. Each federation server must have a service communication certificate and a token-signing certificate before it can participate in AD FS communications. The following certificate types are associated with a federation server:
- Token-signing certificate
- Service communication certificate
- Secure Sockets Layer (SSL) certificate
- Token-decryption certificate
These certificates are essential for secure access and communication between clients and federation servers. If an active certificate expires, that communication stops. To avoid this, administrators should proactively identify certificates nearing expiry and renew them. This is where the ADFS Certificates test helps.
This test auto-discovers all active certificates used by the target AD FS server, computes how long each active certificate will remain valid, and proactively alerts administrators when any certificate is nearing expiry.
Target of the test : An AD FS server
Agent deploying the test : An external agent
Outputs of the test : One set of results for each certificate used by the AD FS server
Parameters | Description
---|---
Test Period | How often should the test be executed.
Host | The host for which the test is to be configured.
Port | The port at which the AD FS server listens.
Measurement | Description | Measurement Unit | Interpretation
---|---|---|---
Days to expire | Indicates the number of days by which this certificate will expire. | Number | A high value is desired for this measure. A very low value indicates that the certificate is about to expire very soon. You may want to consider renewing the certificate before this eventuality strikes.
The detailed diagnosis of the Days to expire measure reveals the subject and issuer names of the certificate. In addition, administrators can find the thumbprint, the time stamp at which the certificate expires, the version of the certificate, and the friendly name assigned to the certificate.
Figure 1 : The detailed diagnosis revealed by the days to expire measure
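The discovery and days-to-expire computation described above, and the detailed-diagnosis fields (subject, issuer, thumbprint, expiry time, version, friendly name), can be reproduced on the federation server itself with the AD FS PowerShell module. This is an added example, not the monitoring product's own test code; it assumes the ADFS module cmdlets Get-AdfsCertificate and Get-AdfsSslCertificate are available (the latter exists on AD FS 2016 and later) and uses an assumed 30-day warning threshold.

```powershell
# Added example: enumerate AD FS certificates and compute days to expiry.
# Assumes the ADFS module (Get-AdfsCertificate, Get-AdfsSslCertificate) is loaded.
function Get-AdfsCertificateExpiry {
    param([int]$WarnDays = 30)   # assumed threshold for "nearing expiry"
    $now  = Get-Date
    $rows = @()

    # Describe one X509Certificate2 the way the detailed diagnosis does
    function New-Row([string]$Type, [bool]$Primary, $cert) {
        [pscustomobject]@{
            Type         = $Type
            IsPrimary    = $Primary
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            FriendlyName = $cert.FriendlyName
            Version      = $cert.Version
            NotAfter     = $cert.NotAfter
            DaysToExpire = [math]::Floor(($cert.NotAfter - $now).TotalDays)
        }
    }

    # Token-signing, token-decrypting and service-communications certificates
    foreach ($c in Get-AdfsCertificate) {
        $rows += New-Row $c.CertificateType $c.IsPrimary $c.Certificate
    }

    # SSL certificate bound to the HTTPS endpoint; looked up by thumbprint
    foreach ($s in Get-AdfsSslCertificate) {
        $cert = Get-Item -Path ("Cert:\LocalMachine\My\" + $s.CertificateHash)
        $rows += New-Row 'SSL' $true $cert
    }

    # Flag certificates within the warning window; a low DaysToExpire is the alert condition
    $rows | Select-Object *, @{ n = 'NearingExpiry'; e = { $_.DaysToExpire -le $WarnDays } }
}

# Usage: print the table, then list only certificates that need attention
$report = Get-AdfsCertificateExpiry -WarnDays 30
$report | Format-Table Type, IsPrimary, DaysToExpire, NearingExpiry, Subject -AutoSize
$report | Where-Object NearingExpiry | Format-List Subject, Issuer, Thumbprint, NotAfter, Version, FriendlyName
```

Run it in an elevated PowerShell session on a federation server; a certificate that has already expired shows a negative DaysToExpire and is flagged as well.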