1. Remove (delete) the old cert using MMC on the CRM web servers & ADFS servers. Verify removal of the cert by reviewing your IIS https bindings. We found that if we did not remove the old one first, application of the new one would not work.
2. Add the new cert to the ADFS server first. Import new cert into MMC cert snapins console. Be sure your 'AppPool user account' has read permissions. You also need to be sure that the 'ADFS service user account' has full permissions to the cert. Bind new cert to https in IIS. From your cmd line, perform an IISReset.
3. Add the new cert to your CRM web application servers...all of them if there's more than one. Import new cert into MMC cert snapins console. Be sure your 'AppPool user account' has read permissions. Bind new cert to https in IIS. From your cmd line, perform an IISreset.
4. On your ADFS server, update the cert in ADFS Mgmt Console. Under Service > certificates > Set service communications certificate to new cert.
5. Back again to your CRM web servers, fire up the 'Configure Claims Wizard', update to the new certificate, and apply.
6. On the ADFS server, in the ADFS Mgmt Console, under 'Trust Relationships', update relying trust federation metadata for all instances.
Posted in DevOps