Wednesday, January 8, 2014

Update certificate on SharePoint 2010

I recently needed to update the certificate issued by our ADFS server on our dev/QA SharePoint 2010.

I found a few posts online with good pointers, but none of them solved my issue, so I compiled a list of the actions I took to fix the certificate and make it work.

I cannot say whether some steps are unneeded or wrong, but this is exactly what I did on 2 environments, and it worked on both, step by step:

On ADFS server

Run PowerShell

Add-PSSnapin Microsoft.Adfs.PowerShell
# Lifetime of the auto-generated certificates, in days (730 = 2 years)
Set-AdfsProperties -CertificateDuration 730
# Generate new token-signing and token-decrypting certificates; -Urgent promotes them to primary immediately,
# so every relying party (here SharePoint) must receive the new public certificates right away
Update-AdfsCertificate -CertificateType Token-Signing -Urgent:$true
Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent:$true

Open ADFS management

Export both the signing and the decrypting certificate to .cer files (public key only, no private key is needed).
Copy the .cer files to your SharePoint 2010 machine.


On SharePoint

Windows Explorer

Install both certificates into the Trusted Root Certification Authorities store: right-click each .cer file, choose Install Certificate, and pick the Trusted Root Certification Authorities store as the location.


Run PowerShell

(I used the signing certificate in PowerShell):
# Load the SharePoint snap-in if you are not already in the SharePoint 2010 Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\test\adfs-signing.cer")
# List the existing trusted root authorities; copy the Id of the ADFS entry and use it in the next command
Get-SPTrustedRootAuthority
Set-SPTrustedRootAuthority -Identity "[id]" -Certificate $cert
# List the trusted identity token issuers; copy the Name of the ADFS provider and use it in the next command
Get-SPTrustedIdentityTokenIssuer
Set-SPTrustedIdentityTokenIssuer -Identity "[Name]" -ImportTrustCertificate $cert

On central admin

Go to Security > Manage trust.
Update the 2 certificates there (click each one, click Edit, upload the new .cer file).
Delete "local" and recreate it in PowerShell:

Run PowerShell

# Re-register the farm's own root certificate under a new name so SharePoint trusts its own tokens again
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert

Complete, verify

Run IISRESET – very important!

Pray, fingers crossed, tell your wife you love her and make sure no one in the world is angry at you

Open a browser and try to log in to your HTTPS site using ADFS; if you did everything right, it should work.
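Before trusting the browser test alone, it helps to confirm from the SharePoint side that the farm actually holds the certificates you just exported. The script below is an added example, not part of the original post; it assumes the exported files live at C:\test\adfs-signing.cer and C:\test\adfs-decrypting.cer (constructed paths), that the ADFS trusted identity token issuer in SharePoint is named "[Name]" (placeholder, use the name from Get-SPTrustedIdentityTokenIssuer), and that it runs on a SharePoint 2010 server as a farm administrator. It compares thumbprints of the .cer files against what is registered as trusted root authorities and on the token issuer, and flags anything expired or expiring within 30 days.

```powershell
# Added verification script (not from the original post). Assumed values are marked below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$signingPath = "C:\test\adfs-signing.cer"     # assumed path to the exported token-signing cert
$decryptPath = "C:\test\adfs-decrypting.cer"  # assumed path to the exported token-decrypting cert
$issuerName  = "[Name]"                       # placeholder: the SPTrustedIdentityTokenIssuer name

# Load a public-key .cer file as an X509Certificate2 object
function Import-CerFile([string]$path) {
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
}

$signingCer = Import-CerFile $signingPath
$decryptCer = Import-CerFile $decryptPath
$expected   = @($signingCer.Thumbprint, $decryptCer.Thumbprint)

# 1. Both ADFS certificates from the .cer files should be registered as trusted root authorities.
$registered = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
foreach ($t in $expected) {
    if ($registered -contains $t) { Write-Host "OK      trusted root authority has $t" }
    else { Write-Warning "MISSING trusted root authority for $t" }
}

# 2. The token issuer must use the new signing certificate; otherwise incoming SAML tokens
#    fail signature validation and the login page loops or errors.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($issuer.SigningCertificate.Thumbprint -eq $signingCer.Thumbprint) {
    Write-Host "OK      token issuer '$issuerName' uses the new signing certificate"
} else {
    Write-Warning ("token issuer '{0}' still uses {1}, expected {2}" -f `
        $issuerName, $issuer.SigningCertificate.Thumbprint, $signingCer.Thumbprint)
}

# 3. Warn on anything expired or expiring within 30 days so the next rollover is planned, not forced.
$now  = Get-Date
$soon = $now.AddDays(30)
Get-SPTrustedRootAuthority | ForEach-Object {
    $c = $_.Certificate
    if ($c.NotAfter -lt $now)      { Write-Warning ("EXPIRED      {0} ({1})" -f $_.Name, $c.NotAfter) }
    elseif ($c.NotAfter -lt $soon) { Write-Warning ("EXPIRES SOON {0} ({1})" -f $_.Name, $c.NotAfter) }
    else                           { Write-Host    ("OK      {0} valid until {1}" -f $_.Name, $c.NotAfter) }
}
```

Run it after IISRESET; a MISSING or mismatched-thumbprint warning points at the Set-SPTrustedRootAuthority or Set-SPTrustedIdentityTokenIssuer step, while an EXPIRED entry with the old thumbprint is the one you meant to replace in Manage trust.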

Like I said, it was working for me on our dev/QA environments, so I am not asking questions – if you have comments on something I should or could have done differently, feel free to leave a comment.

Good luck.
