

Add a Policy Server Signing Certificate to Policy Servers and Create a Trust File

CA SiteMinder requires a certificate to sign the WS-Token. CA SiteMinder signs the WS-Token and sends it to SharePoint. To provide a certificate for the WS-Token, import an existing certificate that contains both a private and a public key. After the certificate has been imported to the key store and assigned an alias, export the certificate (public key only) to your SharePoint Central Administration server to create a trust certificate.

This certificate often uses the Public-Key Cryptography Standards #12 (PKCS #12) format. In the following example, a password protects the PKCS #12 file.

Note: On Windows operating environments, a .pfx file is equivalent to a .p12 file.

Follow these steps:

  1. Log on to the Administrative UI.
  2. Add the Policy Server signing certificate to the Policy Servers with the following steps:
    1. Click Infrastructure, X509 Certificate Management, Trusted Certificates and Private Keys.

      The trusted certificates and private keys screen appears.

    2. Click Import New.

      The Import Certificate/Private key wizard starts.

    3. Click the Browse button, navigate to the certificate that you want to import, and then click Next.
    4. Enter the password with which you previously exported the certificate, and then click Next.
    5. Highlight the text in the Alias field, and then type a new Alias for the certificate.
    6. Click Next.
    7. Review the information that is shown on the confirmation screen, and then click Finish.

      The Policy Server signing certificate is added to the central key store on the Policy Servers. The Policy Server signing certificate appears in the list that is shown on the Administrative UI.

  3. Create a trust certificate for your SharePoint central administration server with the following steps:
    1. Locate the certificate from Step 2g in the list.
    2. Click the Action drop-down list, and then choose Export.

      The Export Key Store Entry screen appears.

    3. Verify that the following value appears in the Format drop-down list:
      X509-DER

    4. Click Export.
    5. Save the certificate to another location.

      The trust certificate for your SharePoint central administration server is created.

  4. Copy the certificate from Step 3e to a directory on your SharePoint central administration server. This certificate is the trust certificate.
  5. Copy any Certificate Authority Certificates in the certificate chain to a directory on your SharePoint central administration server.

    Note: The PowerShell script (which the SharePoint connection wizard creates) requires the paths to the following certificates on your SharePoint central administration server:
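Before handing the exported file to the administrators described in the following sections, it is worth confirming that the X509-DER file from Step 3 carries the same public key as the PKCS #12 bundle from Step 2 and that it verifies against the CA chain from Step 5. The following script is an added example, not part of the CA SiteMinder documentation; it assumes OpenSSL is on the PATH, and the file names `signing.pfx`, `trust.cer` and `ca-chain.pem` are placeholders.

```shell
#!/bin/sh
# Added example; not part of the CA SiteMinder documentation. Assumes OpenSSL
# is on the PATH. File names passed as arguments are placeholders.
#
# Checks that the X509-DER trust certificate exported in Step 3 matches the
# signing key inside the PKCS #12 file imported in Step 2, and that it can be
# verified against the CA certificates from Step 5. Only the DER file and the
# CA chain leave this machine; the .pfx holding the private key never should.
#
# Usage: check_trust_cert signing.pfx <pkcs12-password> trust.cer [ca-chain.pem]

pubkey_hash() {
    # SHA-256 over the DER SubjectPublicKeyInfo of the PEM certificate on stdin
    openssl x509 -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

check_trust_cert() {
    pfx="$1"; pass="$2"; der="$3"; chain="${4:-}"

    # 1. The exported file must parse as a DER X.509 certificate (not PEM, not a key bag).
    trust_pem=$(openssl x509 -inform DER -in "$der" 2>/dev/null) || {
        echo "ERROR: $der is not a DER-encoded X.509 certificate" >&2; return 1; }

    # 2. Pull the end-entity certificate out of the PKCS #12; the private key stays inside.
    pfx_pem=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
              | openssl x509 2>/dev/null)
    [ -n "$pfx_pem" ] || { echo "ERROR: cannot read certificate from $pfx" >&2; return 1; }

    # 3. Both must carry the same public key; otherwise SharePoint receives a certificate
    #    that cannot validate the Policy Server's WS-Fed token signatures.
    a=$(printf '%s\n' "$pfx_pem" | pubkey_hash)
    b=$(printf '%s\n' "$trust_pem" | pubkey_hash)
    [ "$a" = "$b" ] || { echo "ERROR: public key in $der differs from $pfx" >&2; return 1; }

    # 4. Optionally verify the chain the SharePoint administrator will also receive.
    if [ -n "$chain" ]; then
        printf '%s\n' "$trust_pem" | openssl verify -CAfile "$chain" >/dev/null 2>&1 \
            || { echo "ERROR: $der does not chain to $chain" >&2; return 1; }
    fi

    # Fingerprint to confirm out of band with the SharePoint administrator.
    openssl x509 -inform DER -in "$der" -noout -fingerprint -sha256
}
```

With OpenSSL 3, a .pfx produced by older tooling (RC2-encrypted PKCS #12) needs `-legacy` on the `openssl pkcs12` command to be read.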

More information:

Modify the PowerShell Script

Provide the Policy Server Signing Certificate Files to Your Agent Owner

The system hosting the CA SiteMinder Agent for SharePoint needs a copy of the Policy Server signing certificate. This copy helps the CA SiteMinder Agent for SharePoint validate the WS-Fed tokens that the Policy Server sends. The certificate chain validates the Policy Server signing certificate.

Provide the following files to the administrator of the system that hosts the CA SiteMinder Agent for SharePoint:

More information:

Install the Policy Server Signing Certificate on your CA SiteMinder Agent for SharePoint

Provide the Certificate Files to Your SharePoint Administrator

The SharePoint central administration server needs a copy of the Policy Server signing certificate. This copy helps the central administration server validate the WS-Fed tokens that the CA SiteMinder Agent for SharePoint forwards from the Policy Server. The certificate chain validates the Policy Server signing certificate.

The SharePoint administrator must edit the PowerShell script that the SharePoint connection wizard generates to include references to these certificate files.

Provide the following files to the SharePoint administrator:

More information:

How to Configure the Trusted Identity Provider