

Replace the (WS-Fed) token signing certificates

You can replace your (WS-Fed) token signing certificates when they expire or if they have been revoked.

Workflow illustration: How to Replace the (WS-Fed) Token Signing Certificates

Follow these steps:

  1. Remove the expired certificate from your IIS web server.
  2. Add the new certificates.
  3. Install the Policy Server signing certificate on your CA SiteMinder® Agent for SharePoint.
  4. Re-configure the trusted identity provider.

Remove the expired certificate from your IIS web server

When the token-signing certificate expires, remove it from your IIS web server.

Follow these steps:

  1. Log in to your IIS web server.
  2. Click Start, Administrative Tools, Internet Information Services (IIS).
  3. Under Connections, expand your web server, and then double-click Server Certificates.

    A list of certificates appears.

  4. Right-click the expired certificate, and then pick Delete.
  5. Close the IIS Manager.
  6. Open a command-prompt window that has administrator privileges.
  7. Run the following command:
    iisreset

    The expired certificate is removed.

Add the new certificates

Add a new certificate to replace the expired one in your CA SiteMinder® Agent for SharePoint environment.

Follow these steps:

  1. Create a certificate request for a server certificate on an IIS web server.
  2. Submit your certificate request to a certificate authority.
  3. Approve the certificate request using Active Directory Certificate Services.
  4. Complete your certificate request.
  5. Verify your approval and download your certificate and certificate chain.
  6. Export your Policy Server signing certificate.
  7. Add the Policy Server signing certificate to your Policy Servers and create a trust file.

Install the Policy Server Signing Certificate on your Proxy Server

The CA SiteMinder® Agent for SharePoint uses an embedded Apache web server. Install the Policy Server signing certificate you want to use for your SharePoint Connection. We recommend using a certificate signed by a Certificate Authority. After copying the certificate and related key files to your CA SiteMinder® Agent for SharePoint, edit the configuration file for the embedded Apache web server.

Follow these steps:

  1. Copy the certificate files and related key files to your Agent for SharePoint.
  2. Open the following file with a text editor:
    Agent-for-SharePoint_home\httpd\conf\extra\httpd-ssl.conf
    
  3. Edit the following directives in the file to point to your certificate and related key files (respectively):

Re-configure the trusted identity provider

CA SiteMinder® trusted identity providers use the following SSL certificates to encrypt their communications with the CA SiteMinder® Policy Server:

When any of the previous certificates expire, you can replace them with valid certificates.

The following illustration describes how to replace the certificates of your CA SiteMinder® trusted identity provider:

Illustration: Replace the Certificates of your SiteMinder trusted identity provider

Follow these steps:

  1. Replace the certificates on your servers.
  2. Verify that your account has the required permissions.
  3. Open a SharePoint 2010 management shell window on your SharePoint central administration server.
  4. Identify your CA SiteMinder® trusted identity provider.
  5. Create a Windows PowerShell script to update the certificates.
  6. Add the new certificates to your CA SiteMinder® trusted identity provider.
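Steps 3 through 6 above, as an added example for the SharePoint 2010 Management Shell; this script is not part of the CA documentation, and the provider name "SiteMinder" and the certificate path are assumptions for illustration.

```powershell
# Added example (not from the CA documentation): refresh the token-signing
# certificate of a SiteMinder trusted identity provider from the SharePoint
# 2010 Management Shell. Provider name and certificate path are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName = "SiteMinder"                         # assumed provider name
$newCertPath  = "C:\certs\policyserver-signing.cer"  # assumed exported cert

# Load the new Policy Server signing certificate (public part is sufficient)
# and refuse to install one that is already expired.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($newCertPath)
if ($newCert.NotAfter -lt (Get-Date)) {
    throw "New certificate $($newCert.Thumbprint) already expired on $($newCert.NotAfter)."
}

# Step 4: identify the trusted identity provider.
$tip = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
if (-not $tip) { throw "Trusted identity provider '$providerName' not found." }

Write-Host ("Current signing certificate: {0} (expires {1})" -f `
    $tip.SigningCertificate.Thumbprint, $tip.SigningCertificate.NotAfter)

if ($tip.SigningCertificate.Thumbprint -eq $newCert.Thumbprint) {
    Write-Host "Provider already trusts this certificate; nothing to do."
    return
}

# Step 6: register the new certificate as a trusted root authority, then
# replace the provider's signing certificate with it.
New-SPTrustedRootAuthority -Name "$providerName-signing-$($newCert.Thumbprint)" `
    -Certificate $newCert | Out-Null
Set-SPTrustedIdentityTokenIssuer -Identity $tip -ImportTrustCertificate $newCert

# Verify that SharePoint now validates tokens against the new certificate.
$tip = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
if ($tip.SigningCertificate.Thumbprint -ne $newCert.Thumbprint) {
    throw "Signing certificate of '$providerName' was not updated."
}
Write-Host ("Provider '{0}' now trusts signing certificate {1}" -f $providerName, $newCert.Thumbprint)
```

Run the script with an account that has the permissions checked in step 2; the thumbprint comparison at the end is the check that the old, expired certificate is no longer the one SharePoint trusts.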