Replace the (WS-Fed) token signing certificates
You can replace your (WS-Fed) token signing certificates when they expire or if they have been revoked.
Follow these steps:
- Remove the expired certificate from your IIS web server.
- Add the new certificates.
- Install the Policy Server signing certificate on your CA SiteMinder® Agent for SharePoint.
- Re-configure the trusted identity provider.
Remove the expired certificate from your IIS web server
When the token-signing certificate expires, remove it from your IIS web server.
Follow these steps:
- Log in to your IIS web server.
- Click Start, Administrative Tools, Internet Information Services (IIS).
- Under Connections, expand your web server, and then double-click Server Certificates.
A list of certificates appears.
- Right-click the expired certificate, and then pick Delete.
- Close the IIS Manager.
- Open a command-prompt window that has administrator privileges.
- Run the following command:
iisreset
The expired certificate is removed.
Add the new certificates
Add a new certificate to replace the expired one in your CA SiteMinder® Agent for SharePoint environment.
Follow these steps:
- Create a certificate request for a server certificate on an IIS web server.
- Submit your certificate request to a certificate authority.
- Approve a certificate request using Active Directory Certificate Services.
- Complete your certificate request.
- Verify your approval and download your certificate and certificate chain.
- Export your Policy Server signing certificate.
- Add a Policy Server signing certificate to Policy Servers and create a trust file.
Install the Policy Server Signing Certificate on your Proxy Server
The CA SiteMinder® Agent for SharePoint uses an embedded Apache web server. Install the Policy Server signing certificate you want to use for your SharePoint connection. We recommend using a certificate signed by a Certificate Authority. After copying the certificate and related key files to your CA SiteMinder® Agent for SharePoint, edit the configuration file for the embedded Apache web server.
Follow these steps:
- Copy the certificate files and related key files to your Agent for SharePoint.
- Open the following file with a text editor:
Agent-for-SharePoint_home\httpd\conf\extra\httpd-ssl.conf
- Edit the following directives in the file to point to your certificate and related key files (respectively):
- SSLCertificateFile
- SSLCertificateKeyFile
Re-configure the trusted identity provider
CA SiteMinder® trusted identity providers use the following SSL certificates to encrypt their communications with the CA SiteMinder® Policy Server:
- A certificate authority certificate (CA-certificate or root certificate).
- An X.509 certificate (signing certificate).
When any of the previous certificates expire, you can replace them with valid certificates.
The following illustration describes how to replace the certificates of your CA SiteMinder® trusted identity provider:
Follow these steps:
- Replace the certificates on your servers.
- Verify that your account has the required permissions.
- Open a SharePoint 2010 management shell window on your SharePoint central administration server.
- Identify your CA SiteMinder® trusted identity provider.
- Create a Windows PowerShell script to update the certificates.
- Add the new certificates to your CA SiteMinder® trusted identity provider.
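The script the last three steps call for, as an added example that is not part of the CA documentation: it identifies the trusted identity provider, checks that the replacement certificates are currently valid, adds the new CA certificate to the farm's trusted root authorities, and imports the new signing certificate. The provider name, certificate file paths and root authority name are assumptions; adjust them to your farm.

```powershell
# Added example (not from the CA documentation): replace the signing certificate of an
# existing CA SiteMinder trusted identity provider in SharePoint 2010.
# Assumed values: provider named "SiteMinder", new signing certificate exported to
# C:\certs\new-signing.cer, its issuing CA certificate exported to C:\certs\new-root.cer.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName   = "SiteMinder"                 # assumed provider name
$signingCerPath = "C:\certs\new-signing.cer"   # assumed path (public certificate only)
$rootCerPath    = "C:\certs\new-root.cer"      # assumed path (public certificate only)

# Load the certificates. SharePoint only needs the public halves; no private key is imported here.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCerPath)
$rootCert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCerPath)

# Check validity first so an expired certificate is not replaced with another unusable one.
$now = Get-Date
foreach ($c in @($signingCert, $rootCert)) {
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
        throw "Certificate '$($c.Subject)' is not valid at $now (valid $($c.NotBefore) to $($c.NotAfter))."
    }
}

# Identify the trusted identity provider and record the certificate it currently uses.
$tip = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
if ($null -eq $tip) { throw "Trusted identity provider '$providerName' was not found." }
Write-Host "Current signing certificate thumbprint: $($tip.SigningCertificate.Thumbprint)"

# Add the new CA certificate to the farm's trusted root authorities unless it is already present.
$existingRoot = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $rootCert.Thumbprint }
if (-not $existingRoot) {
    New-SPTrustedRootAuthority -Name "SiteMinder Root $($rootCert.Thumbprint)" -Certificate $rootCert | Out-Null
}

# Import the new token signing certificate into the provider and confirm the change took effect.
Set-SPTrustedIdentityTokenIssuer -Identity $tip -ImportTrustCertificate $signingCert
$tip = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
Write-Host "New signing certificate thumbprint:     $($tip.SigningCertificate.Thumbprint)"
```

Run the script from a SharePoint 2010 Management Shell with an account that has farm administrator rights, as the steps above require.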
Copyright © 2014 CA.
All rights reserved.