When the signing certificate for Identify has expired and you want to replace it with a new certificate, follow the procedure for your version:
A. Safewhere Identify v.5.1+:
From version 5.1, the configurator supports changing the signing certificate directly. Run the configurator, choose the Reconfigure an instance option (as shown in the image below), and then proceed through the following steps to change the signing certificate.
B. Safewhere Identify < v.5.1:
1. Install the new certificate in the certificate store on the Identify server:
   - Open the certificate store (LocalMachine).
   - Import the new certificate file (.pfx or .p12) into LocalMachine\My.
   - Import the new certificate's CA certificate into LocalMachine\Trusted Root Certification Authorities.
   - Import the public part of the new certificate (the certificate without its private key) into LocalMachine\Trusted People.
   - Grant Read permission on the private key of the new certificate to the identity of the application pool that runs Identify.
2. Change the signing certificate in the IdentifyConfiguration XML of Identify:
   - Run the following SQL script to get the IdentifyConfiguration XML:

      SELECT [Id], [ClrType], [Xml]
      FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ConfigurationEntry]
      WHERE [Id] IN (SELECT [ConfigurationId]
                     FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[IdentifyConfiguration])
      GO

   - Change the signing certificate in that XML and run an UPDATE like:

      UPDATE [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ConfigurationEntry]
      SET [Xml] = N'..'
      WHERE [Id] IN (SELECT [ConfigurationId]
                     FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[IdentifyConfiguration])

3. Change the encryption certificate of the WS-Federation protocol connection whose name is "https://#REPLACE_THIS_WITH_YOUR_TENANT_DOMAIN/admin/":
   - Run the following SQL script to get the XML:

      SELECT [Id], [ClrType], [Xml]
      FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ConfigurationEntry]
      WHERE [Id] IN (SELECT [ConfigurationId]
                     FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[Connection]
                     WHERE [Name] = 'https://#REPLACE_THIS_WITH_YOUR_TENANT_DOMAIN/admin/')
      GO

   - Change the certificate in that XML and run an UPDATE like:

      UPDATE [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ConfigurationEntry]
      SET [Xml] = N'..'
      WHERE [Id] IN (SELECT [ConfigurationId]
                     FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[Connection]
                     WHERE [Name] = 'https://#REPLACE_THIS_WITH_YOUR_TENANT_DOMAIN/admin/')

4. Open the web.config at C:\Program Files\Safewhere\Identify\Tenants\[yourtenant]\admin and replace every place that uses the original certificate's thumbprint with the new certificate's thumbprint.
5. Do the same in the web.config at C:\Program Files\Safewhere\Identify\Tenants\[yourtenant]\service.
6. Reset IIS (for example with iisreset) so that the change is applied.
7. Remember to update/reload the metadata in all other RPs/IdPs that are connected to this Identify instance, since they still hold the old signing certificate.
* Note: if you are using Identify v4.2, then in step 3 use the [ProtocolConnection] table instead of the [Connection] table.
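As an added example (not part of the original article and not Safewhere's own tooling), the following PowerShell script covers the web.config part of the procedure: it verifies that the new certificate is installed in LocalMachine\My with a private key and has not expired, backs up each tenant web.config, and swaps the old thumbprint for the new one. The thumbprint values, tenant name and Tenants folder are placeholders to replace with your own.

```powershell
# Added example: swap the signing-certificate thumbprint in the tenant's admin and
# service web.config files after sanity-checking the new certificate.
# Thumbprints and tenant name are placeholders; run from an elevated PowerShell.
param(
    [string]$OldThumbprint = 'REPLACE_WITH_OLD_THUMBPRINT',
    [string]$NewThumbprint = 'REPLACE_WITH_NEW_THUMBPRINT',
    [string]$Tenant        = 'yourtenant',
    [string]$TenantsRoot   = 'C:\Program Files\Safewhere\Identify\Tenants'
)

# Strip spaces and non-hex characters that often sneak in when a thumbprint is copied
# from the certificate MMC snap-in; a mangled thumbprint is the usual cause of
# "certificate not found" errors after a swap.
$OldThumbprint = ($OldThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$NewThumbprint = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# The new certificate must be in LocalMachine\My, carry a private key and still be valid.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert) { throw "Certificate $NewThumbprint is not in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key (import the .pfx/.p12, not the .cer)" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $NewThumbprint expired on $($cert.NotAfter)" }
Write-Host "Using $($cert.Subject), valid until $($cert.NotAfter)"

foreach ($app in 'admin', 'service') {
    $path = Join-Path $TenantsRoot "$Tenant\$app\web.config"
    if (-not (Test-Path $path)) { Write-Warning "Missing $path"; continue }

    # Keep a timestamped copy so the change can be rolled back.
    $backup = "$path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item $path $backup

    $xml     = Get-Content $path -Raw
    $pattern = [regex]::Escape($OldThumbprint)
    $count   = ([regex]::Matches($xml, $pattern, 'IgnoreCase')).Count
    if ($count -eq 0) { Write-Warning "Old thumbprint not found in $path"; continue }

    # Case-insensitive replace: web.config may store the thumbprint in either case.
    $xml = $xml -ireplace $pattern, $NewThumbprint
    Set-Content -Path $path -Value $xml -NoNewline
    Write-Host "${path}: replaced $count occurrence(s), backup at $backup"
}
```

The script does not touch the database entries from steps 2 and 3 or grant the private-key permission from step 1; those still have to be done as described above.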