How to change an expired token signing cert for Safewhere Identify

Given that the signing certificate for Identify has expired. We want to update it to another new certificate.

We need to follow this:

A. Safewhere Identify v.5.1.0 ++:

From version 5.1.0 ++, we supported a new feature in the configurator to change the signing certificate easily. You can run the configurator and choose Reconfigure an instance option like the image below.


After that process to the next steps to change the signing certificate.




B. Safewhere Identify < v.5.1.0:

  1. Open the certificate store:
    • Import the new certificate file: .pfx or .p12 to LocalMachine\My
    • Import the new certificate’s CA to LocalMachine\Trusted Root Certificate Authorities
    • Import the public key of the new certificate to LocalMachine\Trusted People
    • Grant the Read permission to the private key of the new certificate to the Identity of the application pool for Identify
  2. Change the signing certificate for IdentifyConfiguration XML of the Identify:
    • Run  the below SQL script to get the IdentifyConfiguration XML :
    • Change the signing certificate in that XML content and run this SQL script like
  3. Change the encryption certificate for WSFED protocol connection whose name is "https://#REPLACE_THIS_WITH_YOUR_TENANT_DOMAIN/admin/":
    • Run the SQL script to get the XML content :
      • For the Identify whose version is >= 4.3
      • For the Identify whose version is < 4.3
    • Change the signing certificate in that XML and run the below SQL script
        • For the Identify whose version is >= 4.3
        • For the Identify whose version is < 4.3
  4. Access and open the web.config at C:\Program Files\Safewhere\Identify\Tenants\[yourtenant]\admin, replace the places which is using the original certificate’s thumbprint value by the new one’s thumbprint value
  5. Do the same like above with the web.config at C:\Program Files\Safewhere\Identify\Tenants\[yourtenant]\service
  6. Reset the IIS to get the new change to be applied.
  7. Update the new certificate info on the XMLConfiguration of the tenant at the dbo.tenant on the IdentifyTenant database.
  8. Remember to update/reload metadata in all other RP/IdP that is connected to this Identify instance.