How to change an expired token signing cert for Safewhere Identify
When the token signing certificate for Identify has expired, it has to be replaced with a new certificate.
Follow the steps for your version:
A. Safewhere Identify v.5.1.0 ++:
From version 5.1.0 onwards, the configurator supports changing the signing certificate. Run the configurator and choose the Reconfigure an instance option, as shown in the image below.
Then proceed through the following steps to change the signing certificate.
B. Safewhere Identify < v.5.1.0:
- Open the certificate store:
- Import the new certificate file (.pfx or .p12) into LocalMachine\My
- Import the CA certificate of the new certificate into LocalMachine\Trusted Root Certification Authorities
- Import the public part of the new certificate (without the private key) into LocalMachine\Trusted People
- Grant Read permission on the private key of the new certificate to the identity of the Identify application pool
- Change the signing certificate in the IdentifyConfiguration XML of Identify:
- Run the SQL script below to get the IdentifyConfiguration XML:
SELECT [Id]
,[ClrType]
,[Xml]
FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ConfigurationEntry]
where id in (
SELECT
[ConfigurationId]
FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[IdentifyConfiguration]
)
GO
- Change the signing certificate in that XML content, then write it back with an UPDATE like the one below (keep a copy of the original Xml value so you can roll back):
UPDATE [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ConfigurationEntry]
SET [Xml] = N'..'
where id in (
SELECT [ConfigurationId]
FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[IdentifyConfiguration]
)
- Change the encryption certificate for the WSFED (WS-Federation) protocol connection named "https://#REPLACE_THIS_WITH_YOUR_TENANT_DOMAIN/admin/":
Run the SQL script for your version to get the XML content:
- For Identify version >= 4.3
SELECT [Id]
,[ClrType]
,[Xml]
FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ConfigurationEntry]
WHERE id in (
SELECT [ConfigurationId]
FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[Connection]
WHERE [Name] = 'https://#REPLACE_THIS_WITH_YOUR_TENANT_DOMAIN/admin/'
)
GO
- For Identify version < 4.3
SELECT [Id]
,[ClrType]
,[Xml]
FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ConfigurationEntry]
WHERE id in (
SELECT [ConfigurationId]
FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ProtocolConnection]
WHERE [Name] = 'https://#REPLACE_THIS_WITH_YOUR_TENANT_DOMAIN/admin/'
)
GO
Change the certificate in that XML content and run the SQL script below for your version:
- For the Identify whose version is >= 4.3
UPDATE [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ConfigurationEntry]
SET [Xml] = N'..'
where id in (
SELECT
[ConfigurationId]
FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[Connection]
WHERE [Name] = 'https://#REPLACE_THIS_WITH_YOUR_TENANT_DOMAIN/admin/'
)
- For the Identify whose version is < 4.3
UPDATE [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ConfigurationEntry]
SET [Xml] = N'..'
where id in (
SELECT
[ConfigurationId]
FROM [Identify].[#REPLACE_THIS_WITH_YOUR_IDENTIFY_SCHEMA].[ProtocolConnection]
WHERE [Name] = 'https://#REPLACE_THIS_WITH_YOUR_TENANT_DOMAIN/admin/'
)
- Open the web.config at C:\Program Files\Safewhere\Identify\Tenants\[yourtenant]\admin and replace every occurrence of the original certificate's thumbprint with the thumbprint of the new certificate
- Do the same with the web.config at C:\Program Files\Safewhere\Identify\Tenants\[yourtenant]\service
- Reset IIS so that the change is applied.
- Remember to update/reload the metadata in all other RPs/IdPs connected to this Identify instance so that they pick up the new signing certificate.
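The machine-side steps of section B, as an added PowerShell example that is not part of the original article or of Safewhere's own tooling: it imports the new PFX into LocalMachine\My, adds the CA certificate to Trusted Root Certification Authorities, adds the public part of the certificate to Trusted People, grants the application pool identity Read (not Full Control) on the private key file, replaces the old thumbprint in both tenant web.config files after backing them up, and resets IIS. The database steps are left to the SQL scripts above. The file paths, the PFX password prompt, the app-pool name Identify-yourtenant and the tenant folder yourtenant are assumptions; adjust them to your installation.

```powershell
#Requires -RunAsAdministrator
# Added example, not Safewhere tooling. Automates the steps of section B that
# touch the server itself; the ConfigurationEntry updates are done with the
# SQL scripts from the article and are not repeated here.
# Assumed values (constructed, not from the article): paths, app-pool name,
# tenant folder name. The PFX password is prompted for, never stored.
$PfxPath       = 'C:\certs\identify-signing-new.pfx'
$CaCerPath     = 'C:\certs\issuing-ca.cer'
$PfxPassword   = Read-Host -Prompt 'PFX password' -AsSecureString
$AppPoolName   = 'Identify-yourtenant'   # confirm with Get-IISAppPool or IIS Manager
$TenantRoot    = 'C:\Program Files\Safewhere\Identify\Tenants\yourtenant'
$OldThumbprint = 'REPLACE_WITH_EXPIRED_THUMBPRINT'

function Get-PrivateKeyFile {
    # Returns the on-disk key container of a machine certificate. CNG (KSP) keys
    # and legacy CAPI keys live in different folders, so both are handled.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { throw "Certificate $($Cert.Thumbprint) has no accessible RSA private key" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\SystemKeys")
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    }
    foreach ($d in $dirs) {
        $p = Join-Path $d $name
        if (Test-Path $p) { return $p }
    }
    throw "Key container '$name' not found under $($dirs -join ', ')"
}

function Grant-PrivateKeyRead {
    # Read is all token signing needs; Full Control would let a compromised
    # worker process export or replace the key.
    param([string]$KeyFile, [string]$Identity)
    $acl  = Get-Acl -Path $KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

function Set-ThumbprintInConfig {
    # Replaces every occurrence of the old thumbprint, case-insensitively,
    # after writing a timestamped backup. Fails loudly if nothing matches.
    param([string]$Path, [string]$Old, [string]$New)
    $text    = Get-Content -Path $Path -Raw
    $pattern = [regex]::Escape($Old)
    $hits    = [regex]::Matches($text, $pattern, 'IgnoreCase').Count
    if ($hits -eq 0) {
        throw "Old thumbprint not present in $Path; check for an invisible leading character copied from the certificate MMC"
    }
    Copy-Item -Path $Path -Destination ("{0}.{1}.bak" -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))
    $updated = [regex]::Replace($text, $pattern, $New, 'IgnoreCase')
    Set-Content -Path $Path -Value $updated -NoNewline -Encoding UTF8
    return $hits
}

# 1. Import the new certificate with its private key into LocalMachine\My.
$new = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

# 2. Trust the issuing CA and publish only the public part to Trusted People.
Import-Certificate -FilePath $CaCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$publicOnly = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($new.RawData)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$store.Open('ReadWrite'); $store.Add($publicOnly); $store.Close()

# 3. Let the application pool identity read the private key.
Grant-PrivateKeyRead -KeyFile (Get-PrivateKeyFile -Cert $new) -Identity "IIS AppPool\$AppPoolName"

# 4. Swap the thumbprint in both tenant web.config files.
foreach ($site in 'admin', 'service') {
    $cfg = Join-Path $TenantRoot "$site\web.config"
    $n = Set-ThumbprintInConfig -Path $cfg -Old $OldThumbprint -New $new.Thumbprint
    Write-Host "$cfg : replaced $n occurrence(s) with $($new.Thumbprint)"
}

# 5. Apply the change.
iisreset
```

Run it in an elevated PowerShell session on the Identify server. The thumbprint replacement is case-insensitive and stops with an error if the old thumbprint is not found in a file; when that happens, check that the expired value was not copied with an invisible leading character from the certificate MMC, a common cause of a thumbprint that looks right but never matches.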