Replace the STS certificate for the on-premises environment

Applies to: SharePoint Server 2013

Topic Last Modified: 2014-04-25

Summary: Learn how to replace a Security Token Service (STS) certificate for an on-premises farm in SharePoint Server 2013.

This article describes how to replace the SharePoint security token service (STS) certificate in a SharePoint Server farm.

When SharePoint Server is installed, the Security Token Service (STS) of the on-premises SharePoint Server farm creates a default certificate to validate incoming tokens. When a trust relationship is needed between two SharePoint Server farms, or when a farm is configured to participate in a hybrid environment, you must use a common STS certificate between the trust members.

If you haven’t already done this, you have to either buy or create a new STS certificate. For production environments, we recommend that you buy a new STS certificate from a public Certificate Authority (CA). This gives you the highest level of certificate security, and reduces the possibility that a self-signed certificate will have integration issues with other applications and services. You can use a self-signed certificate for test or pilot environments.

Important:
Public certificates usually expire after 1 year, so plan certificate renewals in advance to avoid service interruptions. The certificate must use a key of at least 2048 bits. If a certificate is purchased from a CA and you’re using it in a SharePoint hybrid environment, it must be trusted by Azure AD, which is the directory service used by Office 365. The good news is that most public root CAs are trusted by Azure AD.

When replacing the STS certificate on the SharePoint Server 2013 farm, you’ll have to know the following information about the new STS certificate.

  • File name of the certificate (*.cer file) and the location where it’s stored.

  • File name of the certificate (*.pfx file) and the location where it’s stored.

  • STS certificate’s friendly name.

  • Password of the certificate.

If you’re configuring a SharePoint hybrid environment, and you’ve already purchased a certificate from a CA or created a self-signed certificate, then these variables should be listed in Table 4a of the worksheet.

The last procedure in this article, which is done in PowerShell, restarts Internet Information Services (IIS) and the SharePoint Timer (SPTimerV4) service. This will interrupt the service of your SharePoint Server farm.

Caution:
Because the procedures are run on each front-end web and application server in the farm, plan to run them during a maintenance window.

In a hybrid SharePoint Server environment, the Azure Active Directory (Azure AD) service acts as a trusted token signing service for SharePoint Server and uses the STS certificate as its signing certificate. However, Azure AD, which is the directory service for Office 365, can’t use the default STS certificate as a signing certificate because the default certificate’s trust chain is not supported by Azure AD.

Therefore, you must replace the default STS certificate on each front-end web and application server in the SharePoint Server farm with either a certificate that’s issued by a public certification authority (CA) or with a self-signed certificate.

Important:
This certificate must use a key of at least 2048 bits. If a certificate is purchased from a CA, it must be trusted by Azure AD. The good news is that most public root CAs are trusted by Azure AD.

If you purchased your certificate from a CA or have already created a self-signed certificate, then go to Replace the STS certificate. Otherwise, you can use the following procedures to create a self-signed certificate.

In this step, you’ll create a new self-signed SSL certificate to use as your STS certificate. You'll create the new certificate in two file formats:

  • .pfx, which contains the private key.

  • .cer, which does not contain the private key.

You’ll use IIS Manager when you do this, as illustrated by the following figure.

[Figure: IIS Manager, showing where to click to create a self-signed certificate]

To generate a self-signed certificate as a Personal Information Exchange (.pfx) file and then export it as a .cer file, use the IIS snap-in to follow these steps:

Create the self-signed certificate as a .pfx file
  1. On a web server in your SharePoint Server farm, click Start -> Administrative Tools -> Internet Information Services (IIS) Manager.

  2. Click on the name of your server.

  3. In the details pane, double-click Server Certificates under IIS.

  4. In the Actions pane, click Create Self-Signed Certificate.

  5. On the Specify Friendly Name page, specify a friendly name for the certificate, and then click OK.

    If you’re configuring a SharePoint hybrid environment, record the certificate’s friendly name in the STS Certificate Friendly Name row of Table 4a of the worksheet.

  6. In the details pane, right-click the new certificate, and then click Export.

  7. In Export Certificate, specify a path and name to store the .pfx file for the certificate in Export to, and a password for the certificate file in Password and Confirm password. This creates a .pfx file that contains the private key.

    If you’re configuring a SharePoint hybrid environment, do the following:

    • Record the location and filename of this certificate in the STS Certificate path\filename (*.pfx file) row of Table 4a of the worksheet.

    • Record the password in the STS Certificate Password row of Table 4a of the worksheet.

  8. Click Finish, and then click OK twice.

Export the self-signed certificate as a .cer file
  1. On the same server, click Start -> Administrative Tools -> Internet Information Services (IIS) Manager.

  2. Click on the name of your server.

  3. In the details pane, double-click Server Certificates (under IIS).

  4. Right-click the new certificate you created in the last step, and then click View.

    If you’re configuring a SharePoint hybrid environment, the certificate’s friendly name is in the STS Certificate Friendly Name row of Table 4a of the worksheet.

  5. On the Details tab, click Copy to File.

  6. Click Next on the wizard.

  7. On the Export Private Key page, ensure that No, do not export the private key is selected and then click Next.

  8. On the Export File Format page, choose DER encoded binary X.509 (.CER), and then click Next.

  9. On the Export Certificate page, type a path and file name for the .cer file, and then click Next.

    If you’re configuring a SharePoint hybrid environment, record the path and filename of this certificate in the STS Certificate path\filename (*.cer file) row of Table 4a of the worksheet.

  10. Click Finish, and then click OK twice.

To replace the STS certificate on each server in the SharePoint Server 2013 farm, you have to complete the following two procedures in the order shown:

  • Replace the STS certificate in the certificate store.

  • Update the settings of the SharePoint security token service (STS) identity provider.

To replace the STS certificate in the Windows certificate store, follow these steps on each server in the SharePoint Server 2013 farm.

To replace the STS certificate in the certificate store
  1. Verify that the user account running this procedure is a member of the Farm Administrators group.

  2. Click Start > Run.

  3. Type mmc, and then press ENTER. If a User Account Control dialog box is displayed, click Yes.

  4. Go to File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Finish, and then click OK.

  5. Click the plus sign to expand Certificates, right-click Trusted Root Certification Authorities > All Tasks > Import.

  6. Click Next. The Welcome to the Certificate Import Wizard dialog box is displayed.

  7. Click Browse. Select the *.cer file name you want to import, click Open, and then click Next.

  8. Under Certificate Store, click Place all certificates in the following store, make sure Trusted Root Certification Authorities is chosen (as shown in the following picture) and then click Next.

    [Figure: the Certificate Import Wizard with Trusted Root Certification Authorities selected as the certificate store]

  9. Click Finish.

  10. Repeat steps 1 through 9 on the other front-end web and application servers in the SharePoint Server farm.

In this procedure, you will update the settings of the STS service.

Caution:
Do this procedure during a maintenance window: after replacing the STS certificate on each farm server, you must restart IIS and the SharePoint Timer service, which interrupts service on your SharePoint Server 2013 farm.

To replace an STS certificate by using SharePoint 2013 Management Shell
  1. Log on to a server in your SharePoint Server farm.

  2. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  3. Start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • On the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  4. Collect the following values, which are specific to your organization, and paste them into a text editor such as Notepad. You will substitute them into the commands in the next step.

    • <path to replacement certificate (.pfx file)>
      e.g. c:\certificates\NewSTScert.pfx

    • <path to replacement certificate (.cer file)>
      e.g. c:\certificates\NewSTScert.cer

    • <certificate password>

    If you’re configuring a SharePoint hybrid environment, the following variables are listed in these rows of Table 4a of the worksheet:

    • STS Certificate path\filename (*.pfx file)

    • STS Certificate Password

  5. At the Windows PowerShell command prompt, paste the following commands:

    $pfxPath = "<path to replacement certificate (.pfx file)>"
    $pfxPass = "<certificate password>"
    $cerPath = "<path to replacement certificate (.cer file)>"
    # 20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16): the private key stays exportable and is persisted on this server
    $stsCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pfxPath, $pfxPass, 20
    Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCertificate
    # certutil takes a certificate file, not the X509Certificate2 object, so add the exported .cer (public key only) to the enterprise root store
    certutil -addstore -enterprise -f -v root $cerPath
    iisreset
    net stop SPTimerV4
    net start SPTimerV4

    Note:
    These commands will not display any output if they are successful.
  6. To validate this step, on each server in the farm, at the Windows PowerShell command prompt type:

    $stsCertificate | fl

    In the output on the screen, confirm that the certificate has the new friendly name.

    If you’re configuring a SharePoint hybrid environment, the friendly name of this certificate should be listed in the STS Certificate Friendly Name row of Table 4a of the worksheet.

  7. Repeat steps 1 through 6 on each remaining front-end web and application server in the SharePoint Server 2013 farm.
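The replacement procedure as one script with the checks that the article’s requirements imply, an added example that is not part of the original article: it refuses to import a key shorter than 2048 bits, a .pfx without a private key, a certificate about to expire, or a .cer file that is not the public half of the .pfx, and it verifies the result by reading the signing certificate back from the farm configuration rather than from the local variable. The file paths are placeholders, the password is prompted for instead of stored in the script, and the script assumes the SharePoint PowerShell snap-in and certutil are available on the server.

```powershell
# Added example, not from the original article: validate the replacement STS
# certificate before importing it, import it, then confirm the farm's STS now
# signs with it. File paths below are placeholders; on a hybrid deployment they
# come from Table 4a of the worksheet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pfxPath = "C:\certificates\NewSTScert.pfx"   # placeholder: .pfx with private key
$cerPath = "C:\certificates\NewSTScert.cer"   # placeholder: exported public .cer
# Prompt for the password rather than leaving it in the script or shell history
$pfxPass = Read-Host -AsSecureString -Prompt "Password for $pfxPath"

# Exportable + PersistKeySet (value 20) are the flags the article's command uses
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] "Exportable, PersistKeySet"
$stsCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass, $flags)
$publicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

# Pre-flight checks drawn from the article's requirements
$problems = @()
if (-not $stsCertificate.HasPrivateKey) {
    $problems += "the .pfx does not contain a private key"
}
$keySize = $stsCertificate.PublicKey.Key.KeySize
if ($keySize -lt 2048) {
    $problems += "key is $keySize bits; at least 2048 bits is required"
}
if ($stsCertificate.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "certificate expires $($stsCertificate.NotAfter); renew before replacing"
}
if ($publicCert.Thumbprint -ne $stsCertificate.Thumbprint) {
    $problems += "the .cer file is not the public half of this .pfx; do not trust it"
}
if ($problems.Count -gt 0) {
    throw ("Refusing to replace the STS certificate:`n - " + ($problems -join "`n - "))
}

# Replace the signing certificate and trust its public part in the enterprise root store
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCertificate
certutil -addstore -enterprise -f root $cerPath | Out-Null

# The restart interrupts service; run this inside the maintenance window
iisreset | Out-Null
net stop SPTimerV4 | Out-Null
net start SPTimerV4 | Out-Null

# Verify against the farm configuration, not the local variable
$active = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
if ($active.Thumbprint -ne $stsCertificate.Thumbprint) {
    throw "STS still signs with thumbprint $($active.Thumbprint); expected $($stsCertificate.Thumbprint)"
}
"STS now signs with '$($active.FriendlyName)' ($($active.Thumbprint)), valid until $($active.NotAfter)"
```

Run it in an elevated SharePoint 2013 Management Shell on each front-end web and application server; the final line is the value to compare across servers, since every server must report the same thumbprint.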

For more information about how to replace the STS certificate in a SharePoint Server 2013 farm, see Configure the security token service (http://go.microsoft.com/fwlink/?LinkId=392352).

If you aren’t configuring a SharePoint hybrid environment, then you’re done. Otherwise, you need to also upload the STS certificate to the Office 365 tenant.
