Replace the STS certificate for the on-premises environment
Applies to: SharePoint Server 2013
Topic Last Modified: 2014-01-08
Summary: Learn how to replace a Security Token Service (STS) certificate for an on-premises farm in SharePoint Server 2013.
When SharePoint Server is installed, the Security Token Service (STS) of the on-premises SharePoint Server farm creates a default certificate to validate incoming tokens. When a trust relationship is needed between two SharePoint Server farms, or when a farm is configured to participate in a hybrid environment, you must use a common STS certificate between the trust members.
This article describes how to replace the STS certificate in a SharePoint Server farm.
In a hybrid SharePoint Server environment, Windows Azure Active Directory (AD) service acts as a trusted token signing service for SharePoint Server, and uses the STS certificate as the signing certificate. However, Windows Azure AD cannot use the default STS certificate as a signing certificate because the trust chain of the default certificate is not supported by Windows Azure AD.
Therefore, in a hybrid environment, you must replace the default STS certificate on each farm server with either a certificate issued by a public certification authority (CA) that is trusted by Windows Azure AD or a self-signed certificate. In either case the certificate key must be at least 2048 bits.
Note: Public certificates typically expire at 1-year intervals. Therefore, it is important to plan in advance for certificate renewals to avoid service interruptions.
To replace the STS certificate on each server in the SharePoint Server 2013 farm, follow these steps:
To replace the STS certificate
Verify that the user account running this procedure is a member of the Farm Administrators group.
Click Start > Run.
Type mmc, and then press ENTER. If a User Account Control dialog box is displayed, click Yes.
Go to File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Finish, and then click OK.
Click the plus sign to expand Certificates, right-click Trusted Root Certification Authorities > All Tasks > Import.
Click Next. The Welcome to the Certificate Import Wizard dialog box is displayed.
Click Browse. Select the *.cer file name you want to import, click Open, and then click Next.
Under Certificate Store, click Place all certificates in the following store, make sure Trusted Root Certification Authorities is chosen, and then click Next.
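The following PowerShell script is an added example and is not part of the original article or of any Microsoft-supplied tooling. It does two things the article asks for: it checks a candidate STS certificate file against the stated requirements (an RSA key of at least 2048 bits, and a validity window that has not expired, with a warning when renewal is close) and, if the checks pass, imports the file into the computer's Trusted Root Certification Authorities store, which is the same store the MMC wizard steps above target. The file path and the 60-day renewal warning threshold are assumptions for illustration; run it in an elevated Windows PowerShell session on the farm server.

```powershell
# Added example, not from the original article: validate a candidate STS
# certificate (.cer) against the article's requirements and import it into
# LocalMachine\Root (Trusted Root Certification Authorities).
# $CerPath and $RenewalWarningDays are assumed values for illustration.
param(
    [string]$CerPath = 'C:\Certs\SharePointSTS.cer',   # assumed path
    [int]$MinKeyBits = 2048,                            # article requirement
    [int]$RenewalWarningDays = 60                       # assumed threshold
)

$ErrorActionPreference = 'Stop'

# Load the certificate from the file without touching any store yet.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)

# Key length check: the article requires at least 2048 bits.
$keyBits = $cert.PublicKey.Key.KeySize
if ($keyBits -lt $MinKeyBits) {
    throw "Certificate key is $keyBits bits; at least $MinKeyBits bits are required."
}

# Validity window check: refuse a certificate that is expired or not yet valid,
# and warn ahead of renewal so the expiry does not cause a service interruption.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid at $now (valid from $($cert.NotBefore) to $($cert.NotAfter))."
}
$daysLeft = [int]($cert.NotAfter - $now).TotalDays
if ($daysLeft -le $RenewalWarningDays) {
    Write-Warning "Certificate expires in $daysLeft days; schedule the renewal now."
}

Write-Host "Subject   : $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Key size  : $keyBits bits"
Write-Host "Expires   : $($cert.NotAfter) ($daysLeft days left)"

# Import into Trusted Root Certification Authorities, the store chosen in the
# MMC wizard above. Skip the import if the same thumbprint is already present.
$existing = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    Write-Host "Certificate already present in LocalMachine\Root; nothing to import."
} else {
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported into LocalMachine\Root."
}
```

Import-Certificate comes from the PKI module that ships with Windows Server 2012 and later; on an older server the equivalent import is `certutil -addstore Root <file>.cer`. Because the checks run before the import, a certificate with a short key or an expired validity period is rejected on each farm server before it can be trusted, which is the point at which the mistake is cheapest to catch.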