Updating the Token Decryption Certificate

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1

You can update the token decryption certificate as needed. Because the token decryption certificate is the SSL certificate of the Active Directory Rights Management Services (AD RMS) cluster, you must update the token decryption certificate whenever you change the cluster SSL certificate, for example, before it expires. After you update the token decryption certificate, you must grant the AD RMS Services group permission to access the certificate on all servers in the AD RMS cluster.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To update the token decryption certificate

  1. Log on to a server in the AD RMS cluster.

  2. Open the Active Directory Rights Management Services snap-in and expand the AD RMS cluster.

  3. Expand Trust Policies, and then click Microsoft Federation Gateway Support.

  4. In the pane, click Configure Microsoft Federation Gateway settings.

  5. In the Enroll Cluster with Microsoft Federation Gateway wizard, click Update Microsoft Federation Gateway Settings, select Update Token Decryption Certificate, and then click Browse.

  6. In the Select Certificate dialog box, select the SSL certificate of the AD RMS cluster, and then click Select. For information about which certificate to select, see Important considerations for installing AD RMS Microsoft Federation Gateway Support.

  7. Click Next, and then click Finish.

  8. On all servers in the AD RMS cluster, do the following.

    1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

    2. In the console tree, expand Trust Policies, and then click Microsoft Federation Gateway Support.

    3. In the Actions pane, click Grant permissions to token decryption certificate on this server.

Note

If this link is not present in the Actions pane, the necessary permission has already been granted on this server.
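The following PowerShell function is an added example for checking the result of step 8 on a single cluster server; it is not part of this page or of the AD RMS product. It assumes the token decryption certificate is identified by its thumbprint, is stored in LocalMachine\My with a CAPI (CSP) private key, and that the local service group is named "AD RMS Service Group" (a hypothetical default; pass -GroupName if your cluster uses a different name).

```powershell
# Added example (not from the TechNet page): verify on this AD RMS server that the
# certificate used as the token decryption certificate has a private key that the
# AD RMS service group is allowed to read. Assumed group name and thumbprint below.
function Test-AdRmsTokenDecryptionKeyAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$GroupName = 'AD RMS Service Group'   # assumption: local group created by AD RMS setup
    )

    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key on this server." }
    if (-not $cert.PrivateKey) {
        throw "Private key is not a CAPI (CSP) key; inspect the CNG key store under Crypto\Keys instead."
    }

    # Locate the on-disk key container. CAPI RSA machine keys are files under
    # MachineKeys, named by the CSP's unique key container name.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

    # The console's "Grant permissions" action adds a read ACE for the service group;
    # look for an Allow ACE on the key file that covers the full Read right.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $acl = Get-Acl -Path $keyFile
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$GroupName" -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DaysToExpiry  = [int]($cert.NotAfter - (Get-Date)).TotalDays
        KeyFile       = $keyFile
        GroupHasRead  = [bool]$ace
    }
}

# Usage on each server in the cluster (replace the placeholder with the real thumbprint):
# Test-AdRmsTokenDecryptionKeyAccess -Thumbprint '<cluster-ssl-certificate-thumbprint>'
```

A result with GroupHasRead equal to False means the "Grant permissions to token decryption certificate on this server" action from step 8 still needs to be run on that server; DaysToExpiry shows how soon the whole procedure will have to be repeated.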

Additional references