Updating a Microsoft Federation Gateway Support Certificate

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

You can update the token decryption certificate or the Microsoft Federation Gateway certificate, as needed. Because the token decryption certificate is the SSL certificate of the Active Directory Rights Management Services (AD RMS) cluster, you must update the token decryption certificate whenever the cluster SSL certificate is replaced, for example because it has expired or is about to expire. After you update the token decryption certificate, you must grant the AD RMS Service Group permission to read the private key of the certificate on every server in the AD RMS cluster; the enrollment itself is a cluster-wide setting, but the private key permission is set per server.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To update the token decryption certificate

  1. Do one of the following:

    • To update the token decryption certificate using the default AD RMS cluster certificate, at the Windows PowerShell command prompt, type:

      Update-RmsMfgEnrollment -TokenCert

    • To update the token decryption certificate by using a different certificate, at the Windows PowerShell command prompt, type:

      Update-RmsMfgEnrollment -TokenCert -CertificateThumbprint <thumbprint>

      where <thumbprint> is a string containing the thumbprint (the SHA-1 hash shown on the Details tab of the certificate) of the certificate being used to enroll with the Microsoft Federation Gateway. The certificate, together with its private key, must be present in the Personal store of the local computer on every server in the cluster.

Important

If you use a certificate that contains a subject alternative name (SAN) extension, the last entry in the SAN list must be the fully qualified domain name (FQDN) of the domain you want to enroll with the Microsoft Federation Gateway. Check the SAN order before you run the cmdlet; a certificate that lists the cluster FQDN in an earlier position does not satisfy this requirement.

  2. On all servers in the AD RMS cluster, perform the task described in Granting the AD RMS Service Group Permission to the SSL Certificate.
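The following script is an added example, not part of the original page and not Microsoft's own procedure. It carries the two steps above through in one run: it selects the cluster SSL certificate from the local computer's Personal store, enforces the SAN ordering rule from the Important note, re-enrolls the token decryption certificate by thumbprint, and then grants the AD RMS Service Group read access to the private key file on each cluster node. It assumes that the AdRmsAdmin provider drive is already mounted and is the current location (as the cmdlet usage on this page assumes), that the certificate uses an RSA CSP key (the only kind Windows Server 2008 R2 exposes through $cert.PrivateKey), that PowerShell remoting is enabled on the nodes, and that the FQDN and node names are placeholders to be replaced.

```powershell
# Added example: update the token decryption certificate and grant key access.
# Placeholder values (assumptions), replace with the cluster's real names:
$ClusterFqdn  = 'rms.contoso.com'
$ClusterNodes = 'rms01.contoso.com', 'rms02.contoso.com'
$ServiceGroup = 'AD RMS Service Group'   # local group created by AD RMS setup

# 1. Select the cluster SSL certificate from LocalMachine\My: it must carry a
#    private key and match the cluster name; the latest expiry wins so that a
#    renewed certificate is preferred over the one that is expiring.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match [regex]::Escape($ClusterFqdn) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $ClusterFqdn in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has already expired" }

# 2. Enforce the SAN rule: if the certificate has a Subject Alternative Name
#    extension (OID 2.5.29.17), its last DNS entry must be the enrolled FQDN.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($false) returns e.g. "DNS Name=mail.contoso.com, DNS Name=rms.contoso.com"
    $dnsNames = @($san.Format($false) -split ',\s*' |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    $last = $dnsNames[-1]
    if ($last -ne $ClusterFqdn) {
        throw "Last SAN DNS entry is '$last'; it must be '$ClusterFqdn' for Microsoft Federation Gateway enrollment"
    }
}

# 3. Re-enroll the token decryption certificate with the selected thumbprint
#    (same cmdlet form as the procedure above; the AdRmsAdmin drive is the
#    current location).
Update-RmsMfgEnrollment -TokenCert -CertificateThumbprint $cert.Thumbprint

# 4. On every node, grant the AD RMS Service Group Read on the private key.
#    For a CSP key the key file is stored under the MachineKeys folder and is
#    named after the unique key container, so the ACL must be set per server.
$grant = {
    param($thumbprint, $group)
    $c = Get-Item "Cert:\LocalMachine\My\$thumbprint"
    if (-not $c.PrivateKey) { throw "$($env:COMPUTERNAME): private key for $thumbprint not accessible (missing or not a CSP key)" }
    $keyName = $c.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    $acl  = Get-Acl $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($group, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    "$($env:COMPUTERNAME): granted '$group' Read on key container $keyName"
}
Invoke-Command -ComputerName $ClusterNodes -ScriptBlock $grant -ArgumentList $cert.Thumbprint, $ServiceGroup
```

Read access to the key file is all the service group needs; granting Full Control to the key would let the AD RMS service account re-key or delete the cluster's SSL key and is not required. If remoting is not available, run the contents of the $grant script block locally on each node instead, passing the same thumbprint, and confirm afterwards that the AD RMS web services on every node still start, which fails if any node was missed.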

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To update the Microsoft Federation Gateway certificate

  • At the Windows PowerShell command prompt, type:

    Update-RmsMfgEnrollment -SigningCert

See Also

Concepts

Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
Configuring Microsoft Federation Gateway Support
Enrolling with the Microsoft Federation Gateway

Other Resources

Understanding AD RMS Trust Policies
Understanding the Microsoft Federation Gateway