Updating a Microsoft Federation Gateway Support Certificate

Updated: February 15, 2011

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

You can update the token decryption certificate or the Microsoft Federation Gateway certificate, as needed. Because the token decryption certificate is the SSL certificate for the Active Directory Rights Management Services (AD RMS) cluster, you must update the token decryption certificate if the cluster SSL certificate expires. After you update the token decryption certificate, you must grant the AD RMS Services group permission to access the certificate on all servers in the AD RMS cluster.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  1. Do one of the following:

    • To update the token decryption certificate using the default AD RMS cluster certificate, at the Windows PowerShell command prompt, type:

      Update-RmsMfgEnrollment -TokenCert

    • To update the token decryption certificate by using a different certificate, at the Windows PowerShell command prompt, type:

      Update-RmsMfgEnrollment -TokenCert -CertificateThumbprint <thumbprint>

      where <thumbprint> is a string containing the thumbprint hash of the certificate being used to enroll with the Microsoft Federation Gateway.

    Important
    If you use a certificate that contains a subject alternate name (SAN), the last entry in the SAN list must be the fully qualified domain name of the domain you want to enroll with the Microsoft Federation Gateway.

  2. On all servers in the AD RMS cluster, perform the task described in Granting the AD RMS Service Group Permission to the SSL Certificate.
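A pre-flight check for the SAN ordering rule in the Important note above, as an added example that is not part of the original page or of the AD RMS tooling. The function name `Test-MfgTokenCertificate`, the `Cert:\LocalMachine\My` store location, the sample FQDN and the English-locale `DNS Name=` label are assumptions.

```powershell
# Added example (not from the original page). Written to run on Windows PowerShell 2.0.
# Assumptions: certificate is in Cert:\LocalMachine\My; OS formats SAN entries as "DNS Name=<host>".
function Test-MfgTokenCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$EnrollFqdn
    )
    # Thumbprints pasted from the certificate dialog often carry spaces or
    # invisible characters, so keep hex digits only before looking it up.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "No certificate with thumbprint '$tp' in LocalMachine\My" }

    # Subject alternative name extension (OID 2.5.29.17); Format($true) yields one entry per line.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $entries = @()
    if ($sanExt) {
        $entries = @($sanExt.Format($true) -split "`r?`n" |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne '' })
    }
    $last = $null
    if ($entries.Count -gt 0) { $last = $entries[-1] }

    New-Object PSObject -Property @{
        Thumbprint    = $tp
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        HasPrivateKey = $cert.HasPrivateKey
        SanEntries    = $entries
        LastSanEntry  = $last
        # The ordering rule only applies when the certificate carries a SAN.
        SanOrderOk    = (-not $sanExt) -or ($last -eq "DNS Name=$EnrollFqdn")
    }
}

# '<thumbprint>' is the page's placeholder; 'rms.contoso.example' is a constructed sample FQDN.
$check = Test-MfgTokenCertificate -Thumbprint '<thumbprint>' -EnrollFqdn 'rms.contoso.example'
$check | Format-List
if ($check.Expired -or -not $check.HasPrivateKey -or -not $check.SanOrderOk) {
    Write-Warning 'Certificate is not suitable for Update-RmsMfgEnrollment -TokenCert as checked here.'
}
```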

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  • At the Windows PowerShell command prompt, type:

    Update-RmsMfgEnrollment -SigningCert
