Updating the X.509 Certificate of a Trusted Identity Provider in SharePoint 2010/2013
Many times I have been asked by customers how to update an X.509 certificate bundled with a Trusted Identity Provider. It is a common request, and a common need, because certificates expire on a schedule.
Here is a sample PowerShell excerpt that updates the certificate of a trusted IP:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Load the new public certificate (.cer, public key only) from disk
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certificates\IPSTS.cer")
# Make the farm trust the new certificate before it is used for token signing
New-SPTrustedRootAuthority -Name "IPSTS Certificate for 2013" -Certificate $cert
# Replace the signing certificate on the existing trusted identity token issuer
Set-SPTrustedIdentityTokenIssuer -Identity "IPSTS" -ImportTrustCertificate $cert
This assumes that the X.509 certificate is saved at C:\Certificates\IPSTS.cer and that the trusted IP is named "IPSTS" in SharePoint.
For reference, to register the trusted IP for the first time, use the following PowerShell script:
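The same update, as an added example that is not part of the original post, with the checks I would want around it: an expiry report for every trusted IP in the farm, a sanity check on the replacement .cer, and a read-back of the issuer to confirm the new thumbprint really took. It assumes the same path and issuer name as above; the root authority name and the 30-day warning threshold are my own choices.

```powershell
# Added example (not the original post's code). Assumed values: path, issuer
# name, root authority name and warning threshold.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath    = "C:\Certificates\IPSTS.cer"
$issuerName  = "IPSTS"
$rootName    = "IPSTS Certificate (renewed $((Get-Date).Year))"  # must not collide with an existing root authority name
$daysWarning = 30

# 1. Inventory: which trusted IPs have a signing certificate close to, or past, expiry?
Get-SPTrustedIdentityTokenIssuer | ForEach-Object {
    $signing  = $_.SigningCertificate
    $daysLeft = [int]($signing.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { "EXPIRED" } elseif ($daysLeft -le $daysWarning) { "EXPIRING" } else { "ok" }
    "{0,-20} {1} {2,5} days  {3}" -f $_.Name, $signing.Thumbprint, $daysLeft, $state
}

# 2. Sanity-check the replacement before touching the farm.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($newCert.NotAfter -lt (Get-Date)) { throw "Replacement certificate already expired on $($newCert.NotAfter)" }
if ($newCert.HasPrivateKey) { throw "A trusted IP certificate must carry the public key only" }

$issuer   = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$oldThumb = $issuer.SigningCertificate.Thumbprint
if ($oldThumb -eq $newCert.Thumbprint) { Write-Host "Certificate already current; nothing to do"; return }

# 3. Register the new root authority only if this thumbprint is not trusted yet.
$known = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $newCert.Thumbprint }
if (-not $known) { New-SPTrustedRootAuthority -Name $rootName -Certificate $newCert | Out-Null }

# 4. Swap the signing certificate on the trusted IP.
Set-SPTrustedIdentityTokenIssuer -Identity $issuerName -ImportTrustCertificate $newCert

# 5. Verify by re-reading the issuer from the configuration database.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($issuer.SigningCertificate.Thumbprint -ne $newCert.Thumbprint) {
    throw "Signing certificate was not updated (still $oldThumb)"
}
Write-Host "Updated $issuerName from $oldThumb to $($newCert.Thumbprint)"
```

The old certificate stays registered as a trusted root authority; remove it with Remove-SPTrustedRootAuthority once you have confirmed sign-in works with the new one.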
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Load the identity provider's public signing certificate and trust it farm-wide
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certificates\IPSTS.cer")
New-SPTrustedRootAuthority -Name "IPSTS Certificate for 2013" -Certificate $cert
# Map the incoming claims SharePoint should accept from the IP; e-mail is used as the identifier claim
$map0 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
# Realm the IP issues tokens for, and the URL users are redirected to for sign-in
$realm = "http://www.company.com/_trust/default.aspx"
$signinurl = "https://www.ipsts.demo/Identity/Issue.aspx"
$ip = New-SPTrustedIdentityTokenIssuer -Name "IPSTS" -Description "IPSTS" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map0,$map1 -SignInUrl $signinurl -IdentifierClaim $map0.InputClaimType
To remove the trusted IP, use:
Remove-SPTrustedIdentityTokenIssuer -Identity "IPSTS"