SecureAuth IdP Version Affected: All
Description:
The signing certificate used for Office 365 federation is configured in two places: on the O365 realms in the SecureAuth IdP and in the Office 365 federation settings for the domain. Both sides must agree on the certificate, so replacing it the naive way (swap it on the IdP, then update Office 365) leaves a window in which tokens are rejected. This article describes how to replace the certificate with minimal or no downtime.
Cause:
Office 365 can trust an old and a new signing certificate at the same time: the Set-MsolDomainFederationSettings cmdlet accepts a NextSigningCertificate parameter in addition to the current SigningCertificate. Staging the new certificate there before the existing one expires means the IdP can be switched over at any convenient moment without a matching change on the Office 365 side, keeping downtime to a minimum. Note that Microsoft has since deprecated the MSOnline module these cmdlets belong to; check Microsoft's current guidance for the Microsoft Graph equivalent before relying on them.
Resolution:
1. On the IdP, open an elevated PowerShell prompt.
2. Run the following, replacing the value of $CertToFind with the serial number or thumbprint of the NEW signing certificate (which must already be installed, with its private key, in the Local Machine\Personal store):
# Serial number or thumbprint of the new signing certificate (replace with your own)
$CertToFind = '0086FF183C146A803C'
# Look the certificate up in Local Machine\Personal by thumbprint or serial number
$Cert = gci cert:\localmachine\my | ?{$_.thumbprint -eq $CertToFind -or $_.serialnumber -eq $CertToFind}
# Display its details so the match can be checked in the next step
$Cert | fl Subject,Issuer,FriendlyName,NotBefore,NotAfter,ThumbPrint,SerialNumber
# Base64-encode the public certificate only; GetRawCertData never includes the private key, and the public part is all Office 365 needs
$O365Cert = [system.convert]::ToBase64String($Cert.GetRawCertData()); $O365Cert
# Save it so it can be copied to the machine that has the MSOL module
$O365Cert | Out-File -FilePath .\O365Cert.txt -Force
3. Check the output to make sure it found exactly one certificate and that it is the correct one (subject, issuer, validity dates, thumbprint). If it did, proceed; otherwise check the serial number or thumbprint and try again.
4. If the Microsoft Online Services Module for Windows PowerShell is installed on the IdP skip to step 7. Otherwise continue to the next step.
5. Copy the O365Cert.txt file to the machine where Microsoft Online Services Module for Windows PowerShell is installed.
6. Now on the machine where the MSOL module is installed, open PowerShell and CD to the directory where the O365Cert.txt file is located
7. Run this:
$O365Cert = Get-Content -Path .\O365Cert.txt
8. Now run the following command in PowerShell, replacing domainname.com with the correct O365 domain name to be updated:
Connect-MsolService
Set-MsolDomainFederationSettings -DomainName domainname.com -NextSigningCertificate $O365Cert
9. Verify that the new settings have taken effect by running:
Get-MsolDomainFederationSettings -DomainName domainname.com
10. Office 365 will now accept tokens signed with either the old or the new signing certificate. The old certificate and its private key remain trusted until it expires or the federation settings are changed again, so keep the old key protected until the rollover is complete and the old certificate has been retired.
11. Before the old signing certificate expires, and when ready, change the signing certificate on the Post Authentication tab of each affected O365 realm on the IdP to the new certificate.
12. Test a federated Office 365 login through the IdP to confirm that the new signing certificate works. If an error is received, perform an IISRESET on the IdP and test again.
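The steps above as one script, added here as an example and not part of the SecureAuth article or its product. It performs the same rollover but adds the checks a practitioner would want before touching federation settings: exactly one matching certificate, a private key present, validity dates, a comparison against what Office 365 currently trusts, and a read-back after the change. It assumes it is run on the IdP as an administrator with the MSOnline module installed; the -NewCertId and -DomainName values are placeholders you must replace, and the -Commit switch is this script's own convention (without it nothing in Office 365 is changed).

```powershell
<#
  Added example, not from the SecureAuth article: O365 signing certificate rollover with checks.
  Assumptions: run on the IdP as an administrator; MSOnline module installed; -NewCertId and
  -DomainName are placeholders; -Commit is this script's own dry-run convention.
#>
param(
    [Parameter(Mandatory = $true)] [string] $NewCertId,   # thumbprint or serial number of the NEW cert
    [Parameter(Mandatory = $true)] [string] $DomainName,  # federated O365 domain, e.g. domainname.com
    [switch] $Commit                                      # without -Commit nothing is changed in O365
)

$ErrorActionPreference = 'Stop'
Import-Module MSOnline

# 1. Exactly one certificate must match. A serial number is only unique per issuer,
#    so a thumbprint is the safer identifier to pass in.
$found = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $NewCertId -or $_.SerialNumber -eq $NewCertId })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate matching '$NewCertId' in Cert:\LocalMachine\My, found $($found.Count)."
}
$NewCert = $found[0]

# 2. The IdP must be able to sign with it, and it must be valid right now.
if (-not $NewCert.HasPrivateKey) {
    throw "Certificate $($NewCert.Thumbprint) has no private key; the IdP cannot sign with it."
}
$now = Get-Date
if ($NewCert.NotBefore -gt $now -or $NewCert.NotAfter -le $now) {
    throw "Certificate $($NewCert.Thumbprint) is not currently valid ($($NewCert.NotBefore) to $($NewCert.NotAfter))."
}

# Office 365 only needs the public certificate; GetRawCertData never includes the private key.
$NewB64 = [Convert]::ToBase64String($NewCert.GetRawCertData())

# Helper: turn the base64 strings returned by Get-MsolDomainFederationSettings back into certificates.
# The leading comma keeps the byte[] as a single constructor argument.
function ConvertFrom-Base64Cert([string] $b64) {
    if ([string]::IsNullOrEmpty($b64)) { return $null }
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[Convert]::FromBase64String($b64))
}

# 3. Compare with what O365 currently trusts for this domain.
Connect-MsolService
$fed     = Get-MsolDomainFederationSettings -DomainName $DomainName
$current = ConvertFrom-Base64Cert $fed.SigningCertificate
$next    = ConvertFrom-Base64Cert $fed.NextSigningCertificate

if ($current) {
    Write-Host ("Current O365 signing cert: {0}, expires {1}" -f $current.Thumbprint, $current.NotAfter)
    if ($current.Thumbprint -eq $NewCert.Thumbprint) {
        throw "O365 already uses $($NewCert.Thumbprint) as its primary signing certificate; nothing to stage."
    }
}
if ($next -and $next.Thumbprint -eq $NewCert.Thumbprint) {
    Write-Host "NextSigningCertificate on $DomainName is already $($NewCert.Thumbprint); nothing to do."
    return
}

# 4. Stage the new certificate so O365 trusts both, then read the settings back and verify.
if (-not $Commit) {
    Write-Host "Dry run: would set NextSigningCertificate on $DomainName to $($NewCert.Thumbprint). Re-run with -Commit."
    return
}
Set-MsolDomainFederationSettings -DomainName $DomainName -NextSigningCertificate $NewB64
$after = ConvertFrom-Base64Cert (Get-MsolDomainFederationSettings -DomainName $DomainName).NextSigningCertificate
if (-not $after -or $after.Thumbprint -ne $NewCert.Thumbprint) {
    throw "Verification failed: NextSigningCertificate on $DomainName does not match $($NewCert.Thumbprint)."
}
Write-Host "Staged. O365 now accepts tokens signed by $($NewCert.Thumbprint) as well as the current certificate."
Write-Host "Switch the signing certificate on the O365 realms in the IdP before $($current.NotAfter), then test a federated login."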
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.