How to replace the O365 signing certificate

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version Affected:  All



    The O365 signing certificate is set on O365 realms and within O365 itself.  This article describes how to replace the certificate with minimal or no downtime. 



    Office365 has a feature that allows it to trust both an old and new signing certificate simultaneously by using the Set-MsolDomainFederationSettings cmdlet with the NextSigningCertificate parameter.  Using this feature allows downtime to be kept to a minimum when the existing certificate expires.



    1. On the IdP open the Certificates MMC and import the new certificate into the same certificate store as the original, then set the private key permissions to match the original certificate:
    2. Open Powershell on the IdP and run these commands, replacing 0086FF183C146A803C with either the serial number or thumbprint of the new certificate:
    $CertToFind = '0086FF183C146A803C'
    $Cert = gci cert:\localmachine\my | ?{$_.thumbprint -eq $CertToFind -or $_.serialnumber -eq $CertToFind}
    $Cert | fl Subject,Issuer,FriendlyName,NotBefore,NotAfter,ThumbPrint,SerialNumber
    $O365Cert = [system.convert]::ToBase64String($cert.GetRawCertData()); $O365Cert
    $O365Cert | Out-File -FilePath .\O365Cert.txt -Force

    3. Check the output to make sure it found the correct certificate.  If it did then proceed, otherwise check your serial number/thumbprint and try again.

    4. If the Microsoft Online Services Module for Windows PowerShell is installed on the IdP skip to step 7. Otherwise continue to the next step.

    5. Copy the O365Cert.txt file to the machine where Microsoft Online Services Module for Windows PowerShell is installed.

    6. Now on the machine where the MSOL module is installed, open PowerShell and CD to the directory where the O365Cert.txt file is located

    7. Run this: 

    $O365Cert = Get-Content -Path .\O365Cert.txt

    8. Now run the following command in PowerShell, replacing with the correct O365 domain name to be updated:

    Set-MsolDomainFederationSettings -DomainName -NextSigningCertificate $O365Cert

    9. Verify that the new settings have taken effect by running:

    Get-MsolDomainFederationSettings -DomainName

    10. Office 365 will now accept either the old or new signing certificate.

    11. Prior to the expiry date of the old signing certificate and when ready, change the signing certificate on the Post Authentication tab of the respective O365 realms on the IdP:

    12. Test that the new signing certificate works.  If an error is received perform an IISRESET on the IdP and test again. 



    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

    0 out of 0 found this helpful



    Please sign in to leave a comment.