Renew High Trust Certificate

This article describes the steps needed to register a new self-signed certificate for the communication between KanBo and SharePoint (the high-trust certificate). Follow these instructions when your old self-signed certificate has expired. Steps 1 and 4 are performed on the KanBo (IIS) server; Steps 2 and 3 are performed in the SharePoint Management Shell on a SharePoint server by a farm administrator.

Step 1

Generate a new self-signed certificate.

Open IIS Manager, select your server node and open Server Certificates. In the Actions pane on the right choose "Create Self-Signed Certificate...", pick a name for your certificate and complete the wizard. Note that IIS Manager creates self-signed certificates that are valid for one year, which is why this procedure has to be repeated. After the certificate has been created, save it to files as follows:

  1. Select the new certificate -> click "Export..." -> save it as a .pfx file in a folder of your choice and protect it with a strong password. The .pfx contains the private key; restrict read access to administrators and the KanBo application pool identity. KanBo's web.config will point at this file later (Step 4).
  2. Select the certificate -> click "View..." -> Details -> "Copy to File..." -> save it as a .cer file in the same folder as the .pfx file. The .cer contains only the public key and is the file you register in SharePoint (Step 3).
  3. Make sure the certificate is installed in the LocalMachine store: open Manage computer certificates (certlm.msc) and confirm it exists under Personal -> Certificates. If it is not there (for example because the wizard placed it in a different store or you created it on another machine), install the .pfx by double-clicking it and choosing the Local Machine store. Note the new certificate's thumbprint; you will use it to tell the new registration from the old one.
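The same result can be produced without IIS Manager. The following PowerShell script is an added example, not part of the original KanBo article; it creates the certificate directly in the LocalMachine Personal store, exports the .pfx and .cer files, and locks down the private-key file. The subject name, output folder, validity period and the application pool name "KanBo" are assumptions; adjust them to your server.

```powershell
# Added example (not from the KanBo article). Run in an elevated PowerShell on the KanBo server.
$certName = "KanBoHighTrust"   # assumed subject/friendly name
$outDir   = "C:\certs"         # assumed output folder; the same path is used in web.config in Step 4
$years    = 5                  # assumed validity; IIS Manager's self-signed certificates last one year

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Create the certificate straight into LocalMachine\Personal, so the store check in Step 1.3 is satisfied.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$certName" `
    -FriendlyName $certName `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears($years)

# .pfx = public certificate + private key, password protected. This is what KanBo's web.config references.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for the .pfx file"
Export-PfxCertificate -Cert $cert -FilePath "$outDir\$certName.pfx" -Password $pfxPassword | Out-Null

# .cer = public certificate only. This is what gets registered in SharePoint in Step 3.
Export-Certificate -Cert $cert -FilePath "$outDir\$certName.cer" -Type CERT | Out-Null

# Restrict the private-key file: only administrators and the KanBo application pool may read it.
# Assumption: the IIS application pool is named "KanBo"; use your site's pool name.
$pfxPath = "$outDir\$certName.pfx"
$acl = Get-Acl $pfxPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the folder's ACEs
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "BUILTIN\Administrators", "FullControl", "Allow")))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "IIS AppPool\KanBo", "Read", "Allow")))
Set-Acl $pfxPath $acl

# Keep the thumbprint and expiry at hand for Steps 2 and 3.
"New certificate thumbprint: $($cert.Thumbprint)"
"Valid until:                $($cert.NotAfter)"
```

The thumbprint printed at the end is the value to compare against the registrations in SharePoint; the old certificate's thumbprint is the one to remove in Step 2.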

Step 2

To remove the old certificate, launch the SharePoint Management Shell as administrator with a farm administrator account. First list the existing registrations with Get-SPTrustedRootAuthority and Get-SPTrustedSecurityTokenIssuer and identify the entries whose certificate thumbprint is the expired KanBo certificate; their names or IDs are the identities used below. Replace the parts in {} with your data and run the commands in the order shown.

Remove-SPTrustedRootAuthority -Identity {name or ID of the KanBo trusted root authority from the Get-SPTrustedRootAuthority output}
Remove-SPTrustedSecurityTokenIssuer -Identity {name or ID of the KanBo token issuer from the Get-SPTrustedSecurityTokenIssuer output}

You can check the result in Central Administration -> Security -> General Security -> Manage trust, which lists the trusted root authorities. Token issuers are not shown there; verify them with Get-SPTrustedSecurityTokenIssuer.

Step 3

Now register the new certificate in SharePoint, still in the SharePoint Management Shell. Replace the parts in {} with your data. The issuer ID must be the same GUID that KanBo's web.config uses, written in lowercase, because SharePoint compares the registered issuer name as a lowercase string.

$publicCertPath = "{the path to your self-signed certificate .cer file, e.g. c:\certs\cert.cer}"
$issuerId = "{Issuer ID from web.config, lowercase GUID}"
$authorityName = "{Your chosen authority name, e.g. KanBoServerAppsCerts}"
$certificate = Get-PfxCertificate $publicCertPath
New-SPTrustedRootAuthority -Name $authorityName -Certificate $certificate
$realm = Get-SPAuthenticationRealm
$fullIssuerIdentifier = $issuerId + '@' + $realm
New-SPTrustedSecurityTokenIssuer -Name $authorityName -Certificate $certificate -RegisteredIssuerName $fullIssuerIdentifier -IsTrustBroker

SharePoint caches the list of trusted token issuers. Run iisreset on the SharePoint web front ends after registering the issuer, otherwise the new certificate may not be accepted until the cache refreshes, which can take up to 24 hours.
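Steps 2 and 3 as one script, with the listing that the removal depends on and a check at the end that the registration actually carries the new certificate. This is an added example, not code from the KanBo article; the certificate path, authority name, issuer ID and old thumbprint are placeholders that you replace with your own values. It runs in the SharePoint Management Shell.

```powershell
# Added example (not from the KanBo article). Run in the SharePoint Management Shell as a farm administrator.
$publicCertPath = "C:\certs\KanBoHighTrust.cer"                # assumed path to the NEW .cer from Step 1
$authorityName  = "KanBoServerAppsCerts"                        # assumed authority name
$issuerId       = "11111111-2222-3333-4444-555555555555"        # placeholder; copy the real value from web.config
$oldThumbprint  = "0000000000000000000000000000000000000000"    # placeholder; thumbprint of the EXPIRED certificate

# SharePoint matches the issuer as "<lowercase guid>@<realm>"; normalise and validate before registering.
$issuerId = $issuerId.Trim().ToLowerInvariant()
if ($issuerId -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
    throw "Issuer ID '$issuerId' is not a GUID; check the value in KanBo's web.config"
}

# Step 2: remove the registrations that still carry the expired certificate, in the article's order:
# trusted root authority first, then the token issuer. Matching on thumbprint avoids removing other trusts.
Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $oldThumbprint } |
    ForEach-Object {
        Write-Host "Removing trusted root authority '$($_.Name)'"
        Remove-SPTrustedRootAuthority -Identity $_.Name -Confirm:$false
    }

Get-SPTrustedSecurityTokenIssuer |
    Where-Object { $_.SigningCertificate.Thumbprint -eq $oldThumbprint } |
    ForEach-Object {
        Write-Host "Removing token issuer '$($_.Name)' ($($_.Id))"
        Remove-SPTrustedSecurityTokenIssuer -Identity $_.Id -Confirm:$false
    }

# Step 3: register the new public certificate. Refuse to register something that is already expired.
$certificate = Get-PfxCertificate $publicCertPath
if ($certificate.NotAfter -lt (Get-Date)) {
    throw "Certificate in $publicCertPath expired on $($certificate.NotAfter)"
}

New-SPTrustedRootAuthority -Name $authorityName -Certificate $certificate | Out-Null
$realm = Get-SPAuthenticationRealm
$fullIssuerIdentifier = "$issuerId@$realm"
New-SPTrustedSecurityTokenIssuer -Name $authorityName -Certificate $certificate `
    -RegisteredIssuerName $fullIssuerIdentifier -IsTrustBroker | Out-Null

# Verify: exactly one issuer with this registered name, signed by the new certificate.
$issuer = @(Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $fullIssuerIdentifier })
if ($issuer.Count -ne 1 -or $issuer[0].SigningCertificate.Thumbprint -ne $certificate.Thumbprint) {
    throw "Token issuer for $fullIssuerIdentifier is missing or still uses another certificate"
}
"Registered $fullIssuerIdentifier with thumbprint $($certificate.Thumbprint), valid until $($certificate.NotAfter)"

# SharePoint caches token issuers; recycle IIS so the new certificate is accepted immediately.
iisreset
```

The thumbprint match at the end is the check to repeat whenever KanBo reports a trust error: the thumbprint reported by Get-SPTrustedSecurityTokenIssuer must equal the thumbprint of the certificate inside the .pfx that KanBo's web.config references.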

Step 4

This step applies only if your organization's KanBo web.config references the certificate by thumbprint from the local certificate store (the entry configured in appSettings) instead of using the signer attribute in the authentication section. In that case, switch the configuration to the .pfx file exported in Step 1 so that KanBo signs tokens with the new private key.

If your KanBo is older than 2.7.6, remove or comment out the entry with key="thumbprint" value="{Thumbprint}" store-name="my" store-location="localmachine" valid-only="false" /> and replace it with:

<signer type="X509SignerFromFile" file="{C:\certs\yourcertname.pfx}" key="{CertificatePassword}" />

If your KanBo is newer than 2.7.6, remove or comment out the entry with key="thumbprint" value="{Thumbprint}" store-name="my" store-location="localmachine" valid-only="false" /> and replace it with:

  <signer type="x509-file" file="{PathToPFXCert}" key="{PassForCert}" />

The key attribute is the password of the .pfx file, stored in clear text in web.config. Restrict read access to web.config and to the .pfx file to administrators and the KanBo application pool identity, and make sure that identity can read the .pfx, or KanBo will fail to start. Saving web.config restarts the KanBo application.

Your KanBo should now work again. If it does not, compare the thumbprint registered in SharePoint (Get-SPTrustedSecurityTokenIssuer) with the thumbprint of the certificate in the .pfx file referenced by web.config; the two must match.