Windows Identity Foundation–Updating an expired issuer certificate
Because Windows Identity Foundation (aka STS) requires a non-expired certificate to work, when a certificate expires you will start getting errors such as:
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
There are quite a few steps to fix this if you are running your own STS provider.
For the STS provider
- Start up Management Console (mmc.exe)
- Add the Certificates Snap In for Computer Account (Add/Remove Snap In, Select Certificates, Computer Account)
- Import the new certificate into the Personal\Certificate Branch (right click, import)
IMPORTANT: Make sure the certificate you are importing includes the private key. Then type out the thumbprint by hand (Details\Thumbprint).
IMPORTANT: DO NOT COPY AND PASTE the thumbprint. Copying it from the certificate dialog picks up hidden non-printing characters (a leading left-to-right mark, U+200E), so the pasted value no longer matches the certificate and the same ID4175 error occurs.
For the STS Consumer
- Update the Federation Metadata, using the command below
"C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\FedUtil.exe" /u "[PATH to Web.config]" /o "[Path to Log File]" /m "[Federation Metadata Location]"
e.g.: "C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\FedUtil.exe" /u "D:\Websites\sts\web.config" /o "D:\Websites\sts\UpdateLog.txt" /m https://stsprovider/FederationMetadata/2007-06/FederationMetadata.xml
- Replace the old thumbprint in the consumer's web.config with the thumbprint you typed out on the provider (microsoft.identityModel -> service -> issuerNameRegistry -> trustedIssuers)
- Save and test
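The trustedIssuers entry only works if the configured string matches the certificate thumbprint exactly, which is why a pasted value with an invisible character fails. The following Python script is an added example, not part of the original post or of WIF: it audits the thumbprint attributes in a web.config, flags hidden characters and stray spaces, and rewrites them as clean upper-case hex. The web.config fragment and the thumbprint values inside it are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config fragment, not a real deployment. The first thumbprint was "pasted" from the
# certificate dialog: it carries a hidden U+200E LEFT-TO-RIGHT MARK and spaces. The second was typed.
SAMPLE_WEB_CONFIG = """<configuration>
  <microsoft.identityModel>
    <service>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel">
        <trustedIssuers>
          <add thumbprint="\u200e0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d" name="https://stsprovider/" />
          <add thumbprint="0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3E" name="https://other-sts/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>"""

TRUSTED_ISSUERS = "./microsoft.identityModel/service/issuerNameRegistry/trustedIssuers/add"
HEX40 = re.compile(r"[0-9A-F]{40}")  # a SHA-1 thumbprint is 20 bytes = 40 hex digits

def normalize_thumbprint(raw):
    """Drop whitespace and non-printing characters, then upper-case the hex digits."""
    return "".join(ch for ch in raw if ch.isprintable() and not ch.isspace()).upper()

def hidden_characters(raw):
    """Code points in raw that are neither hex digits nor ordinary spaces (e.g. U+200E)."""
    return [f"U+{ord(ch):04X}" for ch in raw if ch not in "0123456789abcdefABCDEF "]

def audit_trusted_issuers(web_config_xml):
    """One report per <add> under trustedIssuers: raw value, cleaned value and any problems."""
    reports = []
    for add in ET.fromstring(web_config_xml).findall(TRUSTED_ISSUERS):
        raw = add.get("thumbprint", "")
        cleaned = normalize_thumbprint(raw)
        hidden = hidden_characters(raw)
        problems = ["hidden characters: " + ", ".join(hidden)] if hidden else []
        if " " in raw:
            problems.append("contains spaces")
        if not HEX40.fullmatch(cleaned):
            problems.append("not 40 hex digits after cleaning")
        reports.append({"name": add.get("name"), "raw": raw, "thumbprint": cleaned, "problems": problems})
    return reports

def repair_trusted_issuers(web_config_xml):
    """Return the config with every trustedIssuers thumbprint rewritten as clean upper-case hex."""
    root = ET.fromstring(web_config_xml)
    for add in root.findall(TRUSTED_ISSUERS):
        add.set("thumbprint", normalize_thumbprint(add.get("thumbprint", "")))
    return ET.tostring(root, encoding="unicode")
```

Run audit_trusted_issuers on the real web.config contents before and after the edit; any entry whose problems list is not empty is one that WIF will not match against the provider's certificate.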