
Windows Identity Foundation–Updating an expired issuer certificate

Because Windows Identity Foundation (aka STS) requires a non-expired certificate to work, once the issuer certificate expires you will start getting errors such as:

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

There are quite a few steps to fix this if you are running your own STS provider.

For the STS provider

  1. Start up Management Console (mmc.exe).
  2. Add the Certificates snap-in for the Computer account (Add/Remove Snap-in, select Certificates, Computer account).
  3. Import the new certificate into the Personal\Certificates branch (right-click, Import).
    IMPORTANT: Make sure the certificate you are importing contains the private key.
  4. Type out the thumbprint (Details tab, Thumbprint field).
    IMPORTANT: DO NOT COPY AND PASTE; this will cause the same error to occur.
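The following PowerShell script is an added example, not part of the original post: it checks the imported certificate on the STS provider the way steps 3 and 4 require (present in the computer's Personal store, not expired, private key included) and reads the thumbprint from the certificate object rather than from the MMC dialog. The subject name is a constructed placeholder; replace it with the subject of your issuer certificate.

```powershell
# Added example (not from the original post): validate the freshly imported
# issuer certificate on the STS provider before taking its thumbprint.
# Assumes the certificate was imported into LocalMachine\My (the Personal
# branch in mmc.exe). The subject below is a constructed placeholder.
param(
    [string]$SubjectCn = 'CN=sts.example.invalid'   # placeholder subject
)

# After an import there are often two certificates with the same subject
# (the expired one and the new one), so select all and sort them.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectCn }

if (-not $candidates) {
    throw "No certificate with subject '$SubjectCn' found in LocalMachine\My."
}

# Show every candidate so an expired or key-less import is obvious.
foreach ($cert in ($candidates | Sort-Object NotAfter -Descending)) {
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint      # 40 hex digits straight from the API
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        HasPrivateKey = $cert.HasPrivateKey   # must be True or the STS cannot sign tokens
    }
}

# The usable certificate is the newest one that is still valid and has a private key.
$usable = $candidates |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $usable) {
    throw 'No valid certificate with a private key found; re-import a PFX that includes the private key.'
}

# This is the value to carry over to each consumer's web.config.
Write-Output "Issuer thumbprint to configure on consumers: $($usable.Thumbprint)"
```

The `Thumbprint` property returned by the certificate store is plain hexadecimal, so it does not carry the hidden characters that a copy from the MMC details dialog does; it can be transferred to the consumer as-is.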

For the STS Consumer

  1. Update the Federation Metadata, using the command below:

    "C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\FedUtil.exe" /u "[PATH to Web.config]" /o "[Path to Log File]" /m "[Federation Metadata Location]"

    e.g.: "C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\FedUtil.exe" /u "D:\Websites\sts\web.config" /o "D:\Websites\sts\UpdateLog.txt" /m https://stsprovider/FederationMetadata/2007-06/FederationMetadata.xml

  2. Paste the thumbprint you typed out on the provider into the consumer's web.config, replacing the old one (microsoft.identityModel -> service -> issuerNameRegistry -> trustedIssuers).
  3. Save and test.
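As an added example (not from the original post), this PowerShell script performs step 2 on a consumer: it normalises the supplied thumbprint to its 40 hex digits (a thumbprint copied from the certificate dialog contains spaces and a non-printing character, which is the reason the post insists on typing it), backs up the web.config, and rewrites the `thumbprint` attribute under `microsoft.identityModel/service/issuerNameRegistry/trustedIssuers`. The config path and thumbprint values are constructed placeholders; the optional `-OldThumbprint` parameter is my own addition so that only one issuer entry is changed when several STSes are trusted.

```powershell
# Added example (not from the original post): replace a trusted issuer
# thumbprint in a WIF consumer's web.config. All paths and thumbprints are
# constructed placeholders.
param(
    [string]$WebConfigPath = 'D:\Websites\consumer\web.config',  # placeholder path
    [string]$NewThumbprint = '<NEW-THUMBPRINT>',                 # placeholder, 40 hex chars
    [string]$OldThumbprint = ''                                   # optional: only replace this entry
)

# Strip anything that is not a hex digit: spaces and the hidden Unicode
# mark that the MMC dialog puts in front of a copied thumbprint.
function ConvertTo-CleanThumbprint([string]$Value) {
    $clean = ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint '$Value' does not reduce to 40 hex characters (got $($clean.Length))."
    }
    return $clean
}

$new = ConvertTo-CleanThumbprint $NewThumbprint
$old = if ($OldThumbprint) { ConvertTo-CleanThumbprint $OldThumbprint } else { $null }

# Timestamped backup before the file is touched.
$backup = "$WebConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $WebConfigPath -Destination $backup

[xml]$config = Get-Content -Path $WebConfigPath -Raw

# microsoft.identityModel -> service -> issuerNameRegistry -> trustedIssuers -> add
$entries = $config.SelectNodes('/configuration/microsoft.identityModel/service/issuerNameRegistry/trustedIssuers/add')
if ($entries.Count -eq 0) {
    throw 'No trustedIssuers/add element found; is this a WIF 3.5/4.0 web.config?'
}

$changed = 0
foreach ($add in $entries) {
    $current = ConvertTo-CleanThumbprint $add.GetAttribute('thumbprint')
    # When an old thumbprint was given, leave entries for other issuers alone.
    if ($old -and $current -ne $old) { continue }
    $add.SetAttribute('thumbprint', $new)
    Write-Output "Replaced $current with $new for issuer '$($add.GetAttribute('name'))'"
    $changed++
}

if ($changed -eq 0) {
    throw "No trustedIssuers entry matched thumbprint '$old'; nothing written."
}

$config.Save($WebConfigPath)
Write-Output "Saved $WebConfigPath ($changed entry/entries updated, backup at $backup)"
```

Run it once per consumer site, then re-test the sign-in; if the ID4175 error persists, compare the saved attribute against the `Thumbprint` shown by the provider's certificate store character by character.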
Categories: ASP.NET