
How to manually update the expired signing certificate for O365 federation partnership

Blog Post created by SungHoon_Kim Employee on Sep 28, 2016

If you are the O365 administrator, you might have received an email from "Microsoft Office 365 Team <Office365@microsoftonline.com>" notifying you that your federation signing certificate is about to expire.

If the certificate has not expired yet, take a planned approach: update the certificate on both the Single Sign-On side (the federation partnership) and on the Azure side. Azure AD validates the signature on every SAML assertion for your federated domain against the certificate it has on record, so once Single Sign-On signs with a certificate Azure does not know, federated logons fail. The MSOnline cmdlet used below also accepts -NextSigningCertificate, which lets you publish the renewed certificate to Azure before you switch Single Sign-On over to it.

 

 

This post guides you through updating the certificate.

In the screenshot, my "kimlabskey" certificate has expired. It is associated with the kimlabs365 federation partnership.

The expiration date is the same one the email notification highlighted: the certificate expired on 16/Sep/2016.

 

 

To renew the certificate you need a Certificate Signing Request (CSR).

Send the CSR to your Certificate Authority and get the renewed certificate back.

I saved it as "kimlabs-newcert.cer" in base64 (PEM) format. Save it in base64 format, because that is what the Azure side needs later.

The new certificate will expire in 2018.

Log on to the Single Sign-On Administrative UI and go to Certificate Management.

Locate the certificate and update it with the renewed one.

 

 

You have now updated the certificate on the Single Sign-On side.

Next, update the Azure side.

Run the Windows Azure Active Directory Module for Windows PowerShell (the MSOnline module).

Run "Connect-MsolService" and enter your O365 admin credential.

You are now connected to Azure AD.

Run "Get-MsolDomainFederationSettings -DomainName <yourdomain>".

In my case it is "Get-MsolDomainFederationSettings -DomainName kimlabs.net".

Look at "SigningCertificates" and you will find the expired certificate.

You can see it is stored in base64 format, as one line with no header or footer.

 

Open the renewed certificate in a text editor.

It contains the following; you must remove the BEGIN and END lines and every line break:

-----BEGIN CERTIFICATE-----<Carriage Return>

MIIGXXXXXXXXXXXXXXXXXX<Carriage Return>

*********************<Carriage Return>

XXXXX==<Carriage Return>

-----END CERTIFICATE-----<Carriage Return>

<Carriage Return>

You MUST end up with a single line of the form MIIGXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==, with no whitespace anywhere in it.

 

In PowerShell, run the following.

$cert = "<certificate base64 string>"

Wrap the value in double quotes; the quoting itself is not what Azure checks, but the string must be that single line with no whitespace or line breaks, otherwise the update is rejected.

Update the certificate with the following command.

Set-MsolDomainFederationSettings -DomainName <domainname> -SigningCertificate "$cert"

In my case it would be:

Set-MsolDomainFederationSettings -DomainName kimlabs.net -SigningCertificate "$cert"

Quoting $cert in double quotes is harmless here: PowerShell expands it to the same single-line string.

Run "Get-MsolDomainFederationSettings -DomainName <domainname>" to verify the certificate was updated. Rather than eyeballing the base64, compare the thumbprint of the certificate Azure returns with the thumbprint of your renewed certificate.
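The Azure-side steps above, as one script. This is an added example written for this post, not code from the original post or from CA Single Sign-On; it assumes the renewed certificate is saved as C:\certs\kimlabs-newcert.cer and that the federated domain is kimlabs.net (both are assumptions, not values from the original). It builds the single-line base64 string from the certificate's DER bytes instead of hand-editing the file, refuses to publish an expired or not-yet-valid certificate, and verifies the update by thumbprint. With -Stage it publishes the certificate as NextSigningCertificate, the planned-rollover path mentioned earlier, rather than replacing the current one.

```powershell
# Added example (not code from the original post or from CA Single Sign-On):
# publish a renewed federation signing certificate to Azure AD with the
# MSOnline module and verify the result by thumbprint.
# Assumed values (not in the original): the renewed certificate is saved as
# C:\certs\kimlabs-newcert.cer and the federated domain is kimlabs.net.
param(
    [string]$DomainName = 'kimlabs.net',
    [string]$CertPath   = 'C:\certs\kimlabs-newcert.cer',
    # With -Stage the certificate is published as NextSigningCertificate,
    # so Azure AD already knows it before Single Sign-On starts using it.
    [switch]$Stage
)

Import-Module MSOnline -ErrorAction Stop

function ConvertFrom-Base64Cert {
    # Turn the base64 string Azure AD returns into an X509Certificate2 so we
    # can read its thumbprint and expiry instead of comparing long strings.
    param([string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    # The leading comma keeps the byte array as one constructor argument.
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}

# X509Certificate2 loads both DER and base64 (PEM) .cer files, so the
# format the CA returned does not matter here.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Refuse to publish a certificate that is already expired or not yet valid.
$now = Get-Date
if ($newCert.NotAfter -lt $now) {
    throw "Certificate $($newCert.Thumbprint) expired on $($newCert.NotAfter)"
}
if ($newCert.NotBefore -gt $now) {
    throw "Certificate $($newCert.Thumbprint) is not valid until $($newCert.NotBefore)"
}

# Azure AD expects the DER bytes as a single base64 line with no
# BEGIN/END lines and no line breaks. Re-encoding RawData produces
# exactly that, whatever wrapping the .cer file had.
$certBase64 = [Convert]::ToBase64String($newCert.RawData)

Connect-MsolService   # prompts for the O365 admin credential

# Record what is published now; this is what you would roll back to.
$before  = Get-MsolDomainFederationSettings -DomainName $DomainName
$current = ConvertFrom-Base64Cert $before.SigningCertificate
Write-Host ("Current signing certificate {0} expires {1}" -f $current.Thumbprint, $current.NotAfter)

if ($current.Thumbprint -eq $newCert.Thumbprint) {
    Write-Host 'Azure already has this certificate; nothing to do.'
    return
}

if ($Stage) {
    Set-MsolDomainFederationSettings -DomainName $DomainName -NextSigningCertificate $certBase64
} else {
    Set-MsolDomainFederationSettings -DomainName $DomainName -SigningCertificate $certBase64
}

# Verify by reading the setting back and comparing thumbprints.
$after = Get-MsolDomainFederationSettings -DomainName $DomainName
$publishedB64 = if ($Stage) { $after.NextSigningCertificate } else { $after.SigningCertificate }
$published = ConvertFrom-Base64Cert $publishedB64
if ($published.Thumbprint -ne $newCert.Thumbprint) {
    throw "Azure returned thumbprint $($published.Thumbprint), expected $($newCert.Thumbprint)"
}
Write-Host ("Published {0}, valid until {1}" -f $published.Thumbprint, $published.NotAfter)
```

Run it once with -Stage while the old certificate is still valid, switch the Single Sign-On side to the renewed certificate, then run it again without -Stage to make the renewed certificate the primary one. The thumbprint printed for the current certificate is also the quickest way to confirm which certificate Azure is actually checking against when a federated logon fails.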

 

Finally, test that a federated user can log on to O365.