Managing Certificates

EmpowerID provides a utility application, the EmpowerID Certificate Manager, that you can use to view and manage the various certificates used in your deployment. These certificates include everything from the Server and SSL certificates to third party certificates used in a federated partnership, as well as personal certificates issued to individual users. When you open the utility, it displays any certificates currently stored in the Identity Warehouse and provides functionality for importing, generating and validating certificates.

EmpowerID stores each certificate in the CertificateStore table of the EmpowerID Identity Warehouse.

To import certificates

  1. Open the EmpowerID Certificate Manager utility. In a default installation of EmpowerID, the path to the executable is location at "C:\Program Files\TheDotNetFactory\EmpowerID\Programs\EmpowerID.CertificateManager.exe"

  2. From the Import tab of the EmpowerID Certificate Manager, select the appropriate method for importing the certificate and follow the dialogs for that method. For example, if you are importing a certificate from file, select Upload from Certificate File and then browse for the file.

  3. Enter a password for the certificate and click Ok.

To generate test certificates

  1. From the Generate tab of the EmpowerID Certificate Manager, select the appropriate method for the type of certificate you want to generate. For example, if you want to generate an X509 certificate, you select X509 Certificate.
  2. From the Certificate Information pane, do the following:
    1. Type a password for the certificate in the Password field.
    2. Specify the Output Folder for the certificate file by clicking the Browse button and selecting the desired folder.
    3. Optionally, select whether to import the generated certificate to the either the EmpowerID Certificate Store, the Local Certificate Store or both.
    4. When ready, click Generate.

      After completing the operation, the EmpowerID Certificate Manager displays the results in the Certificate Details pane.

To validate certificates

  1. From the Validate tab of the EmpowerID Certificate Manager, select the appropriate Browse Certificate method that corresponds to the location of the certificate. For example, if you want to validate a certificate from file, click Select from Certificate File and then browse for the file.

  2. Type the password for the certificate in the Password field and click Ok.

  3. From the Certificate Purpose pane, select either Federation or SSL.
  4. Click Validate.

    After completing the operation, the EmpowerID Certificate Manager displays the results in the Validation Summary pane.

If the certificate does not meet All of the requirements specified in the Certificate Requirements topic, the validation operation will fail.

To update SSL certificates

Follow these steps when you need to replace the SSL certificate used for EmpowerID. To update the certificate, use the EmpowerID Configurator. In a default installation of EmpowerID, the path to the executable is location at "C:\Program Files\TheDotNetFactory\EmpowerID\Programs\EmpowerID.Configurator.exe"

  1. Open the EmpowerID Configurator, and on the Web Server tab, next to SSL Certificate, click Browse.

  2. Select Browse certificate file and click OK, then navigate to the new certificate file and select it, then click Save and close the Configurator.
  3. Add the certificate to the Personal Certificate Store on each EmpowerID web and app server by doing the following. 

    1. Copy the certificate file to each server as needed.
    2. On each server, open mmc and from the File menu, click Add/Remove Snap-in.
    3. In the Add or Remove Snap-ins dialog, select Certificates and then click Add.

    4. Select the Certificates snap-in and then click Add.

    5. From the Certificates snap-in dialog that appears, select Computer account and then click Next.

    6. Select Local computer and then click Finish.

    7. Click OK to close the Add or Remove Snap-Ins dialog.

    8. In the mmc console tree, expand the Certificates (Local Computer) node.
    9. Right-click the Personal node, point to All Tasks, and then click Import.

    10. In the Certificate Import Wizard that appears, click Next.

    11. On the File to Import page, click Browse.

    12. Locate and select the desired certificate and then click Next.

    13. On the Private key protection page, enter the password for the certificate, select Mark this key as exportable and then click Next.

    14. Select Automatically select the certificate store based on the type of certificate and then click Next.

    15. Click Finish to close the Certificate Import Wizard.
    16. Click OK to close the import message.

  4. Bind the new certificate to port 443 on the default web site on all web servers by doing the following:
    1. From the Console Root tree of mmc, expand the Certificates and Personal nodes and the click Certificates.
    2. Locate the SSL certificate and then double-click it to open the Certificate Information dialog.
    3. From the Certificate Information dialog, click the Details tab and then locate and click the Thumbprint field.

    4. Copy the Thumbprint to a text editor, such as Notepad, and then click OK to close the Certificate Information editor.
    5. From the text editor, remove all spaces from the Thumbprint as shown below.

    6. Open a command prompt and run netsh http show sslcert  to retrieve the current port configuration.

    7. Remove the SSL certificate from by running  netsh http delete sslcert ipport=  from the command prompt. Change the port number as needed.

    8. Return to your text editor and copy the thumbprint of the new SSL certificate.

    9. Update the certificate binding for each port by running  netsh http add sslcert ipport= certhash=‎41845b701cdba6ae3ea1d8b81d17dc433acfbccc appid={5d89a20c-beab-4389-9447-324788eb944a}  from the command prompt. The certhash parameter should be set to the thumbprint for your SSL certificate. The appid parameter should be set to that retrieved above (by running netsh http show sslcert ).

  5. Open SQL Server Management Studio, expand Databases, and click the node for the EmpowerID database.
  6. In the toolbar, click the New Query button and execute  SELECT * FROM CertificateStore  to find the CertificateStoreID values for both the old and new certificates.

  7. Execute  UPDATE CertificateAppliesTo SET CertificateStoreID = 3 WHERE CertificateStoreID = 2  to update the CertificateAppliesTo table. This replaces the expired certificate with the new everywhere the expired certificate was used. Be sure to replace "2" and "3" with your certificate store IDs.

  8. Finally, execute  UPDATE EmpowerIDServer SET CertificateStoreID = 3  to update the EmpowerIDServer table's CertificateStoreID column. Be sure to replace "3" with the certificate store ID for the new certificate.

Certificate Requirements